February 27, 2008
Attack on Brit retail payments -- some takeaways
Some of the people at U.Cambridge have successfully and easily attacked the card readers and cards used in retail transactions in Britain. This is good work. You should skim it for the documented attacks on the British payments systems, if only because the summary is well written.
My takeaways are these:
- the attack is a listening/recording attack in between the card readers and cards
- the communications between reader and card are not secured (they say "not encrypted"), so easy to tap,
- the attack hides inside a compromised reader (which is slightly but not significantly tamper-resistant)
- the cards themselves have "weak modes" to make the cards usable overseas,
- the card readers are available for sale on eBay!
- the certification or independent security review is done in secret.
Many others will write about the failure to use some security protocol, etc. Also note the failure of modes. So I shall add a postscript on the last point, secrecy of architecture. (I have written before about this problem, but I recall not where.)
Placing the security of the system under a wrap of secrecy allows a "secure-by-design" myth to emerge. Marketing people and managers cannot resist the allure of secret designs, and the internal security team has little interest in telling the truth (their job is easier if there is no informed scrutiny!). As the designs and processes are secret, there is no independent check on the spread of this myth of total security.
At some point the organisation (a bank or a banking sector) internalises the myth of total security and starts to lean heavily on the false belief. Other very-needed parts of the security arrangement are slowly stripped away because "the devices are secure so other parts are not needed."
The reality is that the system is not "secure" but is "economically difficult to attack". Defence in depth was employed to raise and balance the total security equation, which means other parts of the business become part of the security. By way of example, the card readers are often required to be tamper-resistant, and to be "controlled items" which means they cannot be purchased openly. These things will be written into the security architecture.
But, because all the business outside the security team cannot see the security architecture -- it's secret! -- they do not know this. So we see the cost cutting and business changes indicated above. Because the business believes the system to be totally secure -- the myth! -- they don't bother to tell the security team that the cards have dual modes, that readers are now made of plastic, or that readers are sold on eBay. The security team doesn't need to know this, because they built a secure system.
In this way, the security-model-wrapped-in-secrecy backfires and destroys the security. For want of a better term, I sometimes call the emergence of the myth within banks organisational cognitive dissonance.
Posted by iang at February 27, 2008 05:00 AM
recent post on this subject with some additional references
as i've mentioned before, we were called in to consult with a small client/server startup that wanted to do payment transactions on their server (they had also invented this stuff called SSL), which is now frequently called electronic commerce.
we then also got involved with the x9a10 financial standards working group, which had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments. part of this included doing detailed end-to-end vulnerability and threat analysis.
various vulnerabilities/threats ... some of which were decades old:
- compromised card acceptor devices (both magstripe and chip)
- security and data breaches
- replay attacks because of the associated static data paradigm
some of this has been previously discussed in the threads related to naked transactions ... misc. posts here
the x9a10 financial standard working group produced the x9.59 financial standard
part of the standard was making x9.59 immune from eavesdropping, security & data breaches, various skimming attacks and some of the card acceptor device compromises.
x9.59 didn't do anything to hide the transaction information ... but it made it useless to the crooks for purposes of doing fraudulent transactions.
we've claimed that the major use of SSL in the world is its use in electronic commerce ... which we had previously done ... for hiding financial transactions. however, the x9.59 standard turns out to eliminate the need for SSL to hide electronic transactions as a fraudulent financial transaction countermeasure.
The remaining cases of compromised card acceptor devices, we had claimed, would require personal transaction devices ... possibly built off of cellphone or PDA platforms using wireless interfaces (since x9.59 had already eliminated eavesdropping on the internet as a vulnerability ... it would also eliminate wireless eavesdropping between the POS interface and a personal transaction device as a vulnerability).
some of this can be seen in discussions involving the EU FINREAD standard from the 90s. FINREAD would be a personal card acceptor device that met some integrity evaluation criteria. However, in the FINREAD standard ... there was no provision to provide assurance to a financial institution that a FINREAD device was actually being used.
X9.59 provided provisions for things like dual-signatures ... one to authenticate the entity generating the transaction and a second to authenticate the environment integrity where the transaction originated. This is something we referred to as parameterized risk management ... being able to provide the approving financial institution additional assurance about the environment and possibly location where the transaction was performed.
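The property described in the comment above (the transaction travels in the clear, as in the tapped reader-to-card channel from the post's bullet list, yet a recording of it is useless for fraud) can be shown with a small simulation. This is an added example, not code from the post, from the commenter, or from the X9.59 standard. It assumes a per-card key shared between the card and its issuer, a per-transaction counter, and an HMAC as the "signature"; those are stand-ins for whatever the real standard specifies, and the key, card id and amounts are constructed demo values.

```python
import hmac
import hashlib
import json

# Constructed demo key: stands in for a per-card key shared between the card
# and its issuer (an assumption for this example, not X9.59's key management).
CARD_KEY = b"demo-card-key-not-a-real-secret"
CARD_ID = "CARD-0001"


def _mac(key, record):
    """MAC over the canonical transaction fields; the record itself stays in the clear."""
    msg = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Card:
    """Simulated card: authenticates each transaction under a fresh counter value."""

    def __init__(self, card_id, key):
        self.card_id = card_id
        self.key = key
        self.atc = 0  # application transaction counter, incremented per use

    def authorize(self, amount_pence, merchant):
        self.atc += 1
        record = {"card": self.card_id, "atc": self.atc,
                  "amount": amount_pence, "merchant": merchant}
        # Everything on the wire is readable by a tap; only the MAC needs the key.
        return {"record": record, "mac": _mac(self.key, record)}


class Issuer:
    """Simulated issuer: checks the MAC and rejects reused counter values."""

    def __init__(self):
        self.keys = {}
        self.last_atc = {}

    def enroll(self, card_id, key):
        self.keys[card_id] = key
        self.last_atc[card_id] = 0

    def verify(self, message):
        record, mac = message["record"], message["mac"]
        key = self.keys.get(record["card"])
        if key is None:
            return "unknown card"
        if not hmac.compare_digest(mac, _mac(key, record)):
            return "bad mac"   # amount/merchant edited, or MAC forged without the key
        if record["atc"] <= self.last_atc[record["card"]]:
            return "replay"    # a recorded transaction presented a second time
        self.last_atc[record["card"]] = record["atc"]
        return "approved"


def run_demo():
    """Run one genuine purchase and three abuses of the recorded message."""
    issuer = Issuer()
    card = Card(CARD_ID, CARD_KEY)
    issuer.enroll(CARD_ID, CARD_KEY)

    # Genuine purchase; a tap between reader and card records this whole message.
    captured = card.authorize(1999, "petrol-station")
    results = {"genuine": issuer.verify(captured)}

    # The recorded message is presented again verbatim.
    results["replay"] = issuer.verify(captured)

    # The captured amount is edited without knowledge of the key.
    tampered = {"record": dict(captured["record"], amount=99999), "mac": captured["mac"]}
    results["tampered"] = issuer.verify(tampered)

    # A fresh counter value is used but the MAC is computed under the wrong key.
    forged_record = dict(captured["record"], atc=captured["record"]["atc"] + 1)
    forged = {"record": forged_record, "mac": _mac(b"wrong-key", forged_record)}
    results["forged"] = issuer.verify(forged)

    # The next genuine transaction from the same card is still accepted.
    results["next_genuine"] = issuer.verify(card.authorize(500, "newsagent"))
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:13s} -> {outcome}")
```

The point of the simulation is the one the comment makes: nothing in `record` is hidden, so confidentiality of the channel buys the issuer nothing, while the counter and the keyed MAC are what stop the recorded data from being reused or altered. A real deployment would also need the counter check to survive issuer restarts and the key to be per card rather than a constant.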
This was covered fairly extensively on the evening news in the UK the night before last.
It headlined on Newsnight, and Paxman interviewed an industry spokeswoman who came off with very little credibility.
Take a look at www.bbc.co.uk/iplayer and search for newsnight any time in the next four days and you can watch the episode (26/2/08).
The other thing that is notable was that a few days earlier there was another of those scandals where a large proportion of a community had their card and PIN details stolen by a compromised machine in a petrol station, followed by a bunch of foreign withdrawals. The government's reaction seems to be to have issued a directive that credit card fraud should be reported directly to the banks, and not to the police. And banks have started to become more inclined to accuse card holders of not protecting their own PIN and refusing to cover losses unless there is evidence (such as in these mass frauds) that it wasn't due to individual user carelessness.