some of the details are obscured. it seems that information is being skimmed in chip&pin transactions to create counterfeit magstripe cards. possibly both magstripe credit transactions and apparently also magstripe pin-debit transactions (using the pin entered during chip&pin transactions).
what isn't clear is whether the skimming of the magstripe information comes from physically reading the magstripe on a chip&pin card (during a chip&pin transaction) or if there is an image of the magstripe transmitted during the chip&pin transactions (which can be eavesdropped). Basically using static data based authentication for replay attacks.
as mentioned in the earlier posts ... there have already been comments about not using chip&pin for internet transactions because of (some) vulnerabilities. internet vulnerabilities tend to either be various kinds of phishing or skimming/harvesting/eavesdropping (for replay attacks):
http://www.garlic.com/~lynn/subpubkey.html#harvest
or mitm-attacks
http://www.garlic.com/~lynn/subpubkey.html#mitm
recent posts
http://www.garlic.com/~lynn/aadsm23.htm#16
http://www.garlic.com/~lynn/aadsm23.htm#17
http://www.garlic.com/~lynn/aadsm23.htm#18
as previously noted, the financial standards x9a10 working group in the mid-90s had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments ... this was all as to type of payment (credit, debit, stored-value, e-check, ALL) as well as environment (point-of-sale, face-to-face, non-face-to-face, internet, ALL)
http://www.garlic.com/~lynn/x959.html#x959
http://www.garlic.com/~lynn/subpubkey.html#x959
CHIP AND PIN CARDS IN CHAOS
http://www.tmcnet.com/usubmit/-chip-p-cards-chaos-/2006/05/07/1639879.htm
from above:
Association's spokeswoman Sandra Quinn said: "They have used an old-style skimming device. They are skimming the card and copying the magnetic details.
... snip ...
Eight arrests in £1m fraud
http://scotlandonsunday.scotsman.com/index.cfm?id=684712006
from above:
Spokeswoman Sandra Quinn said: "They are skimming the card, copying the magnetic details - there is no new fraud here.
... snip ...
Petrol firm suspends chip-and-pin
http://news.bbc.co.uk/1/hi/england/4980190.stm
however, from above:
A Shell spokeswoman said: "Shell's chip-and-pin solution is fully accredited and complies with all relevant industry standards.
We have temporarily suspended chip-and-pin availability in our UK company-owned service stations.
This is a precautionary measure to protect the security of our customers' transactions.
You can still pay for your fuel, goods or services with your card by swipe and signature.
... snip ...
??? so if it is ok to swipe your magstripe ... where is the information being skimmed (for production of a counterfeit magstripe card) ... is it possible an image of the magstripe is also in the chip and is being skimmed by eavesdropping the chip protocol.
Shell PINpads have an integrated chip and magstripe reader.
So it follows that the magstripe info is gathered from the (tampered-with) PINpad.
Who makes the PINPad's for their solution? Presumably they must have been tested / certified to be compliant with appropriate standards - so is it the standard or the validation that is at fault I wonder...?
Posted by robb english at May 8, 2006 09:05 AM
Trintech - probably the Smart 5000 PED.
Posted by Rog. at May 8, 2006 10:47 AM
this shows a picture of a smart 5000 ped
http://linuxdevices.com/articles/AT5376216178.html
it seems that if you do a magstripe op ... the card goes in horizontally(?) but if you want to do a chip, the card goes in vertically(?). if that is the case, the magstripe wouldn't be read if doing a pin operation?
a possible question was whether chip&pin had an image of the magstripe in the chip which is transferred to the terminal embedded in some protocol. somebody might have specified such a protocol since it would minimize the impact of deploying chip&pin on the rest of the infrastructure (i.e. after some amount of the chip protocol chatter at the terminal ... a payment transaction could go thru a lot of backend processing with the emulated track1&track2 data).
this might account for one of the news items where Shell said that chip&pin was being disabled ... but that transactions could still be done with magstripe swipe.
also this was the chip&pin "yes card" scenario mentioned in the previous thread, the chip/terminal communication was eavesdropped and the skimmed information was used to create a counterfeit chip&pin card
http://www.garlic.com/~lynn/aadsm22.htm#20 FraudWatch - Chip&Pin
http://www.garlic.com/~lynn/aadsm22.htm#23 FraudWatch - Chip&Pin
http://www.garlic.com/~lynn/aadsm22.htm#34 FraudWatch - Chip&Pin
this however shows a more traditional ATM looking card reader
http://www.openpaynews.com/downloads/datasheets/openpayUPT-4000.pdf
another picture (again looks like it is capable of reading both the magstripe and chip in the same transaction)
http://www.trintech.com/Unattended-Payment-Terminals-OpenPay-UPT-4000.html
how does it select between doing a magstripe operation vis-a-vis chip operation ... if the card has been inserted in such a way that it reads both?
i found a webpage describing a hybrid emv/magstripe reader that talks about simultaneously reading the magstripe and the emv chip and validating the two sets of information being consistent.
This article dated feb. 7, 2006 talks about being able to skim the magstripe on an emv card and using the information to create counterfeit magstripe cards
http://australianit.news.com.au/articles/0,7204,18033140%5E15397%5E%5Enbv%5E,00.html
Chip and pin hack exposed
http://www.theinquirer.net/?article=31547
According to our source, a team of shysters has been turning up at petrol stations posing as engineers and taking the Trintech Smart5000 Chip and Pin units away for repair. They have then bypassed the anti-tamper mechanisms and inserted their own card skimmer.
... snip ...
this could also be considered from the angle of my old security proportional to risk theme
http://www.garlic.com/~lynn/2001h.html#61
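The hybrid-reader consistency check mentioned a few comments up (reading the magstripe and the emv chip together and checking the two agree), as an added example that is not part of this thread or of any vendor's product. The card values are constructed, and the chip-side string follows the Track 2 Equivalent Data layout (PAN, 'D' separator, YYMM expiry, service code, discretionary data, 'F' padding); the magstripe side follows ISO 7813 track 2 with '=' as separator.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample values for illustration only (not real card data).
MAGSTRIPE_TRACK2 = ";4111111111111111=27122011234567890?"
CHIP_TRACK2_EQUIV = "4111111111111111D2712201123456789F"

@dataclass(frozen=True)
class Track2:
    pan: str
    expiry: str         # YYMM
    service_code: str   # three digits
    discretionary: str  # issuer-defined, e.g. where the CVV lives

def parse_track2(raw: str) -> Track2:
    """Parse magstripe track 2 ('=' separator, ';' and '?' sentinels)
    or EMV Track 2 Equivalent Data ('D' separator, 'F' padding)."""
    body = raw.strip(";?").rstrip("F")
    m = re.fullmatch(r"(\d{1,19})[=D](\d{4})(\d{3})(\d*)", body)
    if not m:
        raise ValueError("not a track 2 layout")
    return Track2(*m.groups())

def luhn_ok(pan: str) -> bool:
    """Luhn check on the PAN; a skimmed-but-mangled PAN fails here."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def chip_capable(service_code: str) -> bool:
    # ISO 7813: first digit 2 or 6 means an IC is present and should be used.
    return service_code[0] in "26"

def assess_swipe(mag_raw: str, chip_raw: Optional[str]) -> List[str]:
    """Findings a hybrid reader or acquirer host would raise for one read."""
    findings = []
    mag = parse_track2(mag_raw)
    if not luhn_ok(mag.pan):
        findings.append("pan fails luhn")
    if chip_raw is None:
        # Magstripe-only read of a card whose service code says it has a chip:
        # a fallback transaction, which is where counterfeit stripes show up.
        if chip_capable(mag.service_code):
            findings.append("chip-capable card processed by swipe (fallback)")
        return findings
    chip = parse_track2(chip_raw)
    for field in ("pan", "expiry", "service_code"):
        if getattr(mag, field) != getattr(chip, field):
            findings.append(f"{field} differs between magstripe and chip")
    return findings
```

The discretionary field is deliberately not compared: issuers commonly personalise a different card verification value into the chip's track 2 equivalent than into the stripe, precisely so that chip data copied onto a stripe fails the issuer's CVV check.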
Bingo! This bears parallels with the old one-way-triangle chipmoney designs. They used in general a diversified key arrangement so if you cracked a user card then you could only duplicate that one card. This threat was addressed by blacklisting within the system (there were all sorts of secret instructions and capabilities in these chip money products, some of which got them into hot water from time to time because of the secrecy).
So, with the diversified key design, the limitation was that the upstream merchant card had to hold the full key, only the downstream user card would hold the diversified key. (Think of it as k and H(k). One can prove the other, but not the other prove the one.)
Which simply shifts the burden of the attack to the merchant, so the merchant in theory had to secure the card more carefully than a user card. I pointed this out on occasion, but it was not considered a grave risk, mostly because I suspect it was actually a _shifting of the burden_ pattern, a la Senge. That is, cognitively, the story had an answer, and going the extra distance to analyse the new story was beyond saturation point.
Posted by Iang at May 9, 2006 05:33 AM
some of the comments in the news today:
Security Expert Says Chip-And-PIN Facilitates ATM Fraud
http://www.cardtechnology.com/article.html?id=20060510KWGALG2S
'Fraudproof' cards attract scammers
http://www.channel4.com/news/content/news-storypage.jsp?id=447024
'Fraudproof' cards attract scammers
http://www.itn.co.uk/news/index_447024.html
'Fraudproof' cards attract scammers
http://www.itv.com/news/index_447024.html
Old technology aiding identity fraud
http://www.smh.com.au/news/national/old-technology-aiding-identity-fraud-keelty/2006/05/10/1146940613348.html
as mentioned previously, the comment from 2002 on pin&chip "yes card"
http://www.garlic.com/~lynn/aadsm23.htm#27 Chip-and-Pin terminals were replaced by "repairworkers"
fraud (which had been going up to that time) was with respect to compromised or counterfeit terminals skimming the chip&pin protocol chatter ... not (necessarily also) skimming the magstripe.
the chip&pin specification here mentions "track1" and "track2" (i.e. the components of the magstripe) in the chip protocol chatter
http://gsho.thur.de/gsho/technik/download/cardspec.pdf
http://www.ttfn.net/techno/smartcards/termspec.pdf
... this is in addition to having the PIN in the chip protocol chatter.
so one question is whether that information (in the chip protocol) is sufficiently similar to that used for the magstripe, that it enables the creation of counterfeit magstripes?
the specification also talks about the signed static application data ... which was what was used for authentication in the "yes card" scenarios.
the "dynamic data" (authentication option) in the specification is supposedly a countermeasure to the replay attacks found with the counterfeit (static data) "yes cards". one issue may be that since "static data" is part of the specification, 1) can sufficient data be skimmed in a "dynamic data" transaction; and 2) then can that data be used to build counterfeit "yes card"; and 3) can such a "yes card" convince terminals to downgrade from "dynamic data" to "static data" operation?
other details in the specification talks about the chip containing sufficient business rules for authorizing offline transactions ... which also contributed to the rise of the "yes card" label ... aka the terminal would ask an "authenticated" card whether to do an offline transaction, and if "yes", also ask the card if the transaction should be approved.
Posted by Lynn Wheeler at May 10, 2006 05:59 PM
So in the following scenario: If it was proven that the retailer had poor internal controls surrounding the operation and maintenance of their CHIP and PIN machines and that a customer would be unaware at the time of transaction that their details were being skimmed, would the customer have a case for claiming any losses incurred from the retailer? Has APACS issued any guidance on this? Likewise can APACS withdraw the retailer from using Chip and Pin until the processes have been tightened up?
Posted by Daz C at May 15, 2006 07:33 AM
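The static-data versus dynamic-data point from Lynn Wheeler's comment above (why a transcript of a "static data" transaction can be replayed, and why "dynamic data" with a terminal-chosen unpredictable number is the countermeasure), as an added model that is not part of this thread and is not the EMV specification's own code. HMAC with constructed keys stands in for the RSA signatures EMV actually uses, because the replay property depends only on what gets signed, not on the primitive; in the real protocol the terminal verifies with issuer and ICC public keys rather than holding secrets.

```python
import hmac, hashlib, os
from typing import Dict, Optional

# Constructed keys; HMAC is a stand-in for the EMV RSA signature scheme.
ISSUER_KEY = b"issuer-key-constructed"   # used once, at card personalisation
ICC_KEY = b"icc-key-constructed"         # per-card key, used by the chip in DDA

STATIC_DATA = b"PAN=4111111111111111;EXP=2712;SC=201"   # constructed card records

def tag(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

SIGNED_STATIC = tag(ISSUER_KEY, STATIC_DATA)   # signed static application data

class Card:
    """Genuine chip: static records plus, under DDA, a signature over the
    terminal's unpredictable number (INTERNAL AUTHENTICATE)."""
    def read_records(self):
        return STATIC_DATA, SIGNED_STATIC
    def internal_authenticate(self, unpredictable_number: bytes) -> bytes:
        return tag(ICC_KEY, STATIC_DATA, unpredictable_number)

class ReplayedCard:
    """Holds only a transcript captured from one earlier transaction."""
    def __init__(self, transcript: Dict[str, bytes]):
        self.t = transcript
    def read_records(self):
        return self.t["static"], self.t["sig"]
    def internal_authenticate(self, unpredictable_number: bytes) -> bytes:
        return self.t["dyn_sig"]   # cannot sign anything new, just repeats

def capture_transcript(card, un: bytes) -> Dict[str, bytes]:
    static, sig = card.read_records()
    return {"static": static, "sig": sig, "un": un,
            "dyn_sig": card.internal_authenticate(un)}

def terminal_sda(card) -> bool:
    """Static data authentication: checks the issuer signature only."""
    static, sig = card.read_records()
    return hmac.compare_digest(sig, tag(ISSUER_KEY, static))

def terminal_dda(card, unpredictable_number: Optional[bytes] = None) -> bool:
    """Dynamic data authentication: SDA plus a fresh challenge to the chip."""
    if not terminal_sda(card):
        return False
    un = unpredictable_number or os.urandom(4)   # must be fresh per transaction
    static, _ = card.read_records()
    return hmac.compare_digest(card.internal_authenticate(un),
                               tag(ICC_KEY, static, un))
```

The last assertion in the test below is the case to watch for: DDA only defeats replay if the terminal's unpredictable number is actually unpredictable and never reused.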