Saturday, November 11, 2006

The Evils or Otherwise of Chip and Pin ...

That's what I get for going to London for a couple of days :( As any fule kno, the Devil's published a bit about some of the intricacies of the cards networks: The Devil's Kitchen: ChipPin' away at fraud. Read it there, including the comments but I posted a bit in response:
If the terminal has not been modified to record your PIN (which should stop it working, but some crims are clever):

When you conduct a transaction, you enter your PIN and this unlocks the card, allowing the card to do a "challenge / response" authentication with the bank (or, if you are below the floor limit in the shop, just saying "I'm unlocked" to the retailers terminal, which then just does the transaction ignoring the rest of this paragraph.) On most machines, you see "PIN OK" or something similar. The bank and the retailers terminal then do a little dance to determine whether you have enough credit / cash, whether your card has (correctly or otherwise) been reported stolen etc, etc. If the bank says "yes", you get your goods, the retailer's terminal gets an auth code and off you go. The retailer can then modify the transaction - look at this in hotels:

You go in, they make a reservation against your card, which you have authenticated with your PIN. When you check out, they get your signature on your bill (which, unless you have been a real pig, is less than the reservation) - they don't need your card in most cases, they really don't need your PIN. (If they ask for them, they are not necessarily defrauding you, but they are doing a new transaction. The reservation will remain against your credit limit until it times out or they cancel it or you complain bitterly to your card company.

I appreciate people's concern, especially scotstoryb, but the systems as currently engineered to allow for amendments , as far as I am aware this is a function of the electronic tills rather than C&P - what would be interesting to know is whether or not this now makes it a CNP transaction (retailer liable) if they make a deliberate (or otherwise) error ...

The HBOS retail person was wrong - they have the bank auth code, they don't have your PIN. (This doesn't detract from the various comments about the relative weakness of Static Data Authentication as opposed to Dynamic Data Authentication C&P cards - see

Now, if as in the earlier Shell case, somebody has modified the terminals, especially where you have handed your card over and it has been "swiped and docked" - as per Tescos - they have your PIN and they have the mag-stripe data. Not enough to clone your chip but enough to create a mag-stripe only card and use it where either they don't do C&P or where the machines will "fall-back" to mag-stripe. The intent was for you to personally place it in the short terminal (therefore preventing the swipe either in a Tesco's style till or swiftly through a stripe copier).
Okay - but why Chip and Pin - it is relatively easy. Much credit card fraud was conducted with "cloned" cards - mag stripe reader/writers are cheap, ISO standard card blanks are readily available, and the more organised fraudsters can produce very good looking fake cards. ATM skimming gave them your PIN as well - and it is much safer to get money from an ATM than to buy goods - and you have cash immediately. Also, for those really interested, until the new Fraud Act, there was always the issue with the crime of deception that it required you to deceive a human, a machine didn't count.

Chip and PIN was designed to make cloning cards (much, much) more difficult. In order to prevent all the fraud transferring to stolen (but not yet reported as such) cards, you also have your PIN, which (read the small print) only you should know, so your card gets unlocked as described above, before it works.

However, there are, as ever in life, a few complications:
  1. The type of smart-card chosen was the SDA rather than the DDA card - this makes it open to PIN capture attacks using modified terminals - see Mike Bond's Cambridge article here. As far as I am aware (and I was nowhere near the decision-making process), the decision to use SDA was taken because of the then cost of the DDA compatible terminals. I suspect that a few bank execs are now re-considering this.
  2. All of our lovely C&P cards still have mag-stripe on the back. This means that if somebody swipes your card, either 'cause they are not yet C&P merchants, 'cause they capture your details for their MI purposes (e.g. Tesco - but they do this, already having swiped my Clubcard - so their computer already knows who I, or my wife, are - still stops them having to train the staff for dealing with "options", I suppose), or because they are collecting data for fraudulent purposes, they can still make a fake mag-stripe card. If they have buggered the terminal (or have a camera, or are just watching you), they have your PIN as well, so can use the card in swipe and PIN scenarios, such as ATMs. I wasn't aware that this was a cards scheme requirement - in the fuss following this press release, I heard an APACS spokes-weasel (may have been Sandra) say on BBC radio that Mastercard and Visa rules meant that we could not have chip without stripe cards. With Maestro having supplanted Switch, we can't even do it for debit cards :(
  3. Many UK devices (especially ATMs) were configured to do "fall-back" - if they couldn't read the chip (or there was no chip) they would just use the mag-stripe data.
  4. C&P was a UK thing, therefore all you need to do is take your fake cards abroad ...
So, looking at the APACS figures, C&P seems to have done most of what it was intended to do. The fraudsters may have migrated more quickly to other methods, the terminal security - tamper evidence (if opened, it would not longer work) - appears to be weaker for some designs than it should have been, and, as was well known, SDA is not a perfect (there is no such thing) solution.


Charlie Whitaker said...

What I'm not understanding is how a retailer can change the transaction amount after the event and avoid a chargeback. Restauranteurs can process a signed receipt on which you've indicated a tip (or used to be able to, before C&P) and hoteliers, car rental companies, etc. can charge up to the amount reserved on your account. In all these cases, the vendor has obtained agreement from the customer in advance.

Surely by definition what the PFS retailer is doing, as described in the story, is a cardholder not present transaction for which they have no consent.

S. Evil said...

Hmm, yes. How "can" the retailer - or "should". There is a moral / legal / technical ?tri?chotomy here. It is technically possible to alter the transaction before it registers on the back-office system. This is the equivalent of transactions waiting for the tear-off or till-roll to be processed.

Altering a card transaction to reflect the legal bargain agreed rather than the mistake made is technically possible, legal and moral (the last, merely IMHO), regardless of in whose benefit the original error was.

Altering a transaction to change the legal bargain is illegal and immoral. However, it uses the identical technical mechanism.

Whether any such change is a CNP transaction or not depends on the contract between the merchant and the acquiring bank - I don't know enough about these but I assume that the original auth code would probably apply (i.e. the bank is liable for transactions which are not fraud on the merchant's part.)

HTTP Error 403: You are not authorised to access the file "\real_name_and_address.html" on this server.

(c) 'Surreptitious Evil' 2006 - 2017.