By Suburban Inmate Posted Friday 10th October 2008 23:44 GMT
I always said that details would be lifted straight off the RS232 interface (and they have been), but this... Possible but not worth the arseache? I stand humbly corrected!
By Anonymous Coward Posted Saturday 11th October 2008 01:21 GMT
... how the hell is the average customer supposed to defend against this one?
"Excuse me, can I weigh your card swiper before you rack up that transaction"?
I'm a bit surprised they're not inspected in-country and sealed with a sticker or maybe even a wire-and-lead seal before being issued to merchants. Maybe that's what's needed.
By Anton Ivanov Posted Saturday 11th October 2008 05:54 GMT
Well, Chinese mafia should get a well deserved applause for this one.
If Mastercard and Visa used a proper x509 smartcard and signed each transaction on the card instead of symmetric voodoo pseudo-security this would not have happened. You cannot clone such a card as the private key never leaves it. It is more expensive, but it's worth it.
By lglethal Posted Saturday 11th October 2008 10:31 GMT
Outsourcing a product of this sort of security importance to places where corruption is a daily part of life. Considering it's now costing banks millions of dollars maybe they'll think about bringing the production back to places which are a little bit more secure?
Nah probably not - the losses can be written off as a tax deduction no doubt, whereas the manufacture of these things still costs money they can't write off. So don't expect this to change anytime soon!
By Simon Lucas Posted Saturday 11th October 2008 16:00 GMT
serves them right....
the big supermarkets should have blocked mobile phone usage within their shops
as these hackers are using BlackBerrys embedded in the terminals!!!
bet you there is one of these dodgy devices embedded in checkin 23 at Asda in Norwich!
as BB's give me super migraine when they start transferring data onto the network, and I got hammered one evening whilst paying for goods there last year! There was no one in either queue who had one as I asked at the time, so it's odds on there was something dodgy in the checkout kit.
I'll ask later, when I'm up there, to see if they had their terminals checked yet!
hmmm maybe it's time I bought one of those mobile phone jammers to go with the wifi one I have :)
Mine's the one with all the short antennas sticking out the collar....
By Hayden Clark Posted Saturday 11th October 2008 16:41 GMT
If the card had a membrane keyboard 0-9, OK/Cancel, which was wired into the on-card chip, the PIN would never go near the terminal. Could that not eliminate the "untrusted terminal" problem?
By Joe Harrison Posted Saturday 11th October 2008 18:21 GMT
EXCUSE ME???
So the standard Chip and Pin unit cannot perform a firmware and hardware check on itself before being allowed in to shops?
I swear that even the Xbox 360 checks its hardware and firmware whenever it wants to connect to Xbox Live, so why don't the chip and pin units do this with bank servers, displaying a simple message on-screen?
If microsoft can do this, why can't people who make ultra-secure money-handling devices secure?
By Anonymous Coward Posted Saturday 11th October 2008 19:10 GMT
I asked a manager in Asda, it looks like they binned all their chip-n-pin units on all checkouts and replaced them with brand new ones about 2 months ago, so this problem is probably well sorted by now.
By Anonymous Coward Posted Saturday 11th October 2008 20:46 GMT
For the bad guys Chip & PIN is a dream come true. As a bad guy I want cash. In the past I had to clone your card and use it to buy goods, and sell them for 10% of their value to get cash. Now I copy your card and PIN by one of the multitude of methods, stick it in an ATM in somewhere far flung and get cold hard cash.
Simple solutions, either a mandatory different PIN for ATM use, make ATM use optional, or subject to a maximum 'one off' emergency withdrawal.
But then the banks couldn't charge the morons who do make cash withdrawals on a credit card.
By Anonymous Coward Posted Saturday 11th October 2008 23:18 GMT
I am not in the least bit surprised this has happened, the only surprising thing is that it has not been detected earlier.
So is it about time that sensitive stuff like this is taken out of the globalisation voodoo crock and brought in-country and sourced from extremely reputable suppliers.
What happens to stores or supply chain employees who don't want to cooperate with the scam?
By vits3k Posted Saturday 11th October 2008 23:49 GMT
And in a separate and _entirely_ coincidental item, if anyone in the target stores or supply chains in these EU countries wants to report the problem, or doesn't want to cooperate, they or their families are without any meaningful legal right or means to defend themselves when the thugs arrive to "convince" them.
Yay for being able to refuse, on principle, to cooperate with a scam and survive the refusal...
By Colin Critch Posted Sunday 12th October 2008 14:44 GMT
First of all, getting the firmware to do a self check would achieve nothing if the data is being tapped and decrypted. Second, putting a keypad on the card would be pointless as you could manufacture cards that did not need a PIN once the protocol was broken.
Better would be to test the units for any GSM signals or any dodgy packets. A bit like a soak test testing for EMC.
By Anonymous Coward Posted Sunday 12th October 2008 18:17 GMT
the trojans that Chinese and other manufacturers are putting on the Hard Drives that they produce and ship to the West! Pretty scary to think some **** controls your computer with a root kit or other variation on your brand new hard drive that is undetectable.
By Anonymous Coward Posted Sunday 12th October 2008 18:46 GMT
These devices that were piggy backed into the hand terminals were simply wired into the data and power lines on the devices, they were not interrupting the data flow but simply listening in on it.
As such you cannot simply add hardware to watch and match the impedance of a digital signal as it exits a PIC or hybrid chip and goes into another on the same board. (Yes, you could in theory start increasing the density of the chips and add encryption to the data flow, but it all adds substantially to the cost (yeah, like replacing major parts of the cash till as well), and as we have seen the manufacturer will always pass the cost on to the consumer - YOU!)
Simply replacing ALL the chip-n-pin units then ensuring they were effectively destroyed (sledgehammer time then off to landfill no doubt) wasn't the most environmentally friendly way to dispose of the problem either.
Don't forget, there are still thousands of these compromised devices out there, the big supermarkets are dealing/dealt with the problem, and do it very fast due to their sheer size and economics of their business.
There are many businesses that will have to bear the cost of replacing these units (which are not cheap!) themselves, even though it is the supplier VISA/MASTERCARD/BARCLAYS that are the ones forcing this equipment on them.
Since it is the equipment supplier that is at fault, it should be them that bear the full blame and cost of the replacement of these devices...
along with full compensation to all customers who have been compromised...
Mine's the one weighing 3 ounces too much.... with the funny Chinese ringtone........
By Anonymous Coward Posted Monday 13th October 2008 05:52 GMT
@ lglethal
CC companies pass the loss off to the merchant who accepted the fraudulent transaction... they do some investigations to look like they are pro consumer and anti fraud, but they don't really have that much incentive to prevent fraud.
@P. Lee
Weighing the terminals before plugging them in only works until the crime gangs manage to get their equipment included earlier in the design / manufacture cycle.
By Anonymous Coward Posted Monday 13th October 2008 09:08 GMT
As I understand it, the supermarkets couldn't care less. They get the money from the bank, and because it was verified by a PIN, the risk of the transaction is borne by the banks (or the cardholder).
By Anonymous Coward Posted Monday 13th October 2008 11:21 GMT
Hmm, tricky one.
1 - it's an add-on, so the electronics won't detect changes as inputs are tapped before they get to the tamperproofing
2 - if you block mobile comms there will be another way. You're fixing the wrong problem (more on that later)
Now, little disclosure here: I actually work for the company that solved this whole problem about a year ago (well, actually several years ago, but now it's becoming a "real" company :-).
What you need during a transaction (i.e. the problems):
1 - ensure you're talking to the actual account holder
2 - assure to the account holder that you are, indeed, the payment handler
3 - secure this whole process to ensure authentication, authorisation, confidentiality and integrity of the process.
Where an ATM as well as a CC terminal fall down is point 2 (well, OK; 1 as well, PIN is easy to tap) - that is never done, in a fashion identical to you calling the bank you're never assured it is indeed the party you want to talk to (tip: NEVER talk to the bank if they call you unless you know the voice of the banker personally - which is IMHO rare). Point 3 is inadequately dealt with by the "secure shell" approach (secure network and "secure" terminal, which means a rogue insider -network or hardware- nulls your whole approach). QED, clearly.
The solution is to put the security on the card, AND THE DISPLAY. This requires a safe card (i.e. with crypto chips), and a safe transmission medium. I have seen a couple of credit cards under development that have fingerprint readers (tricky to keep working unless you use a sleeve as a reader is quite sensitive), thus authenticating users (or parts thereof), and I've seen some that have a display (power supply question, plus connection requires driver installation - thus again software risk) which confirms the transaction and could theoretically solve the terminal issue by means of crypto-on-card. So a system that can accept input of sufficient volume to support end-to-end crypto but does not rely on a physical connection is better.
Another advantage of non-physical connection is a degree of asymmetry. If you want to use biometrics you should do so locally, on the token only (no big brother databases to protect or worry about). Having no data path OUT of the card/device/whatsit means that that fingerprint data simply cannot leak even if the card was compromised.
But you'll need both to do it right, and you're having to convince various people that investing money again is a good idea. Imagine how the person must feel who carefully worked out the existing solution which hasn't been written off yet, and you can see why it will take a while before new solutions will become available to you. First they need to know about the newer solutions, need to be assured it actually works, work out ROI and find out if customers actually want/like it. Ease of use is very important or the customer will bypass your new solution where they can, or -worse- go to the competition instead.
It'll be in the press soon enough - I will supply El Reg a few to play with once we have a production volume. Until then I won't mention the name because that would be unfair advertising (maybe that's unusual, but I'm in engineering, not Sales :-) ).
By Destroy All Monsters Posted Monday 13th October 2008 11:36 GMT
"the trojans that Chinese and other manufacturers are putting on the Hard Drives that they produce and ship to the West! Pretty scary to think some **** controls your computer with a root kit or other variation on your brand new hard drive that is undetectable."
Stop hitting the hookah. You know how a hard disk works, right? Like, it's ATA compatible and stuff?
By Richard Posted Monday 13th October 2008 11:53 GMT
It's not the retailer that takes the hit. The info is used to clone a mag stripe card, which is then used at an ATM somewhere abroad where chip'n'pin doesn't exist yet.
Two solutions - either ban using the same PIN for chip and stripe, or do proper x509 cards with on-chip authentication.
By Benjamin Wright Posted Tuesday 14th October 2008 23:44 GMT
A quote in the article says the hackers are performing at a level of sophistication that rivals foreign intelligence services. The implication: Payment card data security requires much, much more than just forcing merchants to lock down data and comply with the PCI (payment card industry data security standard). Card data security is on par with national security issues. Card security requires wholesale rethinking of the credit card system. The US Federal Trade Commission misunderstands the magnitude of the problem. The FTC is locked in an old-fashioned belief that data in-security is due to stupid merchants (like TJX) treating consumers (and their privacy) "unfairly" by failing to secure their systems. We need fresh thinking and better leadership on this issue from the FTC. --Ben http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html
Comments on: Organized crime tampers with European card swipe devices
they told you so
By wayne tavitt Posted Friday 10th October 2008 22:09 GMT
Well you gotta give them credit.
By Suburban Inmate Posted Friday 10th October 2008 23:44 GMT
House of cards.
By I. Aproveofitspendingonspecificprojects Posted Saturday 11th October 2008 00:55 GMT
Well ...
By Anonymous Coward Posted Saturday 11th October 2008 01:21 GMT
For once
By ratfox Posted Saturday 11th October 2008 02:47 GMT
Applause
By Anton Ivanov Posted Saturday 11th October 2008 05:54 GMT
Is anyone at all surprised by this?
By lglethal Posted Saturday 11th October 2008 10:31 GMT
TIN FOIL HAT TIME!!!
By Simon Lucas Posted Saturday 11th October 2008 16:00 GMT
We need cards with buttons on
By Hayden Clark Posted Saturday 11th October 2008 16:41 GMT
Simple Protection?
By Joe Harrison Posted Saturday 11th October 2008 18:21 GMT
Asda is sorted...
By Anonymous Coward Posted Saturday 11th October 2008 19:10 GMT
ATMs are the problem
By Anonymous Coward Posted Saturday 11th October 2008 20:46 GMT
Excellent
By Anonymous Coward Posted Saturday 11th October 2008 23:18 GMT
What happens to stores or supply chain employees who don't want to cooperate with the scam?
By vits3k Posted Saturday 11th October 2008 23:49 GMT
re: tin foil hat time
By P. Lee Posted Sunday 12th October 2008 04:57 GMT
EMC test or crack it open
By Colin Critch Posted Sunday 12th October 2008 14:44 GMT
As importantly what about.....
By Anonymous Coward Posted Sunday 12th October 2008 18:17 GMT
Mag stripe ATMs are the problem
By Nano nano Posted Sunday 12th October 2008 18:33 GMT
#re simple protection
By Anonymous Coward Posted Sunday 12th October 2008 18:46 GMT
This is the Title
By Anonymous Coward Posted Monday 13th October 2008 05:52 GMT
Packistan
By dudeskinn Posted Monday 13th October 2008 07:35 GMT
Big supermarkets
By Anonymous Coward Posted Monday 13th October 2008 09:08 GMT
Re hardware checks & new terminals
By Anonymous Coward Posted Monday 13th October 2008 11:21 GMT
Lol wut??
By Destroy All Monsters Posted Monday 13th October 2008 11:36 GMT
@ various - the retailer doesn't care
By Richard Posted Monday 13th October 2008 11:53 GMT
fresh thinking needed
By Benjamin Wright Posted Tuesday 14th October 2008 23:44 GMT