With our daily lives increasingly consisting of card payments and less of cash, it is important to know when you are being scammed. Traditional cases of skimming magnetic strip cards are decreasing, but novel attacks on modern card terminals are on the rise. When do you dare to stick your banking card in a payment machine?

Traditionally, the most popular attack on debit cards is skimming. In this type of attack, the adversary tries to copy your magnetic strip and capture your PIN, in order to make a copy of your card and collect your money. In practice, skimming equipment is very hard to recognise on an ATM. There probably is some copying device in the card slot, and a camera or keyboard overlay capturing your PIN entry. The latter is especially deceptive, as covering your hand while entering your personal code is not going to help.

Chip and PIN: The Novel and More Secure Payment Method
Luckily, magnetic strips are decreasing in popularity. In fact, one large Dutch bank blocked the magnetic strip for European payments, resulting in a steep decrease of skimming fraud. For this reason alone, I am a big fan of the transition to what is called “the new way of card payment” in the Netherlands.

This chip and PIN payment method refers to using the chip on your banking card for cryptographic operations. Basically, your card can put unforgeable cryptographic signatures on a transaction, thereby authorising the payment. Most importantly, it is nearly impossible to copy a chip on a debit card without using all sorts of tooling that would make the owner of the card suspicious. For example, I would raise an eyebrow if a store owner started examining the power levels on my card or fetched machinery for measuring electromagnetic radiation – and even then, it requires quite some expertise to get anywhere without breaking the card.

Novel Attacks on Novel Payments
In theory, chip and PIN payment is a wonderful and very robust method. However, as the real world is not like any theory, there have been some failures along the way. Previously, I wrote about a now superseded attack on EMV – the major protocol used by chip and PIN. This was a so-called man-in-the-middle attack. In other words, the adversary puts himself between the card and the terminal. Specifically, the attack abuses the fact that checking the PIN and authorising the transaction are separate steps.

The EMV attack works as follows: the attacker uses a hidden device between the card and the terminal. This device does nothing until the stage where the PIN is to be verified. At this point, it asks the card for a signature verification, which does not require a PIN, and acts towards the terminal as if everything is fine. When the actual authorisation starts, neither the card nor the terminal notices that the authorisation concerns a signature-based transaction, due to the strict separation of those stages. The solution is, thus, to make the verification method a strict part of the authorisation.
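The fix described above, sketched as a toy model in Python. This is an added example, not code from the original article or from any EMV implementation; the message fields, the HMAC construction and the key are assumptions made for illustration, and real EMV data formats differ.

```python
import hashlib
import hmac

# Constructed demo key; in this toy model it is shared by the card and its issuer.
CARD_KEY = b"constructed-demo-key"


def _mac(amount_cents, method):
    """MAC over the amount and the verification method (hypothetical encoding)."""
    msg = f"{amount_cents}|{method}".encode()
    return hmac.new(CARD_KEY, msg, hashlib.sha256).hexdigest()


def card_authorise(amount_cents, method_seen_by_card):
    """Card side: authorise the payment and record which cardholder
    verification method the card itself actually performed."""
    return {
        "amount": amount_cents,
        "card_method": method_seen_by_card,
        "mac": _mac(amount_cents, method_seen_by_card),
    }


def issuer_check(card_data, method_reported_by_terminal, bind_method=True):
    """Issuer side: verify the card's MAC and, when bind_method is set, require
    that the card and the terminal agree on how the cardholder was verified."""
    expected = _mac(card_data["amount"], card_data["card_method"])
    if not hmac.compare_digest(expected, card_data["mac"]):
        return "declined: bad MAC"
    if bind_method and card_data["card_method"] != method_reported_by_terminal:
        return "declined: verification method mismatch"
    return "approved"


if __name__ == "__main__":
    # Honest transaction: card and terminal both saw a PIN check.
    print(issuer_check(card_authorise(1000, "pin"), "pin"))
    # Card performed a signature transaction, terminal believes the PIN was
    # checked. With the stages kept separate, nobody compares the two views.
    split = card_authorise(1000, "signature")
    print(issuer_check(split, "pin", bind_method=False))
    # With the method bound into the authorisation, the disagreement is caught.
    print(issuer_check(split, "pin"))
    # Rewriting the card's field in transit does not help: the MAC no longer fits.
    forged = dict(split, card_method="pin")
    print(issuer_check(forged, "pin"))
```

Only the last two cases are declined, which is the point of the fix: the authorisation itself has to carry the verification method and be checked against what the terminal reports.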

Additionally, as card terminals are also small computers, they can potentially be hacked. For example, numerous buffer overflows were recently found on both remote and local interfaces of card terminals. In other words, card terminals have input validation faults, too. When a terminal is compromised, either by its owner or a third party, one can imagine the transaction alterations and PIN stealing this enables.

Liability: Because That Is What Banks Care About
The real problem with modern secure payment methods is liability. In the past, an insecure banking card was considered a problem of the bank, which had to refund your losses. The chip and PIN method is considered very secure, which changes this situation. There have been cases where a bank stated that the loss must have been caused by a sloppy customer not taking proper care of security, even though, in fact, an unknown attack on the banking card was used.

Considering liability, banking customers may prefer a not completely secure system with full liability on the side of the bank over an almost secure system in which a customer has to involve information security experts to prove that it is not his fault. Researcher Steven Murdoch of the University of Cambridge got his fair share of being such an information security expert in court.

So, Are You Scared Yet?
We cannot conclude otherwise than that banking card security is getting better these days. Nevertheless, novel attacks are being developed and the attack surface changes. Aside from this long-running struggle between attackers and defenders, the most interesting effect in practice is the liability shift. In the end, the best thing about banking security always was the fact that banks tended to guarantee refunds when their security was broken.
