ATM fraud and C&P

Minus 20 for the 4-all-same that you have counted *three* times so far.

    1111    4-all-same
    111 1   3+1
    1 111   1+3

And minus 10 for the 4-all-same that you have just counted for a fourth time.

    1111    4-all-same
    111 1   3+1
    1 111   1+3
    11 11   2+2

No, it's 296 keys, or just *under* 3% of the total keyspace.

And you might want to include numbers like 8901 9012 and their reverses for another 4, and numbers like 2468 1357 3579 and reverses (6 more), and maybe 2357 (all the single digit primes, both ways = 2 more). There's probably more - e.g. for the historically-minded, consider 4776 and 7476 (from 4 July 1776).

Reply to
SteveR

I see. You were imagining a totally foolproof self-destruct mechanism. How would you make it foolproof?

OK, if the security involves no obscurity, we may assume the full spec of how it works is available to our attacker, and the attacker therefore has the ability to re-create the whole chip as far as the hardware is concerned. The only thing missing is data stored inside the chip.

The kind of attack I was envisaging involves digging the chip out of its protective covering and using microscopic probes onto those bits of the chip which are normally inaccessible, i.e. hidden behind the processing unit which normally communicates with ATMs and shop EFTPOS terminals. Bypassing this "firewall" gives the attacker all the info needed to clone the chip completely. The probes could directly measure any charge stored in the chip's memory cells, without the chip even being powered-up at the time. Do you think it would be wasy to make a self-destruct mechanism capable of defending the chip against that kind of attack?

Reply to
Ronald Raygun

Without a hint of irony, Ronald Raygun astounded uk.finance on 14 Nov 2004 by announcing:

By having to charge so much for such a device that nobody would buy it in the first place. Protection against attack from freezing, probing, voltage/current, X-ray etc. is possible but costly.

And how easy would it be to mount such an attack?

Reply to
Alex

I don't know, it's just an idea. I doubt it needs to be easy, just possible. It might be very expensive to do, which would put the approach beyond the means of small-time crooks, but if the potential profits justify the development cost, organised syndicates could well decide that it's worth bank-rolling. I suspect such an attack would be easier to mount than to defend against.

So I repeat: Do you think it would be easy to make a self-destruct mechanism capable of defending the chip against that kind of attack?

More to the point: Do you agree that present-technology chips are susceptible to such an attack?

Reply to
Ronald Raygun

And not particularly possible in a device that has to survive living in a person's pocket/bag/car in temperatures ranging from -lots to +lots, pass through x-ray machines, and generally be knocked about rather a lot.

Jim.

Reply to
Jim Ley

Without a hint of irony, Ronald Raygun astounded uk.finance on 15 Nov 2004 by announcing:

Nothing is completely secure. However, I understand that with current technology levels the time necessary to mount a brute-force attack against the chip exceeds the lifetime of the key stored thereon (and the card itself, obviously).

Reply to
Alex

I don't know. I was *asking* whether there was any theoretical reason why a self-destruct mechanism could not be completely proof, not only against fools but against determined smart attackers.

Yes.

I don't know whether it would be wasy. I don't know whether it would be easy, wather.

Reply to
Henning Makholm

I dare say there is no theoretical reason, but it's practical reasons that matter. It's not much consolation to fraud victims to learn that what happened to them could well have been theoretically avoidable.

Forget wasy. How about raleistically achievable?

Reply to
Ronald Raygun

"Alex" wrote

One minute later, "Alex" wrote

Why is it stored on the magstripe, if the reader doesn't bother looking at that to decide whether there should be a chip or not - but simply tries to "talk" to a chip anyway & ignores it if it gets no answer?

Reply to
Tim

There is some scope for confusion here. I thought we were talking about a reader which can read both, without the need for the operator to take any action. Basically, a swipe ending up with the chip "connected".

I now suspect such readers are rare. I noticed yesterday when I bought something at Asda, the checkout chick, noticing that my card had a chip, stuck it into the chip reader and was getting no joy (this is a card for which I do not (yet?) have a PIN) and then, without raising an eyebrow or speaking a word, stuck it into a *different* reader attached to the *same* till to read the magstripe, whereupon all was well. For the avoidance of doubt, I wasn't asked to enter a PIN; the machine must have known I didn't have one.

Is there also a service code on the chip which says "don't look at me, I'm only the piano-player, go and read the stripe"?

Reply to
Ronald Raygun

Without a hint of irony, "Tim" astounded uk.finance on 18 Nov 2004 by announcing:

To instruct the terminal that this card has a chip on it in the event that a cashier tries to read the mag stripe first.

Reply to
Alex

Without a hint of irony, Ronald Raygun astounded uk.finance on 18 Nov 2004 by announcing:

Swipe & Park; they have them in Tesco AFAIK.

You will *not* be asked for a PIN unless the transaction is processed via the chip, since it's the chip that authenticates your PIN.

No. There are several reasons for the chip transaction not to go through, including but not limited to:

  • Faulty chip
  • Faulty chip reader
  • Card doesn't actually contain an EMV chip
  • No valid application on the chip
  • Application has expired

Reply to
Alex

And what will it do in that circumstance (when the chip doesn't actually exist, even though the magstripe says it does)?

Does it try to read the non-existent chip, then still proceed using the info from the magstripe as for a *non*-chipped card (as you agreed it did earlier)? In that case, is there any point in having the info on the magstripe at all??

If it is going to proceed using magstripe when a chip doesn't "talk back" to it, then surely there is no point in having the magstripe tell it there is a chip (really it would just be saying "there *might* be a chip - go check!" - which could be the procedure in all cases & save having the info on the magstripe).

Conversely, if the info on the magstripe (that a chip exists) is to be of any real security use, then the system should *not* accept the transaction via info on the magstripe when the magstripe says there should also be a chip.

Reply to
Tim
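
The two terminal behaviours argued over in the posts above (fall back to the stripe when the chip stays silent, or refuse because the stripe says a chip should be there), as an added example that is not part of the thread. The Track 2 layout and the meaning of a leading service-code digit of 2 or 6 follow ISO/IEC 7813; the `allow_fallback` switch, the action names and the sample track strings are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM SSS discretionary?
TRACK2 = re.compile(r"^;(\d{1,19})=(\d{4})(\d{3})(\d*)\?$")

# A first service-code digit of 2 or 6 means the card carries a chip
# that should be used where the terminal can read it.
CHIP_DIGITS = {"2", "6"}


@dataclass
class Track2:
    pan: str
    expiry: str          # YYMM
    service_code: str    # three digits

    @property
    def claims_chip(self) -> bool:
        return self.service_code[0] in CHIP_DIGITS


def parse_track2(raw: str) -> Track2:
    m = TRACK2.match(raw)
    if not m:
        raise ValueError("not a well-formed track 2 string")
    return Track2(pan=m.group(1), expiry=m.group(2), service_code=m.group(3))


def decide(raw_track2: str, chip_answered: bool, allow_fallback: bool) -> str:
    """Terminal action for one card presentation.

    allow_fallback is a hypothetical policy switch, not a real terminal setting.
    """
    card = parse_track2(raw_track2)
    if chip_answered:
        return "CHIP"                  # chip is talking: PIN is verified via the chip
    if not card.claims_chip:
        return "MAGSTRIPE"             # stripe-only card, nothing to enforce
    # Stripe says "chip present" but nothing answered: faulty chip, faulty
    # reader, or a chip that has been deliberately killed or removed.
    return "MAGSTRIPE_FALLBACK" if allow_fallback else "DECLINE"


# Constructed sample data (test PAN, not a real card).
CHIP_CARD = ";4111111111111111=06122011234567?"    # service code 201
STRIPE_CARD = ";4111111111111111=06121011234567?"  # service code 101
```

With `allow_fallback=True` a card whose chip has been disabled is handled exactly like a card with a faulty chip, which is the gap the thread is arguing about; with `allow_fallback=False` the service code becomes an enforceable control at the cost of declining genuinely faulty cards.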

Without a hint of irony, "Tim" astounded uk.finance on 19 Nov 2004 by announcing:

The chip will exist. If there is no chip on the card, the service code will not say there is. If the card is inserted but the chip cannot be read, the terminal prompts the user to swipe the card. Theoretically this allows a dodgy merchant to insert a duff card and then perform a mag swipe transaction on the real card.

Reply to
Alex

We have been talking about dodgy fraudsters simply "killing" the chip (removing it, whatever) - and so using a stolen card using 'magstripe & signature' instead. In that case the chip *won't* exist. And also the service code *will* say that there *is* a chip.

Reply to
Tim

Scripsit Alex

Then how come I've been using PIN for >10 years but only got a card with a chip on it this spring?

Reply to
Henning Makholm

That was an online PIN you've been using. EMV introduces offline PIN.

Reply to
Matthew

In message , Henning Makholm writes

Because you've only ever been asked at ATMs. This thread is about PINs at retail outlets.

Reply to
john boyle

In message , Matthew writes

No, PINs have always been 'offline' in so far as the PIN has always been stored on the card.

Reply to
john boyle

Scripsit john boyle

Actually not, but I was playing the deliberately-obtuse game and immediately thought better of it and tried to cancel my message. Unfortunately many news servers do not (for excellent reasons) process cancels.

The full story, now that the cat is out of the box, is that my >10 years of PIN use did not happen in the UK. Since the mid-1980's, retail transactions in Denmark using Danish-issued cards have been swipe-and-PIN. When going (and, recently, moving) abroad I have always been struck by the sheer bother of signing and passing little paper slips back and forth each time I wanted to pay something with plastic. Nowadays I prefer using cash. It feels easier and safer than the paper slip merry-go-round. I do find it somewhat bemusing to read these discussions where PINs are invariably presented as something that is tied to having a chip on the card.

But all of this is admittedly only tangentially relevant, if at all, to the thread, and I apologize for having the bad idea to try to angle it in sideways.

Reply to
Henning Makholm
