Gaping hole in Chip 'n' PIN security

I don't often use my company credit card when out and about (it mainly gets used for paying for things online), so when I was away on business recently and came to pay the bill with my company credit card, I realised that I wasn't sure I could remember what the PIN was.

I typed in a number that I thought it was, and the machine said "PIN incorrect". I typed in another number, and got the same message. I thought I'd better not try for a third time, as my understanding (is this correct?) is that if you make 3 incorrect attempts the card gets blocked, and by this time I wasn't at all confident I'd remembered the PIN at all.

So I called the waitress back to ask if I could use another card, and she said there was no need because the transaction was already authorised. I looked at the machine, and indeed that was what it was saying.

I thought that maybe I'd misread the "PIN incorrect" notice, so I got the card out again for dinner the next day, and the machine said that it was the last attempt, so presumably it thought I had already tried twice with the wrong number.

Now, I'm no security expert, but if a transaction can be authorised even if you type in the wrong PIN, isn't that a bit of a flaw in the system?

All this happened in France, if that makes any difference.

Adam


I had a vaguely similar experience recently - ordered some stuff online for work from a very large, well-known UK supplier's website.

I wanted to pay using the company credit card; got as far as the "Mastercard SecureCode" verification page but didn't know the passphrase and no-one else around did. Hit "cancel" but got a "Thank you for your order" screen. A phone call to the company confirmed that payment had been received.

Reentrant

I had that just a minute ago. It claimed to be Natwest Bank's website, but examination of the security certificate showed that it wasn't. It was from an "unknown" entity. So I cancelled the transaction.

Jonathan Bryce

If you mean Cyota Inc., that's relatively man-in-the-middle secure for a UK bank. The normal situation is that the certificate is that of the credit card processor, at which point I give up and see if the company will take BACS transfers.

David Woolley

Yes, it's quite possible for the transaction to proceed with no PIN verification at all. Needless to say, most of the time this option is turned off. It's entirely down to the bank's risk model.

I'm not familiar with the French terminals, but it's possible the terminal wasn't actually doing an EMV transaction at all. I think I've heard of Carte Bleue terminals asking for PINs which were Carte Bleue PINs and not much to do with EMV. Lack of CB might mean a magstripe fallback - was there a facility to read the magstripe on the terminal? (Most of the magstripe data can be read from the chip, but on recent cards not the iCVV, which allows magstripe transactions.) Though the fact that the PIN retry counter was decremented (as shown by your later attempt) does indicate that EMV was going on. At the end of the day it's up to the retailer and the bank to decide what to accept.

Theo Markettos

And when the card-holder discovers his card's been stolen and used without the PIN, the bank will claim he must have entered the PIN, so he's liable for the transaction. And no-one can prove otherwise.

Which makes me wonder how this legitimised theft still made it possible for banks to go bust.

Martin

Well, I've since spoken to my bank, and that's pretty much what they said. Apparently retailers have the option to override the PIN if they choose. The bank told me that that's an extra risk for the retailer, which they can choose to take or not. They told me that my transaction was shown on their system as "PIN overridden", which means that if I'd queried the transaction and the restaurant couldn't produce a bit of paper with my signature on it, then in theory I'd get my money back.

Whether that would actually happen in practice, of course, is another matter.

Adam

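Theo's and Adam's posts above describe the mechanism in prose: a wrong PIN decrements the chip's PIN try counter, the terminal can fall through to signature or "no CVM", and whether that ends in an approval is the issuer's risk decision, with a "PIN overridden" approval only defensible by the merchant if a signed slip exists. The following is an added example written for this page, not code from any poster, bank or EMV kernel: a deliberately simplified model of cardholder verification and issuer authorisation. The CVM names, the two issuer policies, the try limit of three and the sample transaction records are all assumptions constructed for the illustration.

```python
"""Simplified model of EMV cardholder verification (CVM) fall-through and
issuer authorisation.  Constructed for illustration; not EMV kernel code."""
from dataclasses import dataclass
from typing import Callable

PIN_TRY_LIMIT = 3  # assumption: common issuer setting, three wrong PINs block the card


@dataclass
class Card:
    pin: str
    pin_try_counter: int = PIN_TRY_LIMIT


@dataclass
class Result:
    cvm_used: str              # "offline_pin", "signature", "no_cvm" or "none"
    failed_pin_attempts: int
    pin_blocked: bool
    authorised: bool
    reason: str


def offline_pin_verify(card: Card, entered: str) -> bool:
    """One offline PIN check against the chip.  A wrong PIN costs one try;
    at zero the chip refuses further PIN checks until the issuer unblocks it."""
    if card.pin_try_counter == 0:
        return False
    if entered == card.pin:
        card.pin_try_counter = PIN_TRY_LIMIT  # a correct PIN resets the counter
        return True
    card.pin_try_counter -= 1
    return False


def terminal_cvm(card: Card, entered_pins: list, cvm_list: list) -> tuple:
    """Walk the card's CVM list in order.  If offline PIN fails for every entry
    (or the chip blocks), fall through to the next method on the list.  This
    fall-through is what lets two wrong PINs still end in an approved sale."""
    failed = 0
    for method in cvm_list:
        if method == "offline_pin":
            for pin in entered_pins:
                if offline_pin_verify(card, pin):
                    return "offline_pin", failed
                failed += 1
                if card.pin_try_counter == 0:
                    break
            continue  # PIN did not verify: try the next CVM on the list
        if method in ("signature", "no_cvm"):
            return method, failed
    return "none", failed


Policy = Callable[[str, bool], tuple]


def strict_issuer(cvm_used: str, pin_blocked: bool) -> tuple:
    """Risk model that approves a chip transaction only when the PIN verified."""
    if cvm_used == "offline_pin":
        return True, "PIN verified"
    return False, "PIN not verified; issuer policy requires PIN"


def permissive_issuer(cvm_used: str, pin_blocked: bool) -> tuple:
    """Risk model that lets the merchant accept signature/no-CVM (the 'PIN
    overridden' case); the merchant then carries the dispute risk."""
    if pin_blocked:
        return False, "PIN try limit exceeded"
    if cvm_used == "offline_pin":
        return True, "PIN verified"
    if cvm_used in ("signature", "no_cvm"):
        return True, "PIN overridden, approved on %s; merchant bears dispute risk" % cvm_used
    return False, "no cardholder verification possible"


def run_transaction(card: Card, entered_pins: list, cvm_list: list, issuer: Policy) -> Result:
    cvm_used, failed = terminal_cvm(card, entered_pins, cvm_list)
    blocked = card.pin_try_counter == 0
    ok, why = issuer(cvm_used, blocked)
    return Result(cvm_used, failed, blocked, ok, why)


def undefended_overrides(records: list) -> list:
    """Acquirer/merchant-side check matching what Adam's bank described: an
    approval with the PIN overridden is only defensible in a dispute if the
    merchant holds a signed slip.  Returns the ids of those that lack one."""
    return [r["id"] for r in records
            if r["cvm_used"] != "offline_pin" and not r["has_signature_slip"]]


if __name__ == "__main__":
    # Adam's restaurant: two wrong PINs, terminal falls through to signature.
    card = Card(pin="1234")
    r = run_transaction(card, ["0000", "1111"], ["offline_pin", "signature"], permissive_issuer)
    print(r, "tries left:", card.pin_try_counter)
    # Same card and entries under a strict issuer: declined, counter still decremented.
    print(run_transaction(Card(pin="1234"), ["0000", "1111"], ["offline_pin", "signature"], strict_issuer))
    # Constructed sample records for the reconciliation check.
    sample = [
        {"id": "t1", "cvm_used": "offline_pin", "has_signature_slip": False},
        {"id": "t2", "cvm_used": "signature", "has_signature_slip": False},
        {"id": "t3", "cvm_used": "signature", "has_signature_slip": True},
    ]
    print("disputable without evidence:", undefended_overrides(sample))
```

The point the model makes visible is that the chip's try counter and the authorisation decision are independent: the counter records what the cardholder typed, while the approval is whatever the CVM list and the issuer policy allow once PIN has failed. A merchant or acquirer reviewing "PIN overridden" approvals should treat any without a retained signature slip as undefended, which is exactly what `undefended_overrides` lists.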

In message , Adam writes

Does this mean that yet another "gaping hole" has been filled?

There was some interesting stuff on Watchdog tonight about using Wi-Fi points in cafés, hotels or just about any public access point.

The advice: never use a Wi-Fi point to visit web sites which involve entering your user name & password, and it follows that you shouldn't use Wi-Fi access points to access your email account.

They demonstrated how your account could be hijacked and you could be locked out of it.

Gordon H

All of which suggests that using ssh to access a command-line/text-only email system is the way to go.

tinnews

It's a sad reflection on modern life that people don't seem to be able to work that out for themselves.

Mike Barnes

Remembering to use public-key (or at least challenge-response) authentication, not passwords. Alternatively, if you do use a web or GUI based mail reader, make use of SSH's port (or X11) forwarding facilities and connect via your (fixed line) home or office system.

Graham Murray

And what percentage of the population knows this, let alone is able to configure it?

harikeo

The whole Verified by Visa & MasterCard SecureCode setup is designed to break every rule that people have been taught for online security. It's a stupid system and has failed for me once. It claimed my password was wrong, so after discussions with a droid on the phone she recommended resetting the password. Which I did, only it wouldn't, because I wanted to use the same password as before and it claimed that this wasn't possible... which meant I had got the password right earlier; it'd just been acting up. Oh, and the setup doesn't work in Firefox (or didn't) - which of course I only found out after a lot of messing about.

There's no sense in having popups, in-page or otherwise, to other addresses that are not connected with either the shop or the bank. It's confusing and just plain wrong.

If they want people to verify online then they need to issue dongles producing IDs like they do for logging in to bank accounts.

mogga
