[Dave Birch] Well that was dull. I got all excited about this…

Whatever you buy in the shops, you probably pay with a chip and pin card, tonight Newsnight has exclusive evidence that they are vulnerable to fraudsters. The implications could be huge for millions of shoppers. We’ll be asking what are the banks going to do about it?

[From BBC NEWS | Talk about Newsnight | Tuesday, 26 February, 2008]

But it turned out not to be an exciting breach of chip and PIN security, using (for example) liquid nitrogen to extract keys or something similar, leading to “chip and PIN” fraud, but “PIN fraud” as usual. The allegation — which is, as far as I know, wholly true — is that track 2 data and PINs are being stolen from compromised terminals and then used to create counterfeit magnetic stripe cards. Sandra Quinn from APACS, who was being tortured by Paxo (it’s a peculiarly British bloodsport), said — again, wholly true — that ICVV has been introduced from 1st January 2008 to mitigate this particular fraud. For the uninitiated, ICVV replaces the CVV in the Track 2 (equivalent) data stored in the EMV chip. Thus, if a bank host sees a magnetic stripe transactions with the ICVV in it, they know it’s a counterfeit stripe. The ICVV varies from CVV by replacing the PAN Sequence Number with 99 instead of the actual value when deriving the code.

I must point out, in the spirit of shared openness and truth seeking, that we just checked the three cards we could find in our office that were issued after 1st January 2008 and we found that the Barclaycard and the Nationwide card do have ICVV, the other unnamed large U.K. issuer’s card doesn’t have ICVV. So, on balance, Sandra wins!

The guys at Cambridge (who were featured in the programme — I’ll see if I can grab them for a podcast next time I’m in Cambridge) made a number of good points (asking, for example, why cardholder data is sent between cards and terminals in the clear) but in essence it’s the same story that we’ve been tracking here for years. Not that I’m in any way dismissing the real problems that it means for members of the public whose cards details are compromised in nobbled terminals. And Ross’ key point that PINs used to be only used in controlled environments (ATMs) but are now used everywhere and are therefore easier to steal is, of course, unanswerable. The solution is to stop using magnetic stripes, of course, but that looks some way off!

Following on from the programme, and yesterday’s blog posts, I was once again thinking about the difference between tamper-resistant and tamper-evident. As far as I am aware — but I’d be delighted to receive more information on this topic — there is no requirement for EMV POS terminals to be tamper-resistant but they are supposed to be tamper-evident. The always-worth-reading Nick Szabo had a good post talking about tamper-evident technology. He wasn’t talking about smart cards that blow up when you probe them, but the ancient Sumerian equivalent. Along with the tamper evident clay (once you’d baked it, no-one could change it), they developed a kind of virtual tamper evidence. It took the form of two sets of numbers. On the front of the tablet, each group of commodities would be recorded separately. The example Nick gives is that on the front of a tablet would be recorded 120 pots of wheat, 90 pots of barley, and 55 goats. On the reverse would simply be recorded “265”, the total (without categories). The scribe, or an auditor, would then verify that the sum was correct. If not, an error or fraud had occured. Note the similarity to tamper evident seals — if a seal is broken, this meant that error or fraud had occured. The breaker of the seals, or the scribe who recorded the wrong numbers, or the debtor who paid the wrong amounts of commodities would be called on the carpet to answer for his or her discrepancy. So there we go: clay seals for all Shell garages and the problem is sorted!

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

4 comments

  1. Reports on fraud show that the government and banks should realise that their data protection and Chip and PIN systems are failing to deter fraudsters.
    This shows that fraud will continue to grow until they exploit ID KEY system described on website http://www.xwave.co.uk to make signature and PIN systems reliable and foolproof.
    Fake documents have made our signature system unreliable while skimmers and pin-hole cameras etc. have made PIN system unreliable. We have option to make signatures reliable by personalising them with ID stickers and option to use Card Key Code to make PIN system reliable to make use of stolen and skimmed cards meaningless. By ignoring to exploit this system banks are only letting fraud crimes grow.
    ID KEY system will eliminate the need for us to protect our personal and card details since fraudsters will be deterred from misusing these stolen details.
    Proposed ID KEY can be treated as a reliable international ID card because it will personalise signature and PIN number to only the right individuals in any country.

  2. Small corrections
    > iCVV has been introduced from 1st January 2008
    Actually it was available from the very beginning of EMV migration however it was not (widely) used by the banks and was not mandated by payment systems. The question is why?
    >The ICVV varies from CVV by replacing the PAN Sequence Number with 99 instead of the actual value when deriving the code.
    Should be replaced with
    The iCVV varies from CVV by replacing the Service Code with 999 instead of the actual value when deriving the code.
    The actual algorithm doesn’t matter as the point is to have magnetic stripe image on chip different from magnetic stripe.
    iCVV doesn’t solve the problem of skimming of course but it makes it impossible to steal track data without cashier’s assistance (if magstripe reader is separate from chip reader as they usually are in attendant terminals)

  3. “The iCVV varies from CVV by replacing the Service Code with 999 instead of the actual value when deriving the code.”
    You are correct. I should have checked this before I posted rather than going from a faint memory.

  4. “So, on balance, Sandra wins!”
    Astounding statement, unless this is just sympathy at being tortured on national TV. So you have checked 3 out of how many card issuers?

Leave a Reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this: