I'm having a surprising amount of trouble finding this information online: does the "chip" include some functionality (maybe called iCVV or dCVV) that allows it to individually "sign" transactions using internal secret keys, or does it not? This was my understanding of why the new system was supposed to be safer.
If the answer is yes, secret keys that never leave the chip are used to sign each transaction and the signature is verified by the bank, I'm not sure how these "shimmers" would be useful, since the secret key would presumably not be compromised and so the shimmer may obtain some data identifying the card and transaction but not the ability to sign new transactions. If the answer is no, none of this is happening, then I'm not sure what the point of the switch was in the first place.
Maybe the answer is something in between? Banks suck, so they've implemented chip cards in a half-assed way with gaping security holes?
The answer is yes, most chip cards can do public key cryptography to sign a transaction without compromising the secret key burned in.
Also, more frequently than I would wish banks or payment processors ask payment terminal operators for a "simpler", meaning less secure, transaction protocol. Most often it's for compatibility with some legacy system from the 80's somewhere in their payment validation backend.
From my experience in the industry, this happened very rarely in Europe but considerably more often in the Americas and Middle East.
It's not the cost of conversion, it's that the fraud just vanishes in the insane rents American credit card processors extract. In the EU, these fees are limited to 0.3% for CC and 0.2% for debit cards, so there is less margin to just keep paying the fraudsters instead of updating systems.
Notably, the article is from Canada. Here in Canada virtually all retailers have been using chip+pin for a good number of years now. The same in the UK, where they have been using it for over 10 years. Retailers have to use chip+pin to avoid fraud liability.
In the USA, however, a lot of retailers were still using signatures up until a year or two ago. It seems to be only in the last year that retailers are starting to move to chip+pin. I think it is simply the large number of credit card terminals, and the cost of upgrading them all.
They are not moving to chip and pin, but chip and signature: very different.
Now, the internet being a bigger share of retail every year, chip and pin is not an improvement: what we need is 2FA across the board. You have my CC number? Great. Without my 2FA secret, you won't be able to charge me anyway.
This 2FA beats a pin, and would make payment fraud so much smaller, it'd become a minor thing, but good luck finding a bank in the US offering such feature for all charges.
>They are not moving to chip and pin, but chip and signature: very different.
No, that's not quite true. They are moving to chip+pin, but some card issuers are not currently issuing PINs. However the machines themselves fully support chip+pin (and I can confirm this, as most places in the USA now require me to enter a PIN for my card).
And even if you want a PIN for your card, the credit card company doesn't know how to give it to you. Last summer, before I went to a conference in Canada, I called all 3 of my credit cards' customer service departments trying to get a PIN (American Express, Discover, MasterCard), and none of them would issue a PIN for my chipped card. I don't think any of the CSRs even knew what I was talking about. One even told me that PINs were "just for debit cards". Sigh.
Some European banks implement that second factor, although most commonly using an SMS or phone call.
Mine only does it when the transaction is large, or unusual. I get a call asking me to confirm the transaction. Maybe they ask some other information, I can't remember.
I've only had it happen for over-the-phone purchases, and when using a debit card to transfer about £5000 via TransferWise.
I haven't been to the USA for a while, and most other countries have a working (not new) Chip+PIN system, but I assume magstripe transactions would be considered higher risk too.
It's been easy for me - I call my bank ahead of time and tell them where I'll be going, the duration of my stay and my number while I'm there. They usually ask for a backup number just in case I'm not reachable.
Actually the major card companies set deadlines and have all now shifted the liability for swiped transactions onto the retailers. So it's up to them to get their systems updated if they want protection.
The only exception currently is for gas pumps, for which the liability shift has been extended until 2020.
This sounds like the attack presented at DEFCON 19 (in 2011!): https://www.defcon.org/images/defcon-19/dc-19-presentations/.... Basically, the chip used to contain all the information present on the magstripe, which made it easy to create a copy of the magstripe via the chip interface.
From the issuer side, the solution to remove this risk is simple (and I believe I was told it in an EMV implementation seminar 10 years ago):
If the incoming transaction lists that the terminal is chip&pin capable, you'd simply automatically reject a magstripe transaction with a code that should result in the POS showing "please insert card in the chip reader";
If the incoming transaction lists that the terminal is not chip&pin capable, the merchant has chosen to be liable for all fraud cases themselves, so it can't cause a loss for you and your customers. It is an inconvenience, but as all the fraud in the country concentrates on the (fewer and fewer) merchants accepting these transactions, it causes an increasing financial pressure on them to switch.
If you try to swipe a chip card then yes, the terminal will reject the swipe and tell you to insert the chip. If your chip fails three successive tries, the terminal will accept a mag swipe instead. I don't know if this is true everywhere but I have seen it in multiple retailers across the US. Point is, if attackers are cloning mag cards from chip data, those cards can still be used in chip terminals.
That can be true, but then the transaction is considered "fallback" and most issuer banks that have any brains will be examining these very closely with their real time fraud systems. Some deny fallback outright, but I am not sure if this is within scheme rules, it may depend on the region.
They have to know for fraud investigation. I believe it's also why many companies can't upgrade: they need a new POS that can log the transaction as stripe, chip or NFC/Apple Pay
This is interesting. I would totally believe that with the information you can intercept passing between the chip and the reader, you could in some cases construct magnetic stripe data that would be recognized as valid.
It kinda seems like the magnetic stripe system should be completely separate from the chip system. Make it so that the card ID (or whatever) reported by the chip can never be used for swipe transactions, and vice-versa. Combining them just seems to cross-product-ify the attack surface, which is dumb.
In France it always has been 100% chip & pin, but if you have hardware like this device between your card and the card reader, it can apparently intercept any signal, including the PIN code.
I don't know exactly how the protocol works or how they get the PIN, but they get it according to this article. (would it be possible to implement a SSL-like protocol to avoid this type of MitM attack?)
An old school version of this would be installing a camera on top of your ATM and recording your card data with the stripe, which as you say would be the stripe's fault, but here they get the information and the PIN simply from the shimmer, which looking at the picture shows only a chip connector.
Then a fraudster can duplicate the card exactly, and use the duplicate with the same pin at a random ATM across the world.
I think this is why banks can block your card if you didn't warn them about going abroad, as they're unable to tell if this is your card or a replica of your card used by a fraudster.
In a proper EMV solution, hardware like this can not intercept the PIN code even if it can interpret any signal, as the unencrypted PIN is not sent anywhere beyond the keypad - even if you do MITM on the wires between the keypad and POS terminal, you would get only an encrypted version that then gets sent to the bank for online verification or to the chip for offline verification. You can get the PIN code by cameras or extra keypad on top of the real keypad, as sometimes is done for ATM skimming.
Furthermore, they can't get the card private keys in this manner, so they can't duplicate the card chip, only its magstripe; and they are definitely able to tell if a replica of your card is suddenly used in a magstripe-only mode. This means that it's a problem, as the parent post said, "only for countries like USA which have not completed the move from magnetic readers" because otherwise you can simply reject any transactions that might use a cloned magstripe.
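What the chip actually does when it "signs" a transaction, as an added illustration of the point above (example code written for this page, not code from anyone in the thread): the online cryptogram (ARQC) is a symmetric retail MAC (ISO 9797-1 algorithm 3 with 3DES), keyed with a session key derived from the card's master key and its application transaction counter, over data the terminal supplies, including a per-transaction unpredictable number. The card's RSA key is used for offline data authentication, not for this. The master key value, the session-key derivation layout and the transaction fields below are simplified assumptions. A shimmer that records the exchange ends up with one cryptogram bound to one unpredictable number and one ATC; the issuer rejects it when replayed at another terminal or a second time at the same one.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// ICC master key shared by the card and the issuer. Made-up test value; in a
// real deployment it is personalised into the chip and never leaves it.
var iccMasterKey, _ = hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")

// desOp runs single DES on one 8-byte block (ECB, one block only).
func desOp(key, in []byte, decrypt bool) []byte {
	c, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out
}

// tdesEncrypt is two-key 3DES (EDE) on a single block.
func tdesEncrypt(key16, in []byte) []byte {
	r := desOp(key16[:8], in, false)
	r = desOp(key16[8:], r, true)
	return desOp(key16[:8], r, false)
}

// sessionKey derives a 16-byte session key from the master key and the ATC,
// in the shape of the EMV common session key derivation:
// left = 3DES(MK, ATC||F0||00..), right = 3DES(MK, ATC||0F||00..).
func sessionKey(mk []byte, atc uint16) []byte {
	d := make([]byte, 8)
	binary.BigEndian.PutUint16(d, atc)
	d[2] = 0xF0
	left := tdesEncrypt(mk, d)
	d[2] = 0x0F
	right := tdesEncrypt(mk, d)
	return append(left, right...)
}

// retailMAC is ISO 9797-1 MAC algorithm 3: pad with 0x80 then zeros to a
// multiple of 8, DES-CBC with the left key over every block, then decrypt the
// result with the right key and re-encrypt with the left key.
func retailMAC(key16, data []byte) []byte {
	msg := append(append([]byte{}, data...), 0x80)
	for len(msg)%8 != 0 {
		msg = append(msg, 0x00)
	}
	state := make([]byte, 8)
	for i := 0; i < len(msg); i += 8 {
		for j := 0; j < 8; j++ {
			state[j] ^= msg[i+j]
		}
		state = desOp(key16[:8], state, false)
	}
	state = desOp(key16[8:], state, true)
	return desOp(key16[:8], state, false)
}

// Txn is a simplified subset of the data the terminal sends with GENERATE AC.
type Txn struct {
	Amount              uint32 // minor units
	UnpredictableNumber uint32 // chosen fresh by the terminal for each transaction
	ATC                 uint16 // incremented by the card for every transaction
}

func (t Txn) bytes() []byte {
	b := make([]byte, 10)
	binary.BigEndian.PutUint32(b[0:], t.Amount)
	binary.BigEndian.PutUint32(b[4:], t.UnpredictableNumber)
	binary.BigEndian.PutUint16(b[8:], t.ATC)
	return b
}

// CardGenerateARQC is the card side: derive this transaction's session key and
// MAC the transaction data. Only the 8-byte cryptogram crosses the contacts.
func CardGenerateARQC(t Txn) []byte {
	return retailMAC(sessionKey(iccMasterKey, t.ATC), t.bytes())
}

// Issuer recomputes the cryptogram and remembers the highest ATC seen, so a
// recorded (transaction, ARQC) pair cannot be submitted twice.
type Issuer struct{ lastATC uint16 }

func (is *Issuer) Verify(t Txn, arqc []byte) bool {
	if t.ATC <= is.lastATC {
		return false
	}
	if !bytes.Equal(retailMAC(sessionKey(iccMasterKey, t.ATC), t.bytes()), arqc) {
		return false
	}
	is.lastATC = t.ATC
	return true
}

func main() {
	is := &Issuer{}
	genuine := Txn{Amount: 4250, UnpredictableNumber: 0x1A2B3C4D, ATC: 7}
	arqc := CardGenerateARQC(genuine)
	fmt.Println("genuine transaction:", is.Verify(genuine, arqc))
	// A shimmer recorded (genuine, arqc); a fraudster replays it elsewhere,
	// where the terminal picks its own unpredictable number.
	replay := Txn{Amount: 4250, UnpredictableNumber: 0x99887766, ATC: 7}
	fmt.Println("replayed at another terminal:", is.Verify(replay, arqc))
	fmt.Println("replayed verbatim:", is.Verify(genuine, arqc))
}
```

The point of the design is visible in `Verify`: without the master key the shimmer cannot derive the session key for a new ATC, and the issuer's ATC high-water mark makes even a verbatim copy of a captured exchange worthless. What the shimmer does get is the clear-text Track 2 Equivalent Data the card returns, which is why the thread keeps coming back to magstripe fallback.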
Defcon 24 vid about skimming EMV cards at ATMs and withdrawing cash from the skimmed account at a different remote ATM (cashout): https://m.youtube.com/watch?v=FgIk_oIK2SM
That being said, this doesn't allow duplicating a card (it relays the fraudulent transaction in real time to the real card while it's stuck into compromised hardware), the PIN is captured from video or the "la-cara" device, and you do need to have the "extracting" device mounted to a real ATM for prolonged periods until you can empty it (you can do it only as fast as the real transactions come in, and they do so at unpredictable intervals), which gives a nice opportunity to capture the involved people. It's a very powerful proof of concept, but harder to scale than the current "cashout crews"/mules - the logistic problems are somewhat comparable to the classic approach of setting up a completely fake ATM.
Not all terminals in the States support chip functionality, so for the time being chip & pin cards here still have normal mag stripes and can be run as older, regular cards - the mag stripes can still be read/stolen & used.
IMO it's super dumb that we're going through the whole business of replacing card readers to get chip support but NOT getting pin requirements. I've had a few CCs stolen from my mailbox (apartment with a large shared mailbox with simple padlocks). The new chip-only doesn't protect against this at all. MasterCard SecureCode was also a step in the right direction IMO, but the adoption rate seems very low. Basically, I want to require a second factor for every purchase. There's no way to do that right now with US cards that I know of. Debit cards can do it in person, but the fraud liability is different from CCs, and I don't get the fat 3% back or help my credit score. The best option online seems to be PayPal, which again loses the CC benefits. Thus, I just accept the inconvenience of getting my CC stolen a few times per year, since I'm not liable for the fraud, but it makes me cringe how this is currently the best solution available because of how messed up the incentives in the payment industry are here.
Given that the transition from magstripe to chip-and-sign hasn't been so smooth (confusion among customers and cashiers for a few months), I can see why we haven't moved towards it yet. Merchants would be more nervous about additional lost sales because of customers not knowing what to do or not being used to having to memorize PINs for their credit cards.
PINs really only just deter someone from physically stealing your card and then using it, so until card theft becomes a problem, I don't think we're going to be moving to chip-and-PIN any time soon.
(On the bright side, Android/Apple Pay are generally good enough to function as chip-and-pin: it's as secure as a chip card, and don't allow thieves to use your cards unless they're either sophisticated enough to get past the fingerprint sensor, or they know your passcode. It's just a bit awkward to set up.)
My current bank considers a purchase using a PIN to be sufficient for automatic instant activation of the card. I was surprised given my previous bank required a phone call to confirm my identity. I guess the policy varies from bank to bank.
And it's unlikely that this will change anytime soon due to the lack on incentives on all sides.
Funny as it may be my debit card for some reason has a $500 (unmodifiable) limit on chip&pin purchases, but it has no such limit for swipe purchases. When I asked them how that is more secure, I got a verbal shoulder shrug.
Banks are in the business of underwriting. I believe at least on the corporate level they probably don't like the idea of fully secure, verifiable payments, because that would mean you don't need them anymore.
Banks are also in the business of storing your money, transferring your money, and lending you money. Note that "storing" here is actually "letting the bank invest the money". I don't think any of these activities are undermined by completely verifiable purchase transactions.
Can you explain what you mean by "unmodifiable"? I have a limit, but on the banks app and website I can lower it (and I keep it very low) in the hope that any issues I have would be limited by this. Is this not actually worth doing?
That's true, but the shimmers in question clearly have smart card pins. What you're describing is the traditional skimmer; a shimmer is not merely a thinner skimmer.
These devices read the data between the chip and the terminal. This would be fine, if payment processing consistently used iCVV/EMV, but it turns out they don't.
I have not had the largest confidence in banks abilities to understand security. I've personally dealt with:
1) 'Two factor auth is on, you have to answer two security questions to access your account!'
2) 'Your password is limited to exactly 8 characters ... for security'
3) 'Oh, we now support SMS two factor auth' -- 4 months in, I've received 1 SMS challenge
4) 'You don't want a chip card, they are more hassle'
5) 'We allow systems like Mint to access your account when you have 2 factor auth on. No, you cannot opt out.'
Yeah, don't have the highest confidence that my bank(s) actually understand how to keep things safe.
Ugh! This is my pet peeve. My brokerage house will reset your password (which is fine) and convert your account back to single factor authentication (which is... WTF?!) if you answer the security questions over the phone. What was the point of getting that stupid fob when any idiot can bypass it if he knows my mother's maiden name?
> 'You don't want a chip card, they are more hassle'
I got exactly that line fairly recently. To be fair, it probably is much more of a hassle from what I've heard, so they're not wrong, exactly. It seems like the chip+pin rollout has been bungled pretty terribly.
This happened to me recently when my card data was stolen in a very respectable place where I've been a long time patron. It was a totally unpleasant surprise. Right the next day the fraudulent transactions on my card started to pop up all over the world - Beijing, North Carolina, etc. My bank promptly blocked the card - but I had to deal with the pain of calling in, going over my transactions list, verifying my identity and then waiting 2 weeks for a new card in the mail.
Future tip: If you really need the card (or even if you don't), you can usually get the replacement card overnighted to you if you're insistent on the phone, at least in my experience.
Lots of comments here about magstripes and the failure of the US banks to get rid of them. Funny thing about that is this is a Canadian article about this happening in Canada, and shimmers actually steal data off chips - not magstripes.
Why would they do this? The assumption is that the thieves plan to use the chip data to create fake magstripe card or make online purchases somewhere that the CVV is not checked. Not checking the CVV is a complete failure, and apparently for once it's not a US failure (unless the thieves are targeting tourists??).
The article is light on specifics, but my Canadian chip card will normally reject stripe transactions in Canada (or it did the last time I saw a stripe machine, several years ago), but happily perform them when I cross into the US.
So one possibility is that they're stealing magstripe data off the chips for cloning and use in the US banking system.
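The iCVV point raised in this comment and in the earlier one about shimmers ("This would be fine, if payment processing consistently used iCVV/EMV, but it turns out they don't"), as an added worked example written for this page and not taken from the thread: the standard CVV/CVC1 algorithm in Go, run once with the stripe's real service code and once with the 999 service code that the chip's Track 2 Equivalent Data is personalised with. An issuer that recomputes the CVV from the fields as they were swiped rejects a stripe forged from chip data; an issuer that skips the check accepts it. The CVK values, PAN, expiry and the position of the CVV inside the discretionary data are made-up assumptions.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// CVK A and CVK B: the two single-length DES keys the issuer keeps in its HSM.
// Made-up test values, not real issuer keys.
var cvkA, _ = hex.DecodeString("0123456789ABCDEF")
var cvkB, _ = hex.DecodeString("FEDCBA9876543210")

// desBlock runs single DES on one 8-byte block.
func desBlock(key, in []byte, decrypt bool) []byte {
	c, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out
}

// GenerateCVV is the Visa CVV / Mastercard CVC1 algorithm: PAN || YYMM ||
// service code, zero-padded to 32 hex digits and split into two 8-byte blocks;
// DES(A, CVK-A) XOR B; 3DES(CVK-A, CVK-B) of that; then decimalised.
// The iCVV is the same computation with the service code replaced by 999.
func GenerateCVV(pan, expiryYYMM, serviceCode string) (string, error) {
	data := pan + expiryYYMM + serviceCode
	if len(data) > 32 {
		return "", fmt.Errorf("input too long: %d hex digits", len(data))
	}
	data += strings.Repeat("0", 32-len(data))
	raw, err := hex.DecodeString(data)
	if err != nil {
		return "", err
	}
	blockA, blockB := raw[:8], raw[8:]

	r := desBlock(cvkA, blockA, false)
	for i := range r {
		r[i] ^= blockB[i]
	}
	r = desBlock(cvkA, r, false)
	r = desBlock(cvkB, r, true)
	r = desBlock(cvkA, r, false)

	// Decimalisation: decimal digits first, left to right, then A-F as 0-5.
	h := strings.ToUpper(hex.EncodeToString(r))
	var digits strings.Builder
	for _, ch := range h {
		if ch >= '0' && ch <= '9' {
			digits.WriteRune(ch)
		}
	}
	for _, ch := range h {
		if ch >= 'A' && ch <= 'F' {
			digits.WriteRune('0' + (ch - 'A'))
		}
	}
	return digits.String()[:3], nil
}

// Track2 holds the fields an issuer sees in a swiped transaction.
type Track2 struct{ PAN, Expiry, ServiceCode, CVV string }

// ParseTrack2 parses ISO 7813 track 2 ("PAN=YYMMSSSdiscretionary"). Where the
// CVV sits in the discretionary data is issuer-defined; assumed here to be the
// last three digits.
func ParseTrack2(t string) (Track2, error) {
	parts := strings.SplitN(t, "=", 2)
	if len(parts) != 2 || len(parts[1]) < 10 {
		return Track2{}, fmt.Errorf("malformed track 2")
	}
	rest := parts[1]
	return Track2{PAN: parts[0], Expiry: rest[:4], ServiceCode: rest[4:7], CVV: rest[len(rest)-3:]}, nil
}

// IssuerAcceptsSwipe is the issuer-side check a shimmer cannot beat: recompute
// the CVV from the service code actually on the stripe and compare. Chip data
// carries an iCVV (service code 999), so a stripe forged from it mismatches.
func IssuerAcceptsSwipe(track string) bool {
	t, err := ParseTrack2(track)
	if err != nil {
		return false
	}
	expect, err := GenerateCVV(t.PAN, t.Expiry, t.ServiceCode)
	return err == nil && expect == t.CVV
}

// BuildTrack2 personalises a track with the given service code, using either
// the stripe's real CVV or (useICVV) the value the chip would hand out.
func BuildTrack2(pan, expiry, serviceCode string, useICVV bool) string {
	sc := serviceCode
	if useICVV {
		sc = "999"
	}
	cvv, _ := GenerateCVV(pan, expiry, sc)
	return pan + "=" + expiry + serviceCode + "000000" + cvv
}

func main() {
	pan, exp := "4111111111111111", "2012" // constructed test card, not a real account
	genuine := BuildTrack2(pan, exp, "201", false)
	cloned := BuildTrack2(pan, exp, "201", true) // stripe written from shimmed chip data
	fmt.Println("genuine stripe accepted:", IssuerAcceptsSwipe(genuine))
	fmt.Println("chip-derived clone accepted:", IssuerAcceptsSwipe(cloned))
}
```

An issuer or processor that does not recompute the CVV, or that accepts whatever three digits arrive, is the "half-assed" case the thread describes: the clone is indistinguishable from the real stripe and only the fallback and geography heuristics mentioned above are left.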
> "Businesses really need to be checking for these kinds of devices and consumers need to be aware of them."
Disagree. Consumers and businesses (ultimately) pay the interchange fees, and this class of problem is the domain of payment infrastructure providers. I'm not interested in keeping vigilant against the latest exploit, and unless the responsibility for dealing with the problem lies with credit card networks and processing gateways they'll have no reason to stop rolling out crappy easily-owned payment tech.
So at some level there is an issue with the "inside" aspect of card readers. If you had four guide posts and you just pressed your card against the pogo pins would it make it harder to interpose?
Agreed, this type of device could be easy to detect with some simple upgrades to the card readers. However, the cost of upgrading card reader hardware at all vulnerable banks and retailers is unlikely to be small.
Many businesses in the USA have recently upgraded or will be soon... It would be a shame if they installed new terminals that were flawed from the start.
Can we not make certain parts of the ATM from a transparent material, like clear plastic? I'm thinking it would be more obvious when the keypad or card slot have been tampered with.
Probably not normal people using cards, but it wouldn't be hard to train cashiers/managers what to look for. However, this would probably just lead to shimmers made out of clear plastic
Thanks for this - I was wondering how they got the PIN considering plain text offline PIN has been deprecated for years. My understanding is that the liability shift is in effect for plaintext PINs, but maybe not in the NA/Canada region.
I haven't actually physically inserted my card into a machine for at least 2 years now. It's contactless everywhere. If the transaction is more than ~$50 it just asks for my pin and that's it. Maybe we should just introduce this everywhere and then see how criminals can possibly break it?
I'm assuming you're not in the US? I used to have contactless cards on all my accounts until they started rolling out chip cards, at which point they sent me replacements with chips but no contactless functionality. I've considered calling the issuers to see if they can still get me one, but I dread the thought of trying to explain the difference between a chip card and a contactless card - it was hard enough the first time before chip cards became a thing!
Contactless is even less secure than chip and pin. You can literally read card details out of someone's wallet without them having any way to tell. Even if someone uses a wallet that guards against this sort of attack, they're still vulnerable at the point of use.
That's RFID. Yeah, you can read that with a $5 reader off ebay.
I'm talking about Visa PayWave/Mastercard PayPass - both work through NFC and won't surrender any data to a normal reader, you need an authorized terminal that can give an authorization key valid for a given time. There were some attacks against it, but you can't just swipe a card through a wallet, it's extremely time sensitive and requires access to a valid terminal.
Usually, you would limit the contactless transactions and ask for a PIN for higher amounts. E.g. you could ride the subway trying to scan people's cards, but if you have the skills to do that, you'd probably be better off doing something else.
Keep on waiting. Every single transaction method has been broken. If not the method itself, the environment in which it has been used.
Your personal experience is not a valid scientific reasoning. If it was: "I have not used more than maestro cards and my 4-digit pin in 4 years. I did not have a single fraudulent transaction for 4 years now. [...] Maybe we should just use this everywhere!"
I would argue that numbers skimmed from retail stores are the stores' responsibility. Even in a large store there aren't that many POSs. They should have a procedure for checking the POS before close or on open.
I don't know the details, but there are probably many possible ways to get the PIN, since it's getting entered right then and there. A smartcard is a small computer, but the connection to it from the terminal is probably not that secure and can be read somehow, side-channels or directly.
The card decides if the PIN is correct, but it might be possible to record all the PINs that were tried.