Comments on: Chip-And-PIN Hack Is So Scary Because It Surprised No One http://storefrontbacktalk.com/securityfraud/chip-and-pin-hack-is-so-scary-because-it-surprised-no-one/ Techniques, Tools and Tirades about Retail Technology and E-Commerce Sun, 20 May 2012 01:49:40 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Howard http://storefrontbacktalk.com/securityfraud/chip-and-pin-hack-is-so-scary-because-it-surprised-no-one/comment-page-1/#comment-67279 Howard Tue, 23 Feb 2010 16:59:24 +0000 http://www.storefrontbacktalk.com/?p=4818#comment-67279 This hack has been available for over 8 years now. I doubt this should be a surprise to anyone. This hack has been available for over 8 years now. I doubt this should be a surprise to anyone.

]]> By: Steve Sommers http://storefrontbacktalk.com/securityfraud/chip-and-pin-hack-is-so-scary-because-it-surprised-no-one/comment-page-1/#comment-67278 Steve Sommers Tue, 23 Feb 2010 16:50:35 +0000 http://www.storefrontbacktalk.com/?p=4818#comment-67278 Was it undiscovered? And are we sure there are variations already in the wild? There have been many customer complaints of fraudulent activity with EMV and most were simply swept under the carpet and attributed to a failure of the cardholder without much investigation. Recently the EU shifted some of the burden of proof back to the banks and this was done prior to this Cambridge report. If the system is so secure, why the shift? Was it undiscovered? And are we sure there are variations already in the wild? There have been many customer complaints of fraudulent activity with EMV and most were simply swept under the carpet and attributed to a failure of the cardholder without much investigation. Recently the EU shifted some of the burden of proof back to the banks and this was done prior to this Cambridge report. If the system is so secure, why the shift?

]]> By: David Dorf http://storefrontbacktalk.com/securityfraud/chip-and-pin-hack-is-so-scary-because-it-surprised-no-one/comment-page-1/#comment-67249 David Dorf Tue, 23 Feb 2010 03:12:50 +0000 http://www.storefrontbacktalk.com/?p=4818#comment-67249 Long ago I used to write code for smart card terminals, including those that accepted EMV cards. Even with the imperfections, the chip-based systems are much more secure than mag-stripe. The fact that this particular hole went undiscovered for at least six years is actually pretty impressive. Although I don't know the specifics, I'm willing to bet this particular issue can be resolved in the terminal code without having to reissue all the cards. This is a great example of the importance of ethical hacking. Hats off to the Cambridge team. Long ago I used to write code for smart card terminals, including those that accepted EMV cards. Even with the imperfections, the chip-based systems are much more secure than mag-stripe. The fact that this particular hole went undiscovered for at least six years is actually pretty impressive. Although I don’t know the specifics, I’m willing to bet this particular issue can be resolved in the terminal code without having to reissue all the cards.

This is a great example of the importance of ethical hacking. Hats off to the Cambridge team.

]]> By: A reader http://storefrontbacktalk.com/securityfraud/chip-and-pin-hack-is-so-scary-because-it-surprised-no-one/comment-page-1/#comment-67016 A reader Fri, 19 Feb 2010 02:40:29 +0000 http://www.storefrontbacktalk.com/?p=4818#comment-67016 Mr. Bittner, How do you equate the failure of a developed-in-secret, 14-year-old cryptographic protocol with the adoption of object oriented programming, the recognition of design patterns, or the maturity of software engineering as a discipline? You are comparing oranges to a philosopher's left elbow -- the argument doesn't even parse. There were no software failures here, no code crashes being exploited nor buffer overrun attacks smashing stacks. This was a failure in the design and creation of a *protocol* that fell prey to being spoofed. No objects failed, because no objects were transmitted. This is 100% protocol design failure; and it can be blamed on the secretive nature of the original design process and the immature cryptographic skills of the original protocol designers. (Here's a hint for all you budding cryptographers: the best cryptographers know they aren't good enough by themselves. They always seek outside validation of their designs. Always.) The chips inside the smart cards don't even have the memory or the horsepower to support object oriented programming techniques. There aren't dynamic memory allocations. These are tiny 8-bit chips with about 1K of RAM, and the applications hand coded in assembler (or possibly C.) I'm sorry if you are uncomfortable with modern design techniques, object oriented languages, test-driven development, design patterns, or if you think programming should still be functional now because it was functional back when you first learned it. If you are interested in that kind of bare-metal programming, might I suggest embedded systems design? It's all about writing code for these tiny standalone processors, where every byte still matters and every cycle still counts. You even get style points for writing in assembler. :-) Mr. Bittner,

How do you equate the failure of a developed-in-secret, 14-year-old cryptographic protocol with the adoption of object oriented programming, the recognition of design patterns, or the maturity of software engineering as a discipline? You are comparing oranges to a philosopher’s left elbow — the argument doesn’t even parse.

There were no software failures here, no code crashes being exploited nor buffer overrun attacks smashing stacks. This was a failure in the design and creation of a *protocol* that fell prey to being spoofed. No objects failed, because no objects were transmitted. This is 100% protocol design failure; and it can be blamed on the secretive nature of the original design process and the immature cryptographic skills of the original protocol designers. (Here’s a hint for all you budding cryptographers: the best cryptographers know they aren’t good enough by themselves. They always seek outside validation of their designs. Always.)

The chips inside the smart cards don’t even have the memory or the horsepower to support object oriented programming techniques. There aren’t dynamic memory allocations. These are tiny 8-bit chips with about 1K of RAM, and the applications hand coded in assembler (or possibly C.)

I’m sorry if you are uncomfortable with modern design techniques, object oriented languages, test-driven development, design patterns, or if you think programming should still be functional now because it was functional back when you first learned it. If you are interested in that kind of bare-metal programming, might I suggest embedded systems design? It’s all about writing code for these tiny standalone processors, where every byte still matters and every cycle still counts. You even get style points for writing in assembler. :-)

]]> By: R Dallaire http://storefrontbacktalk.com/securityfraud/chip-and-pin-hack-is-so-scary-because-it-surprised-no-one/comment-page-1/#comment-66931 R Dallaire Thu, 18 Feb 2010 16:15:11 +0000 http://www.storefrontbacktalk.com/?p=4818#comment-66931 Sure, you may hide all the cables but the setup will be obvious if you are wearing a T-Shirt. ;) EMV has to fix this. I don't know if the same issue has been raised in Canada. Sure, you may hide all the cables but the setup will be obvious if you are wearing a T-Shirt. ;)

EMV has to fix this. I don’t know if the same issue has been raised in Canada.

]]> By: R Dallaire http://storefrontbacktalk.com/securityfraud/chip-and-pin-hack-is-so-scary-because-it-surprised-no-one/comment-page-1/#comment-66926 R Dallaire Thu, 18 Feb 2010 16:08:02 +0000 http://www.storefrontbacktalk.com/?p=4818#comment-66926 I worked on EMV project in Canada. EMV is better than plain MSR card. No doubt. This is not marketing "gimmick". The Cambridge/BBC video shows a guy using a Netbook PC and an EMV "test card" hooked on a stolen EMV card. Sure, you may hide all the cables I worked on EMV project in Canada. EMV is better than plain MSR card. No doubt. This is not marketing “gimmick”.

The Cambridge/BBC video shows a guy using a Netbook PC and an EMV “test card” hooked on a stolen EMV card. Sure, you may hide all the cables

]]> By: bill bittner http://storefrontbacktalk.com/securityfraud/chip-and-pin-hack-is-so-scary-because-it-surprised-no-one/comment-page-1/#comment-66889 bill bittner Thu, 18 Feb 2010 14:11:44 +0000 http://www.storefrontbacktalk.com/?p=4818#comment-66889 This hack demonstrates a much larger vulnerability that goes way beyond payment authorization. As software design has moved to “object oriented” designs that encapsulate data and processes along with the whole concept of “stateless objects” the “man in the middle” or wedge attack becomes much easier. This could really happen in any situation. Just as we are hearing more about cyber attacks from overseas, we are using software design techniques that make our systems more vulnerable. Better get a kerosene lamp. This hack demonstrates a much larger vulnerability that goes way beyond payment authorization. As software design has moved to “object oriented” designs that encapsulate data and processes along with the whole concept of “stateless objects” the “man in the middle” or wedge attack becomes much easier. This could really happen in any situation. Just as we are hearing more about cyber attacks from overseas, we are using software design techniques that make our systems more vulnerable. Better get a kerosene lamp.

]]>