How Smartcard Payment Systems Fail

155,220 views

Black Hat

1 day ago

By Ross Anderson
"The USA is starting to introduce EMV, the Europay-Mastercard-Visa system for making payments using chip cards instead of the old mag strip variety. EMV is already in wide use in Europe, and has started to appear in countries from Canada to India.
In theory, smartcards should have reduced fraud by making bankcards much harder to copy and by enabling banks to authenticate users at the point of sale using PINs rather than signatures. The practice has been different. In Britain, for example, fraud first went up, then down, and is now headed upwards again. There have been many fascinating attacks, which I'll describe. The certification system wasn't fit for purpose, so terminals that were certified as tamper-resistant turned out not to be. We even saw Trojans inserted in the supply chain. A protocol flaw meant that a crook could use a stolen card without knowing the PIN; he could use a man-in-the-middle device to persuade the terminal that the card had accepted the PIN, while the card was told to do a signature-only transaction. Merchant refunds were not authenticated, so a crook could pretend to the bank that he was a merchant, and credit his card back after making a purchase.
The most recent series of attacks exploit the freshness mechanisms in the EMV protocol. To prevent transaction replay, the terminal generates an "unpredictable number" while the card supplies an "application transaction counter" or ATC that is supposed to increase monotonically and never repeat. Yet the unpredictable numbers often aren't (in many of the terminals we looked at, they seem to be just counters) while many banks don't bother to check the ATC, as writing code to deal with out-of-order offline transactions is too much bother. As a result, we've seen some interesting attacks where cardholders unlucky enough to shop at a dishonest merchant find themselves dunned for a lot of large transactions later. In fact these "preplay" attacks behave just like card cloning, and make all the fancy tamper-resistant electronics almost irrelevant.
At heart these are problems of governance and regulation. The vendors sell what they can get away with; the acquiring banks dump liability on merchants and card-issuing banks; they in turn dump it on the cardholder where they can; and the regulators just don't want to know as it's all too difficult. This wonderful system is now being rolled out at scale in the USA."
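The two freshness checks the abstract describes, as an added example (not code from the talk or its author): an issuer-side ATC replay window that still accepts late offline transactions, and a per-terminal test for "unpredictable numbers" that are really counters. Terminal labels and the transaction stream are constructed sample data.

```python
"""Issuer-side freshness checks for the two EMV values the talk describes:
the card's application transaction counter (ATC) and the terminal's
'unpredictable number' (UN).  All sample data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Txn:
    terminal: str  # terminal label (constructed, not a real terminal ID)
    atc: int       # card's ATC: must increase and never repeat
    un: int        # terminal's 32-bit UN: should be unpredictable


def un_is_predictable(uns, min_samples=4):
    """True if every successive UN from one terminal differs by the same
    constant (a counter, or a UN that never changes).  Genuinely random
    32-bit values essentially never show a constant step."""
    if len(uns) < min_samples:
        return False  # too few samples to judge
    steps = {(b - a) & 0xFFFFFFFF for a, b in zip(uns, uns[1:])}
    return len(steps) == 1


class AtcTracker:
    """Sliding replay window for one card's ATC, in the style of the IPsec
    anti-replay window: an out-of-order offline transaction is accepted as
    long as its ATC is recent and has never been seen, so late offline
    transactions are no reason to skip the check."""

    def __init__(self, window=64):
        self.window = window
        self.highest = -1   # highest ATC accepted so far
        self.seen = set()   # accepted ATCs still inside the window

    def check(self, atc):
        """Return (accepted, reason); records the ATC when accepted."""
        if atc in self.seen:
            return False, "replayed ATC"   # preplay / clone signature
        if atc <= self.highest - self.window:
            return False, "ATC older than window"
        self.seen.add(atc)
        if atc > self.highest:
            self.highest = atc
            floor = self.highest - self.window
            self.seen = {a for a in self.seen if a > floor}
        return True, "ok"


def audit(txns, window=64):
    """Run both checks over one card's transaction stream.  Returns a list
    of (index, terminal, reason); index is None for per-terminal alerts."""
    alerts = []
    tracker = AtcTracker(window)
    uns_by_terminal = defaultdict(list)
    for i, t in enumerate(txns):
        ok, why = tracker.check(t.atc)
        if not ok:
            alerts.append((i, t.terminal, why))
        uns_by_terminal[t.terminal].append(t.un)
    for term, uns in uns_by_terminal.items():
        if un_is_predictable(uns):
            alerts.append((None, term, "terminal UN looks like a counter"))
    return alerts


# Constructed sample stream for one card seen at two terminals.
SAMPLE = [
    Txn("T-COUNTER", 10, 0x00000101),
    Txn("T-COUNTER", 11, 0x00000102),
    Txn("T-RANDOM", 12, 0x9F3B21C7),
    Txn("T-COUNTER", 13, 0x00000103),
    Txn("T-RANDOM", 9, 0x02E7A1D4),   # late offline txn, unseen ATC: accepted
    Txn("T-RANDOM", 11, 0x77C0D9AE),  # ATC 11 already used: rejected
    Txn("T-COUNTER", 14, 0x00000104),
    Txn("T-RANDOM", 15, 0x1BD4F0E2),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE):
        print(alert)
```

Running the block reports the replayed ATC at index 5 and flags T-COUNTER, whose UNs step by exactly 1, while T-RANDOM's late transaction with ATC 9 is accepted.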

COMMENTS: 142
@mandisaplaylist 5 years ago
20:23 "If you let a couple of bright research students loose on a tamper proof terminal, it often doesn't stay tamper proof for very long" :D
@JasperJanssen 4 years ago
It’s a specialized version of “the world will provide a bigger fool”.
@nicolek4076 6 years ago
How nice to see someone who is so confident of their credentials that he does not need to justify his presence at this conference for five minutes before he starts on the meat of his presentation!
@OsmoZchannel 5 years ago
"Ross Anderson of the House Cambridge, the First of His Name, The CC pwner, King of the Kernels, the Whitehat and the Blackhat, King of Cryptology, Lord of the Great Database, Protector of the Payment systems, Father of security."
@gordslater 5 years ago
The long periods of audience silence while he talks speak volumes. Scary stuff that affects almost all of us (except probably the audience, both there and viewing the vid later). Sadly, I doubt much has improved since this presentation :( One of the best ever presentations I've seen - very wide-ranging and going back many years of research.
@HappyfoxBiz 5 years ago
Since this presentation Australian banks have been looking into confirmation calls for out of the ordinary transactions, for example I got a call when I purchased $1,000 worth of goods from an online merchant when I usually spend less than $30 per transaction at brick and mortar stores. They then get calls when their cards are used in physical locations overseas, they are also able to put limitations so that the cards can only be used in Australia and online, not through terminals internationally.... This is not foolproof, but it is a better start. They do however give calls when there are double transactions happening at the same time, for example, you pay for parking and a pizza at the exact same time
@Studio23Media 4 years ago
Happy Fox In America, I've had my card info stolen 3 times since we switched to chip and PIN cards. All 3 times I found out when my bank called me with fraud alerts. Whatever algorithms they use to detect fraud seem to work fairly well. I got the money back every time.
@shiva_upasaka 4 years ago
@OsmoZchannel that's awesome. Gave me a good laugh
@JeanQPublique 5 years ago
£5.00 for a bottle of water!?!? That's the real crime here.
@Androidonator 4 years ago
Nestle water isn't a right.
@FreeStuffPlease 4 years ago
Strip clubs make you buy a drink and even if you want water it's $5.
@LORD_DANZILA 4 years ago
@mPky1 basically they sell tap water. If it's mineral.
@konatadesuka 4 years ago
The minute they showed an Ingenico terminal, I couldn't help but laugh. The ones used in Latin America are manufactured in Brazil by Jabil and the keypad tamper points are bridged with a solder ball at the factory because merchants usually bump them or they fall from the desk, activating the tamper alarm and rendering the terminal useless.
@Jmixup 4 years ago
The officer who refused a $35,000 bribe is a credit to the human race. That's one hell of a number to turn down just for walking away.
@yangosakurai7505 2 years ago
Yes sir. I'm not a fan of A LOT of stuff that goes on within law enforcement, but that makes me extremely grateful for the truly good officers out there. If they all operated like that I think we would be amazed by the impact it would have on society
@skavossis5377 4 years ago
"Oh bad guys aren't smart enough" Oh, the hubris of these companies never ceases to amaze.
@sandwich2473 11 months ago
I think that they know already, though they think that we don't know they know :P
@GoldPhoto 5 years ago
Great talk! I love Dr. Anderson's work with Computerphile, very well spoken. I think the only skill he needs to know is that when you talk at a hacker conference you need a pause after you say how you compromised something. It's not for pride; you can tell the audience is just waiting to clap, they need it.
@Lectwar6 4 years ago
"zipzap machines" That's one of the most British things I've ever heard.
@KermitFrazierdotcom 4 years ago
Keaton Django ☆ You can rest assured there is a huge warehouse near Amarillo with millions of these archived in case of Nuclear War.
@SkinnyCow. 3 years ago
also known as "click clack" machines
@marcusbk7317 2 years ago
Or knuckle-busters
@reubenmckay 5 years ago
Would be interesting to see an update on this now that the UK has rolled out contactless payments....
@Night_Hawk_475 4 years ago
I had a bank chip&pin credit card which was used fraudulently. I had gotten the card when I set up my account, but had never once used it; when it was fraudulently used, I found the physical card still inside the manila envelope the bank gave it to me in. I'd forgotten its existence, and certainly never wrote down or gave out the card number, much less its other details (never stored/entered on my computer). I can only assume that Bank of America lost sensitive data and never properly disclosed it (and maybe were never even aware of it), as I cannot fathom how else someone got my card details.
@mandisaplaylist 5 years ago
32:33 This is soooooo true. I remember here in Europe they tried to push some major upgrade to the transparency of financial data handling with a 1-year deadline but they had to retract the thing because "the systems where this data are held are so old that nobody can actually make such a massive change in such a short time". And, there are numerous articles on the web covering the fact that many banks run their account and transaction handling on computer technology from times when "finding a bug" meant "crawl into the computer to find and dislodge an actual insect from its circuitry" instead of "find an error in the program running on it" ...
@deadleaves1985 4 years ago
COBOL is still a thing in banking; you can earn tons of money just by virtue of being old and having lots of experience with it by working in a bank and supporting these massive legacy systems. Eventually of course it will be rewritten in some less old tech (Java I guess? Bankers love Java) which will no doubt result in a new wave of exploits and fkups
@Noir87 4 years ago
I presume you're talking about PSD2?
@dnb5661 1 year ago
@deadleaves1985 Java sucks, but COBOL is worse. Like, anything seems better than COBOL at this point.
@SteveRichfield 4 years ago
Nearly all of these attacks depend on terminal electronics NOT having been filled with epoxy. All existing terminals should be either filled with epoxy, or destroyed and replaced with new terminals that have been filled with epoxy. Of course, adding some glass fibers to the epoxy would help further deter attacks on the epoxy.
@Vic-xg2kc 4 years ago
Yes Photonic Pizza, I know. But when the banking system treats its clients with utter contempt then I'd prefer my money in a tangible form and out of their hands, and I'd suggest everyone did the same.
@kevinowenburress2435 6 years ago
Right. I'll have to think about this sometime. I think that the Orwell computer is interesting apart from the wireless firmware (BT, WiFi) and software risk.
@77gravity 5 years ago
October 2018, Australia: we have had chip and PIN for some years now, and it is much safer than signatures. Now we also have PayWave, so they have removed the PIN for small charges, which is a complete LOSS of security.
@snakeman2506 5 years ago
Yep, those things are more insecure than using the Commonwealth Bank's accountants. Having to save 10 seconds > having hours of work stolen.
@Elite7555 4 years ago
What is a "small" charge? And is it really profitable to steal debit cards so you can make small transactions?
@framegrace1 4 years ago
No-PIN transactions are SAFER. The bank is liable in that case, and there's less attack surface for PIN harvesters like the ones explained here, mostly in small retail shops where those devices can be planted more easily. No-PIN transactions are, in fact, a response to all those studies.
@stephenisheta8457 2 years ago
I've noticed that this PIN removal phenomenon is a symptom of Asian transactional systems. It's a clear indication of China's indiscriminate attack on the free nations of the world
@harrickvharrick3957 4 years ago
I am in Europe, and I couldn't tell if what I am going to say applies in, for instance, the US. The other day my bank card most likely slipped out of my wallet when I entered the automated gates of public transport at some station. I then remembered it probably was possible to put an app from my bank on my smartphone so that I could still at least make payments. I downloaded and installed it (with help from the special little apparatus European banks give their customers to electronically sign online transactions and so forth with a unique, personalised number it will generate). The smartphone makes contact with the shopkeeper's payment terminal via NFC (near field communication, a very short-range wireless connection; it uses the same technique that is also built into bank cards nowadays). Up to a preset maximum (total of transactions) no PIN is required, but above that amount you will have to enter your PIN... by typing it ON THE SMARTPHONE'S SCREEN, NOT on the terminal! This way transactions again are much safer; there probably is no numerical information transmitted that could be copied and reused by scammers at all, and there is no longer any vulnerability of the PIN code (which is a different one from the one that you'd use for your bank card).
@klausstock8020 4 years ago
Technically, this assumes that your smartphone is a "secure signature generation unit". But you load all kinds of software on your phone, including these harmless-looking "get-lots-of-gold-for-your-smurf-village-for-free" apps (which are usually malicious). Well, some banking/payment apps check at least that the phone isn't rooted. In contrast, all these terminals are considered "secure" because they consist of a very specific hardware and software (which has probably even been "certified"), so they are guaranteed to be safe. Even if proven otherwise! Because they are certified!! However, what happens if you have to pay in a shop? Do you actually verify that the terminal is actually really a certified and approved terminal and not some 3D-printed fake terminal? Heck, consider some fake terminal on the counter which swallows your card, scans it optically, prints out a visually identical copy, asks for your PIN (and records your input), says something like, "Uh, sorry, transaction not possible" and returns the copy of your card. Now the scammer has your original card and your PIN, you have a nice looking non-functional copy (well, perhaps not so nice looking if the original had a hologram, but, honestly, I never check whether the hologram is still on my card when it comes back out of a terminal or an ATM). Yes, card printers are expensive. Like $1000. How long will it take the scammer to break even? One obvious solution would be to have smartcards with a built-in keyboard (possibly a thin metal dome one, half a millimeter high). Unfortunately, the wear on metal dome switches might be noticeable, so the digits of which a PIN consists might become obvious. Quality metal dome switches are also quite expensive. Well, sort of. But with billions of smartcards in circulation, increasing the price by $0.10 might possibly be far more expensive than the occasional fraud.
So, yes, while technically not certified by some authority to be secure, your smartphone is probably still more trustworthy than any ATM or terminal.
@ryanbmx5 4 years ago
If I understand this correctly - by using the chip everywhere, that leaves these wide open to skimmers? Sounds easy enough for the common criminal. Sure a shady merchant could make a fake or modded terminal, but that's a lot of effort for a petty criminal. I've seen some surveillance videos of people in gas stations asking for a pack of cigarettes and installing a skimmer while the clerk turns around to get them. People can be crazy fast with these things!
@learnyee 4 years ago
Credit card data gets stolen easily when the user is not aware of what is happening, e.g. after the merchant has transacted your card on the credit card POS, they are supposed to return it to you, but instead they swipe it on their own POS (their point of sale). This happens a lot when the customer is not aware, and by doing that they basically get the PAN, name, and expiry date, and by flipping over the card they can just note down the CVV. And if they are collaborating with any of those syndicates, they can just transact with those acquired details.
@sbalogh53 6 years ago
In Australia we now have "touch" terminals where for transactions less than $100 you just wave your card near the terminal and the transaction is approved. No PIN required. I am sure this could be a problem.
@oskari61 6 years ago
The Mr Robot card reader thingie is real; there is a DEFCON talk by the guys who did it about physical pentesting. I have no idea who it was, sorry. Funny thing, we (wherever I am) have a limit of 25€ for those "touch" payments (500$ - 700$ in Merican or Aussie funnymoney). Most people don't trust them or the mobile pay system (same thing but with your smartphone). I got a new card a few months after the system got online and immediately disabled the touch payment. The two account system that someone else posted is also a great idea and I've used it before anyone here! And when it comes popular I will transfer all my moneys to Bitcoin.
@fruitcake7789 5 years ago
This is NFC based.
@solhsa 5 years ago
AFAIR someone found a vulnerability with that where you could get around that fund limit by using some different currency. The card didn't know currency conversion, so it approved everything.
@timballam3675 5 years ago
RE touch payments, Transport for London had a problem where their card (Oyster) and people's touch cards were all getting charged when a wallet containing multiple cards was touched on the terminal.
@Gunth0r 5 years ago
Same thing got implemented in Belgium, but for a €20 limit per transaction and I assume some multiple of that limit per hour (€100 / €200?). The NFC tech will pave the way for biometric / implant payment systems. It's already happening with cryptocurrencies.
@douro20 6 years ago
2018 and it's still not any better.
@synterlu 5 years ago
He showed the front and back of his credit card at the beginning, I wonder if someone got the data?
@capability-snob 6 years ago
EMV nothing; online we still pay by handing out the same 16+3 digit capability with no way to verify the amount we are authorising to be removed.
@TheTigero 5 years ago
16 (PAN) + 3 (CVV) + 4 (EXP), if we're being precise...
@xm210c 5 years ago
That's why for online purchases you use a prepaid card like Revolut. They can charge me a thousand times if they want, they can only take what's on the card.
@Gameboygenius 5 years ago
@TheTigero Is the exact expiry date actually used for verification?
@TheTigero 5 years ago
@Gameboygenius Depends how the payment is processed, but the CVV changes when the EXP changes, so... Kinda
@Gameboygenius 5 years ago
Kevin Klika Ok, to ask a simpler question. If I input one digit wrong on the expiry date (while still being not expired of course) will the payment be declined because of that?
@Philbertsroom 4 years ago
Any links to the Khan case July 2008?
@Paul-gz5dp 4 years ago
I had multiple transactions show up from a store in Dubai on a card that I almost never used that was never out of my possession. The only country I have been to other than the USA is Mexico, and thankfully I was able to get my stolen money back. Fraud is real and it is not difficult for people to pull this off or anything else when people are able to steal info from the clearinghouse and other locations.
@learnyee 4 years ago
Likely insider work or a data leak and your information was stolen, seriously
@Paul-gz5dp 4 years ago
@learnyee That shows how insecure the whole system is.
@klausstock8020 4 years ago
Mexico. The country where every other ATM is a fake machine which just records the data from your card and the PIN entered. Some of these fraudulent ATMs can be recognized by having Bluetooth turned on (the scammer typically reads out the collected data via Bluetooth).
@Paul-gz5dp 4 years ago
@klausstock8020 I figured as much, so I have never used one in Mexico. However HSBC has been caught laundering illegal transactions.
@roblet5047 4 years ago
26:16 stopped talking for a stomach rumble.
@Graza25 4 years ago
It's naive to think the "baddies" are unable to engineer these attacks... Remember, there are extremely smart electronic engineers and computer scientists who are "baddies" too, who carry out and build these devices.
@woobilicious. 4 years ago
Anyone find information on the "Khan brothers"? I can't find any.
@mr_b_hhc 4 years ago
"... and that should teach us all quite a lot" - maybe, maybe not.
@mrlucasftw42 5 years ago
It doesn't make sense that the chip verifies the PIN - how could one change their PIN at a bank then? The hashed one-way crypto PIN would certainly have to get verified by the network
@robhulluk 5 years ago
You usually change your PIN by putting your card in an ATM. So the PIN can then be stored in the card. The PIN needs to be stored in the card for when it is used offline.
@boboo754 4 years ago
Rob is right; to add to that, an ATM is able to provide adaptations to the physical RF chip, whereas when a PIN is changed remotely and a card is used at an offline terminal, the old PIN is still valid, but when used at an online terminal the PIN must be the new one and the card is changed to 'always verify online' until used at an ATM
@zzanzare 5 years ago
Here we are, 4 years later, and the USA is still paying with magnetic stripes
@Davvg 5 years ago
zzanzare I don’t know where you’re at, but where I am at they only issue cards with a stripe + chip; whenever I have to swipe instead of use a chip it’s because the retailers haven’t upgraded their equipment or PoS software. Which is upsettingly common actually.
@garret1930 4 years ago
"Tap" payments became standard in Ontario almost 2 years ago now. Thieves don't even need to take anything from you now, all they have to do is stand in your general vicinity.
@shustyrackleford_710 4 years ago
@Davvg the CC machine at my work regularly decides the chip doesn't work, so I swipe probably 1/3 of our transactions ($2000+ on my shift alone)
@chad_bro_chill 4 years ago
@Dawg, you used "upsettingly" wrong, since the chip method takes longer and is a much bigger hassle than just swiping the damn thing.
@coprice94 4 years ago
@garret1930 unless we go back to 1920 we can't stop black hat hackers
@ShroudedWolf51 5 years ago
United States, better consumer protections... well, that's optimistic.
@nicolek4076 4 years ago
The person doing the introduction missed a point. Ross Anderson is not "a" professor. He is The Professor of Security Systems. In the UK a professorship is a very senior academic position indeed, unlike the USA where any person who teaches could be called a professor. If you meet a UK Professor, be honoured.
@Nathan-un6rb 4 years ago
Only people with a PhD are professors in the US. If you don't have a PhD, you're just a teacher
@powerjbn9283 5 years ago
s/malicious/wicked
@chrismaupin 4 years ago
EUR 33 for a drink?! This guy got robbed twice.
@jfwfreo 1 year ago
The US made things worse by going with "chip and sign" instead of "chip and pin" (mostly because the credit card companies are scared of anything that might cause even a single transaction that would have been done with a card to be done with some other payment method instead)
@amexleder7312 3 years ago
It's very easy, there are many ways to attack the EMV chip card
@BobWidlefish 4 years ago
9:00 keyp
@Norman_Fleming 5 years ago
The sound is not working, is that by design?
@dre04mach 4 years ago
How much longer till we move to 2FA like everything else? I can't wait to kill all of those google.com $1 charges and refunds... lol.
@ramiroaka9 5 months ago
Simple cash is still better, but what about SIM cards?
@jearl961 4 years ago
6:45, card machines don't encrypt transaction details?! Fucking disgusting.
@jemalguillory 4 years ago
This shit still works at the Costco gas pump.
@highlandrab19 5 months ago
Typical, the same certain groups doing all the crime.
@walterwojcik5090 3 years ago
Thumbs down for YouTube suggesting 5-year-old stuff to me but denying me working methods if I look for them... screw YouTube, WhatsApp, Facebook and all the other stuff Skynet a.k.a. Google has its fingers in
@Gfreezr 3 years ago
Just X-ray it!
@wazza33racer 4 years ago
Beggars belief that banks could be so stupid.................... no, not really.
@Kyusoath 4 years ago
He acts like the banks are the good guys.
@ligeskityler 4 years ago
Just a word of advice for the black hats. It’s best to keep these kinds of things quiet so no one knows. Just a thought.
@mikkenieminen9603 4 years ago
Modern shit tech like most. Built to be insecure by design.
@shustyrackleford_710 4 years ago
Listen up sheeple, there's NOTHING to worry about here okaaayyy? This tech is gonna make your life easier, just don't worry 'bout it. Go to work, pay them taxes, keep that electronic bank account full and everything will be fine, eh?