Punctured PIN

Researchers at the University of Cambridge in the U.K. have chipped away at the security for chip-and-PIN cards.

The new technique allows someone to initiate transactions using a card that complies with an EMV Integrated Circuit Card Specifications card without using the card's PIN.

The EMV standard is used widely outside the United States and requires people to enter a PIN when making purchases at the point of sale, according to an article PC World ran Friday.

The researchers' attack method requires some tech savvy and some added hardware to trick a payment terminal into approving transactions with a bogus PIN, the article said. In a demonstration, one of the researchers had the extra hardware hidden in a backpack and connected to a dummy card, which in turn was physically wired to the "stolen" card being tested.

Though the terminal still prompts for a PIN code, the card itself is fooled into handling the payment as a signature transaction and will no longer evaluate the PIN; the researchers could enter anything into the PIN-pad. The article said that the banking industry was informed two months ago of the flaw.

In their paper on the topic, the researchers argued that it is important to publicize this flaw because it demonstrates that fraud is possible even when a PIN is entered.

"Frequently, banks deny such fraud victims a refund, asserting that a card cannot be used without the correct PIN, and concluding that the customer must be grossly negligent or lying," the paper said. "Our attack can explain a number of these cases."

A spokeswoman for the trade group U.K. Payments said in the article that although chip-and-PIN authentication is not infallible, the hardware needed for this technique "is not really plausible in a day-to-day environment. They've created a convoluted way of committing this fraud."

On the Attack

The ubiquitous Trojan called Zeus may have a godly name, but a new rival has proven it to be merely mortal.

The Spy Eye bug has a feature called "kill Zeus" that removes the Zeus program from infected machines. However, Spy Eye's motives are not benevolent; it only removes the Zeus bug so that it does not have to share any banking credentials it finds on infected machines, according to an article Computerworld ran last week.

Spy Eye, which emerged in December, can also intercept data that Zeus has already compromised as it is transmitted to the hacker that controlled the Zeus infection. Other programs have been developed to rival Zeus, but Spy Eye is far and away the most aggressive, the article aid.

It is also cheaper. Spy Eye sells for $500 on the black market, one fifth what Zeus commands.

Despite the power Spy Eye has over its rival, it does not have nearly the same reach, the article said. Security researchers have observed it on very few machines and do not yet consider it to be a broad threat, the article said.


An unhappy customer is claiming that a bank's strong authentication techniques actually made it more likely to fall for a phishing scheme.

Experi-Metal Inc. of Sterling Heights, Mich., is suing the Dallas banking company Comerica Inc. over security practices that it said made it easy for fraudsters to steal more than half a million dollars from the metal supply company's account last year, Brian Krebs reported on his "Krebs on Security" blog last week.

According to the lawsuit, for many years Comerica required its customers to use "digital certificates" to authenticate their browsers. Without this added bit of cryptography, the bank would reject any computer that attempted to use its online banking service.

From 2000 to 2008, Comerica sent out annual e-mails asking clients to renew their certificates by clicking a link in an e-mail. "The trouble with relying on digital certs," Krebs wrote, "is that phishers have been using the e-mail ruse of 'Hey, this is your bank, please update your digital certificate' for several years."

Clients who click the link in the scammers' version can be infected with a virus or duped into revealing their login credentials, he wrote.

"Perhaps in response to these fraud trends," Krebs wrote, Comerica changed its system in 2008 to require the use of a passcode-generating token.

These tokens generate a series of digits that the online banking site requires for login, supposedly preventing someone who has stolen a customer's username and password from accessing the account without access to the physical token.

Krebs wrote that this was little improvement. "Tokens work great provided the phishers don't ask for the token code as well," he wrote. EMI argued in its lawsuit that the switch to tokens was actually a downgrade in security, as this weakness was already well known by the time Comerica started using them.

But EMI was still accustomed to the earlier system, it argued, so on Jan. 22, 2009, when a phisher's e-mail instructed an employee to log in to a spoof site, the employee complied — and provided the security code generated by the token.

Once in, the scammers initiated 47 wire transfers totaling more than $560,000.

EMI said that in the prior two years it had made only two wire transfers.

Comerica wrote in its response to the court that "any reasonably alert" person trusted with financial credentials would not have been fooled by the scam site, and that when it switched to tokens, there was not "any expert consensus that token technology should not be used as a component in authentication purposes in online banking transactions."

Exposure

The Social Security numbers of almost 50,000 California residents were mistakenly exposed by the state's health officials, the Los Angeles Times reported last week.

The numbers were printed on envelopes mailed Feb. 1 to patients of the Adult Day Health Care Program, the Times reported. The Social Security numbers were mistakenly included in a list of addresses sent to the contractor that handled the mailing.

The envelopes contained change-of-benefit notices, the article said.

The state has sent letters asking patients to destroy the earlier envelopes and contact credit reporting agencies.

 

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas and suggestions about this column.