Cambridge University finds credit card security flaw, uses the money for beer pong supplies (video)
Oh, those crazy kids at Cambridge University -- when not doing keg stands or playing Hacky Sack in the quad they're hard at work proving the vulnerability of the EMV verification used in credit and debit cards (or as it's called across the pond, Chip and PIN). We won't go into too much detail (because we don't have much detail) but a flaw has been discovered that allows one to convince the terminal that a card's PIN has been entered -- and you know what that means: free money! All you really need to pull it off is a fake smart card connected to a card reader containing the stolen card and some fancy software. (Place the contraption inside a hat box or bowling ball bag if you want to be slick.) What could be simpler than that? "We think this is one of the biggest flaws that we've uncovered - that has ever been uncovered - against payment systems, and I've been in this business for 25 years," said Professor Ross Anderson from the school's Computer Laboratory. Sure, this is a proof-of-concept thing, and not yet a clear and present danger, but we have faith that the hackers will see this one through. Maybe we weren't crazy to bury all that gold in the backyard after all! British TV news (with the appropriate dramatic music) after the break.

Personally a little smitten because All Things Considered had this story about 2 weeks ago about how ancient the American credit card check out system is and how it was American arrogance preventing us from switching over.... and how safe the European model is, etc.
Kind of smitten.
You keep using that word. I do not think it means what you think it means.
I cannot agree more. We have no PINs on credit cards in the US and live just fine. Gas stations require your zip codes, which are of course easy to guess with a stolen card+ID, but don't suffer from this chip&pin issue.
@CtrlBurn I'm pretty sure I used it correctly. I was 'unreasonably pleased' with the news: unreasonable because you should never wish any financial problems or complications on anybody, but pleased nonetheless because of the snarky story about the American system that was on NPR a couple weeks ago.
@(Unverified) Yep, you definitely don't know what it means.
@(Unverified)
Smitten:
feeling or showing love and affection; "loving parents"; "loving glances"
marked by foolish or unreasoning fondness; "gaga over the rock group's new album"; "he was infatuated with her"
affected by something overwhelming; "conscience-smitten"; "awe-struck"
:)
@Mr Lizard "marked by foolish or unreasoning fondness"
"I am marked by unreasonable fondness because All things Considered..."
If you substitute the definition in place of the word "smitten" it makes perfect sense and says the same thing that I was saying. Perhaps I could have added, "I am marked by unreasonable fondness _for this news_". But it is sort of implied that you are talking about the .. news story .. when you reply to it.
@Jimbojones Erm, we live just fine too. You don't have Chip & Pin problems because you have none of the benefits. It's only slightly removed from saying we don't have any of the road accident problems because we don't have cars. Of course you don't, it hardly makes what you have better though.
@(Unverified)
Smitten is usually used to express feelings of fondness for another person - i.e. the feeling you get when you think about someone who makes you happy.
"I am marked by unreasonable fondness because All things Considered"
You have excessive tenderness or affection for this news????
Sorry for correcting you - I'm British and proper - what do you expect ;)
@Sammy3
+1 Sammy, he claims that the definition provided makes perfect sense and means what he meant.. he still doesn't get it...
Are you really "Very fond by this news"?!
Lol... I haven't spoken to a single British person who has the faintest what beer pong is. Perhaps that's the humor in this?
@Alex
Had to search what it was in order to know what it is =/.. Having said that, drinking games differ in rules and title, and where I am we play a similar game but with a coin, bounce the coin into the cup (which isn't beer, it's a mixed pint of whatever the players happen to be drinking)..
@ClarkyAC
Ah, at Uni we called that quarters.
http://en.wikipedia.org/wiki/Quarters
@Alex
Still slightly different to the one we at my uni (UK).. Still an easy way to get your alcohol levels up before hitting the town :D
@Alex yeah, Mr. Flatley appears to have confused Cambridge, England with Cambridge, Mass. Not only didn't we have "beer pong", we had no idea what "hacky sack" is. Oh, and we didn't have "quads", we had courts.
@czeese
Definitely no quads, hacky sack or beer pong. I don't think Engadget would have confused Cambridge University, ranked second in the entire world, with anywhere else, but whatever. I don't get it, Engadget.
@safe travels "second"?
People still play hackey sack? That was so 2004!
You guys should try tip the cup. Good times
@ashleythehottiest, still a very popular game at many universities.
Quarters, Kings (and all sub games of Kings), Beer Pong, Flip Cup.
Full list is on Wikipedia:
http://en.wikipedia.org/wiki/Category:Drinking_games
I have a solution, check if person who is using the card has wires all over himself...
These students would have nothing to do if we all just wrote our PIN numbers onto our credit-cards and just get it over with..
@Dking7
you mean like someone who is listening to an iPod... or zune.. or has a psp.. or any other portable device that would force you to have some cables with you.
@BrianH look at the cards, 1/10 of the card has a tape with wire out of it...gee.. I would notice that..
@Dking7: Because it is so hard to improve and conceal the wires.
What's sad is how old this type of attack is:
http://www.dailymail.co.uk/news/article-520748/Criminals-easy-way-crack-chip-pin-security-bank-cards.html
http://www.telegraph.co.uk/news/2551522/Gangs-hiding-bank-card-readers-inside-shop-chip-and-pin-machines.html
@Fuzzball
I think both "methods" you have linked required an authenticate pin number.. With this new method it seems that you can input ANY pin and the transaction will continue.. Quite a big security flaw..
@ClarkyAC
Ahh yes, you are correct. Would help if I were paying more attention. Still, Chip and PIN has been pushed as fraud-proof to the consumer, but reality is it just places liability on the account/card holder. I really don't look forward to when the US gets this pushed out en masse.
Didn't John Connor discover that like 15 years ago?
@czeese
Definitely still no quads, hacky sack or beer pong here in 2010 either. I don't think Engadget would have confused Cambridge University, ranked second in the entire world, with anywhere else, but whatever. I don't get it, Engadget.
Cambridge discovers hot water: "We think this is one of the biggest discoveries that we've uncovered - that has ever been uncovered - and I've been in this business for 25 years," said Professor Tournesol
More seriously: isn't this the same flaw as the one discovered by http://fr.wikipedia.org/wiki/Serge_Humpich ? Also called yescard (because the card answers yes to the terminal whatever PIN code is entered).
http://fr.wikipedia.org/wiki/YesCard
@ARKB
No, it's not the same as a yes card. The yes card attack only works for offline (ie, when the terminal trusts the card and doesn't communicate directly with the bank) authentication, not online (ie, when the terminal contacts the bank to validate the transaction) authentication. This attack works by letting the terminal believe that it's performing PIN authentication, but telling the card that the terminal is requesting signature authentication. This results in the card generating a valid token, so it works even against online authentication.
@mjg59
wow ! So that's effectively a crazy amazing flaw ! Thanks for the details
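A simplified model of the mismatch described in mjg59's comment above, added here as an illustration (it is not code from the post, the commenters or the Cambridge researchers). It shows why a token that verifies does not by itself prove the PIN was checked, and how an issuer that compares the terminal's claimed method with the card's own authenticated record rejects the mismatched transaction. The message layout, field names and key are assumptions, not real EMV formats.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key standing in for the secret shared by card and issuer.
ISSUER_CARD_KEY = b"constructed-demo-key"

@dataclass
class AuthRequest:               # hypothetical online authorisation message
    amount: int
    nonce: bytes
    terminal_cvm: str            # what the terminal believes: "pin" or "signature"
    card_pin_verified: bool      # what the card itself recorded
    cryptogram: bytes            # card's MAC ("valid token" in the comment)

def card_cryptogram(amount, nonce, card_pin_verified, key=ISSUER_CARD_KEY):
    """MAC over the transaction data and the card's own view of PIN verification."""
    state = b"\x01" if card_pin_verified else b"\x00"
    msg = amount.to_bytes(8, "big") + nonce + state
    return hmac.new(key, msg, hashlib.sha256).digest()

def mac_ok(req):
    expected = card_cryptogram(req.amount, req.nonce, req.card_pin_verified)
    return hmac.compare_digest(expected, req.cryptogram)

def issuer_naive(req):
    """Accepts any request whose cryptogram verifies; ignores the method claimed."""
    return mac_ok(req)

def issuer_cross_check(req):
    """Also requires the terminal's claim to agree with the card's authenticated record."""
    if not mac_ok(req):
        return False
    if req.terminal_cvm == "pin" and not req.card_pin_verified:
        return False             # terminal says PIN, card never verified one
    return True

def make_request(amount, nonce, terminal_cvm, card_pin_verified):
    mac = card_cryptogram(amount, nonce, card_pin_verified)
    return AuthRequest(amount, nonce, terminal_cvm, card_pin_verified, mac)

NONCE = bytes(range(8))                               # constructed sample value
honest = make_request(2500, NONCE, "pin", True)       # both sides agree on PIN
mismatch = make_request(2500, NONCE, "pin", False)    # the two views disagree

if __name__ == "__main__":
    for name, req in (("honest", honest), ("mismatch", mismatch)):
        print(name, "naive:", issuer_naive(req), "cross-check:", issuer_cross_check(req))
```
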
I never use debit cards, but if I did, I'd enter a false PIN 1st (always) --- like I do at my ATM. Banking online also gets a bad password 1st.
@dblevins
explain this
@Brea If you enter a bad PIN/password, a "man-in-the-middle" as stupid as the one shown will give a "go-ahead" to complete the login. If that is what happens, you then know you'll be compromised and can abort the transaction. If you get a "reject", you can then enter the true PIN/password.
A smart man-in-the-middle will send the PIN/password on to the real server and check for an "ok" or "bad" signal coming back. This takes much more programming and knowledge of how the compromised system works.
@Brea i'm sure u haven't used a debit card ever.
@thegreatskywalker srry, the post was directed to dblevins
@dblevins You get three shots at a wrong pin then you're locked out...
@Mr Lizard
3 in a row. k?
I want one of those.
$_$
They only have quads in Oxford. Cambridge has courts.
How much does a bloodhound cost a year?
So what they're saying is that if someone steals your card they can use it. What's the big shock in that?
You don't need a PIN to use the stolen card for online purchases.
The solution, your card is stolen, call in and have it cancelled.
Couldn't they just fix this by starting to issue cards that refuse signature transactions? I've never done a signature transaction using the chip, signatures are only done with places that use the magnet stripe...
@kalleboo
Unfortunately, no, they couldn't. Chip cards in countries where EMV has been implemented must still retain magstripe and signature functionality because the international card schemes require them to do so for global interoperability reasons.
To those naysayers about EMV and the perceived strengths of the US system: I would rather have a few outlying technical frauds like this take place than have tens of millions of dollars fraudulently withdrawn by criminals at ATMs, which is subsequently invested in organised crime, terrorism and people trafficking.
Anyone interested should look at the annual fraud publication from the UK Payments Association. It demonstrates that EMV has dramatically reduced fraud in the UK but, due to the retention of magstripe, has just shifted the spend of funds to other non-EMV countries. If the US and others deployed EMV, the magstripe could be removed from cards and counterfeit fraud will be greatly reduced.
The Cambridge attack may be technically possible, but the scale of loss will never reach the current levels where magstripes are skimmed at ATMs, or compromised elsewhere, the data traded for a few cents, and then fraudsters thousands of miles away use the data to create a counterfeit and withdraw hard cash from an ATM.
But I may be wrong.
OK, let's estimate the actual risk.
1. Need a stolen card
2. Need a middle device and cables to be used
So if card is discontinued, it will not be authorized by the payment system. Necessity to have additional gear is also limiting the actual field risk.
It is my understanding that fake ATMs collecting PINs and card data are still much more effective and dangerous than this issue.
The music is dramatic, true. The issue is not too much.