Chip And Pin Broken And Other Security Threats

Another exploit has been found in the Chip and PIN system.  The exploit is a man-in-the middle attack that wouldn’t take too much know-how to pull off. You can watch the BBC report on the issue or check out the paper (PDF) published by the team that found the vulnerability. A stolen card resides in a reader that connects to a dummy card via a small cable. When the dummy card is inserted into a card reader, any PIN can be used to complete the transaction. The chip on the original card gets confirmation that the sale was completed via signature and the vendor’s card reader gets confirmation that the pin was correct. The UK based Chip and PIN system seems like a great idea, but it has had its share of security loopholes. This makes us wonder how hard it is to roll out security patches to the hardware readers in the system.  Obviously this needs to be patch but does it take a technician visiting each terminal to flash an upgrade?

Switching to the topic of wide-scale attacks, we caught the NPR interview with [James Lewis] on Wednesday when they discussed the growing threat of Cyberterroism. He feels an attack on the US electrical grid is currently the biggest threat and will happen in the next ten years. Obviously taking the grid down would endanger lives and bring things to a standstill; traffic lights, refrigeration, heat, etc. We’re just glad that when asked if he thinks there is already malicious code residing in the control system, he doesn’t think that’s the case.

[Thanks to Whatsisface and Mcinnes]

22 thoughts on “Chip And Pin Broken And Other Security Threats

  1. I disagree about electrical grid disruption being a major disaster. Two winters ago (’06-’07), my city and the surrounding area (SW MO) was hit by a huge ice storm. The ice and falling trees were bringing down power lines all over the place. Half the city didn’t have power for close to a week (my house was out for /over/ a week) and there were (to my knowledge) no “extra” fatalities caused by it. Traffic was practically unchanged (except there was less of it due to a lot of businesses being closed). Keep in mind: this was during the coldest part of winter.

    At worst, it would be a major inconvenience (and I’m sure the already struggling economy would take a hit) but it wouldn’t be the end of the world. Just look at how people rallied together after 9/11. It might even make the country stronger…

  2. Its Terrorism, plus aren’t you supposed to use a hyphen? Cyber-Terrorism…otherwise use Cyberorism???

    Plus talk about sitting on the fence. I reckon that I will be in a car accident in the next 10 years.

    I also have to really question what models these predicted events are based on? I know Warcraft players may go into withdrawel being unplugged for a few hours while some critical systems get restarted…or my beer goes warm, but we coped pretty well with the heavy snowfall and limited supplies of salt for the roads in the UK…but hardly end of days anarchy.

  3. lol @mungewell. that was great XD
    @amos
    i agree, the loss of electricity would be a huge pain in the arse, but nothing catastrophic. im interested as to how they would bring down an entire nation’s electrical grid at once…seems a little far fetched to me.

  4. Loss of electricity only affects those too cheap to own a backup.

    I picked up a used 2500 watt generator for $199 at a garage sale. IT can run most of my house, certainly keeps the net up, the house warm, and the fridge cold.

    I typically turn on all the outside lights as well just to rub it in my neighbors face.

  5. @fartface
    “too cheap to own a backup”

    Wow, way to pass judgement.
    What about people in areas where the power almost *never* goes out? There are lots of places in the country where power outages just aren’t an issue, and storing and running a generator just don’t make sense for those people, especially since your $200 generator is not the norm – if everyone bought one, most people would have to buy new – $1k or so.

    I live in silicon valley and the power just *never* goes out. Last week it was out at work for the first time in 3 years or so, due to someone running into a power pole.

    45 minutes away in the mountains, where my parents live, it happens all the time and they own a generator, but here it just doesn’t make sense.

    If all of silicon valley lost power though, it would be a serious problem after not too long.

    It has nothing to do with people being too “cheap”, it just doesn’t make sense for plenty of people, and that’s why on the rare chance our whole power grid went down, it could in fact be a big problem.

    It would certainly hurt us economically, and that’s all terrorists really want anyway, as it weakens us.
    -Taylor

  6. I think our (almost) total reliance on the “old” electric grid is unfortunate and a valid cause for concern. The idea of a distributed “smart-grid” which can utilize power generated from a variety of sources is intriguing.

    The use of renewable energies like grid-tied photovoltaic systems on homes and businesses could help provide a more reliable and secure electricity infrastructure. Mainly due to the distributed, “point-of-use” production in such a system.

    Plus, if the grid were to somehow fail, many people would still have access to the electricity from their own photovoltaic systems (and presumably, large battery-backup systems). Oh, and they’d be environmentally-friendly as well. Too bad it makes too much sense to actually implement =]

  7. The chicken hawks are at it again. NO where do
    we hear HOW ‘the power grid’ will be taken down
    by ‘cyber-terrorists’. Just blame it on those
    nefarious evil hackers. Heck, maybe those pals
    of Agent Mulder (i forget their names) decided
    to join the dark side. Hell they were always
    hacking into “government satellites” – if they
    can defeat a KG-84 (and upstage the Russians who
    have been trying to ‘hack’ into our military
    birds for decades -they must be 3l33t!).

    The only possible vulnerability (aside from
    social engineering) i can fathom, is the SCADA
    apps hosted on a web connected PC. In the DOD
    world, that would be a blatant IA violation &
    would not be permitted. So conceivably someone
    could hijack a PC at a power plant, and if it
    was hosting a control application from it –
    the potential consequences might be a problem.

  8. “Obviously this needs to be patch but does it take a technician visiting each terminal to flash an upgrade?”

    No, the terminals can be upgraded online or via dail-out (possibly also via dail-in to push an update, but never witnessed).
    Some terminals are connected via DSL line, some are connected via an analog telephone line.

    Terminals are being updated frequently, and if the SW signature doesn’t match, the terminal clearly warns you with: “terminal tampered with” on the LCD and with beeps. And the terminal doesn’t work anymore.
    If something like that happens (eg. due to an incomplete update) you need to go to the “hidden” service menu (for which you also need a pin..), and delete the latest update.

    Hope this answers your question.

    EqX

  9. From what I’ve read, the critical parts of the power grid are completely isolated, so you would need to be at the plant to have physical access or w/e in order to actually take it down… I’m sure some parts of the grid are connected to the web but I doubt the more sensitive parts are. The DoE is pretty serious about BG checks and such so I doubt they would let muhammed walk up to any kind of control terminal…

  10. Financial terminals in the real world are a set of trade-offs. They have to be cost effective from a total cost of ownership+operation perspective. The percentages of secured non-fraud transactions reaping billions tend to pre-outweigh any Zero Day Exploits. Even the front page screamer headline fodder exploits rarely come close to denting profit margins. Proof of concept stunts are neat displays of skills only if you’re ethical in the next steps.

    Yeah- anything “Can” be exploited if it’s made by humans. It’s all about the cost effective ratios for the exploiters and the legit transaction etc realms. Make something “good enough” AkA C&P or PGP and odds are in the house’s favor like most large scale gaming. With the consequential risk to exploiters. Getting caught burning the house is so not smart,let alone safe.

  11. who the fuck cares.

    in my country its either pin OR sign

    most carders just sign for it as theyre too lazy to buy pins.

    and if you suck at doing signatures theres ways around that too.

    + nobody is going to swipe a card with a cable attached to it. be realistic.

  12. I ported a 100,000 line C control program for a company and they never checked for Easter eggs. The program monitored drive trains on very large power stations. I left one myself, no security was ever carried out on this system. To this day it is still used on many power stations in Europe. Back then they never figured that this would be an issue, well not in this company I worked for. LOL.

    The TCP access is still active, LOL.

    Plus they gave me a bad reference.

    LOL

    Revenge is best served cold.

Leave a Reply to DarkFaderCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.