“Researcher: debit card security needs an overhaul”

The PIN that is used to secure debit cards and credit cards can easily be intercepted. The PINs of Dutch debit cards may also be vulnerable. “The system needs to be overhauled,” says security researcher Andrea Barisani.

In recent years, banks have taken measures to better protect the PINs of credit cards and debit cards, but because outdated credit cards must also still be supported, that extra security is undone. So warns security researcher Andrea Barisani of security firm Inverse Path.

Although Barisani only found problems in the security of the PINs of credit cards, debit cards that use the Maestro standard, as used in the Netherlands, are also vulnerable as soon as they are inserted into an ATM that supports both credit cards and debit cards. That is often the case, because the chips on credit and debit cards rely on the same technology: EMV, which stands for Europay, MasterCard and Visa.

The PIN can be intercepted by sliding a small device into an ATM. That device poses as a credit card and performs a man-in-the-middle attack on the transaction between the card and the ATM. “I have not investigated Maestro cards, but that doesn’t matter,” Barisani told Tweakers. The device that is slid into the ATM emulates a credit card; the ATM does not notice that, in fact, no credit card has been inserted at all.

The vulnerability lies in the support that PIN terminals offer for outdated forms of credit card authentication, in which the PIN is sent unencrypted to the ATM. An attacker can force that outdated form of authentication to be used. “This problem is caused by backwards compatibility,” said Barisani.

“One problem is that the authentication of the card and the authentication of the PIN happen separately,” says Barisani. The solution would be to verify the authenticity of the card before the PIN is entered, something that does not happen now. However, that conflicts with the official specification of the payment system. “The only solution is to ignore the specification,” said Barisani. “Or to overhaul the whole system.”
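An added example (not from the article or from Inverse Path) of the two terminal-side checks described above: refuse a plaintext PIN method, and refuse any PIN prompt until the card has been authenticated. The CVM List layout and method codes follow the EMV specification; the function names, the `card_authenticated` flag and the sample lists are constructed for illustration, and condition codes are not evaluated.

```python
# Added example: terminal-side policy sketch, not an EMV kernel.
# EMV cardholder verification method (CVM) codes: low 6 bits of a rule's first byte.
CVM_NAMES = {
    0x01: "plaintext PIN verified by card",
    0x02: "enciphered PIN verified online",
    0x03: "plaintext PIN verified by card + signature",
    0x04: "enciphered PIN verified by card",
    0x05: "enciphered PIN verified by card + signature",
    0x1E: "signature",
    0x1F: "no CVM required",
}
PLAINTEXT_PIN = {0x01, 0x03}
PIN_METHODS = {0x01, 0x02, 0x03, 0x04, 0x05}


def parse_cvm_list(data):
    """Parse a CVM List value: two 4-byte amounts, then 2-byte rules."""
    if len(data) < 10 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM list")
    rules = []
    for i in range(8, len(data), 2):
        code = data[i]
        rules.append({
            "method": code & 0x3F,
            "name": CVM_NAMES.get(code & 0x3F, "unknown/RFU"),
            "next_on_fail": bool(code & 0x40),  # try the next rule if this one fails
            "condition": data[i + 1],
        })
    return rules


def pin_prompt_decision(cvm_list, card_authenticated):
    """Return (allow_pin_prompt, reason) for the first PIN rule in the list.

    Assumption: condition codes are ignored, so the first PIN rule decides.
    """
    for rule in parse_cvm_list(cvm_list):
        if rule["method"] not in PIN_METHODS:
            continue
        if not card_authenticated:
            return False, "card not authenticated before PIN entry"
        if rule["method"] in PLAINTEXT_PIN:
            return False, "refused: " + rule["name"]
        return True, "ok: " + rule["name"]
    return False, "no PIN rule in list"


# Constructed sample lists (not captured from real cards).
MODERN = bytes.fromhex("0000000000000000" "4403" "4203" "1E03" "1F00")
DOWNGRADED = bytes.fromhex("0000000000000000" "4103" "1E03")
```
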

Dutch banks have taken steps to arm themselves against the vulnerability, but Barisani suspects that the problem can still be abused. Because outdated foreign credit cards are still accepted, attackers could therefore pose as a foreign debit card.

The vulnerability relates only to the interception of the PIN; an attacker would also need to get hold of the debit card itself. “But the problem is that you as a customer are liable if your debit card is stolen and the thief uses your PIN,” says Barisani. According to him, banks assume that customers have been negligent if the PIN is used, for example because they kept it on a piece of paper in their wallet. “We want to demonstrate that this is not necessarily the case, because the PIN can be intercepted.”

Barisani brushes aside the conclusion drawn by NU.nl that “credit cards may also be skimmed”. “We are warning about a very specific problem,” says Barisani. “To say that credit cards are not secure is not fair. Because that is not true.”

The problems that Barisani warns about are not new: in 2011, Barisani’s colleague Daniele Bianco already warned about vulnerable credit cards at the Hack in the Box security conference in Amsterdam. However, Barisani has now found a new hack to which more cards are vulnerable than previously thought. That appears to have no consequences for Dutch debit cards and credit cards.

