Chip & PIN Fraud Explained - Computerphile

never thought I'd hear the word whorehouse in a computerphile video lol

Anything nightlife or gambling related should be cash-only. Going out for a wild night? Take a couple hundred pounds with you and NO CARD. Spend it all, have fun and when you're out of money, it's time to go home.

"You wouldn't dream of walking into a whorehouse on a Saturday night with 20,000 pounds of cash"
That is EXACTLY what I dream about, sir.

"Cambridge students could do it, but real criminals couldn't." Implying Cambridge students can't be criminals :p

And in the US we're all "It's 2016 time for more security than just a magstripe! Oh the chip is enough security, you can't have a PIN."

This was a very, very informative video. Thank you for all of your hard work in putting this together!

Brilliant as always. This youtube channel is becoming my favourite by far.

The thing is, the protocol is overly complicated and has all these fall backs to old knowingly flawed transaction types. There are simple protocols that could be used to stop most these attacks. But on-line verification and no backwards compatibility to things like signature support is needed for them, and the banks like their backwards compatibility way too much.

why was I automatically unsubscribe to computerphile? I watch and thumbs up every video :(

Ha! I live in Vilnius. So far I've never heard of/encountered these modified devices. But thanks for the heads up, the whole topic is quite interesting actually, wouldn't mind a followup.

The problem is the pin when entered should be encrypted and sent to the bank with the encrypted chip info as separate channels. At no time should the Pin open up the chip at the terminal.

I love listening to this guy talk, I think he would make a great teacher. I learn alot, this is so interesting to me. :)

I'm just enjoying looking at the books he has in the background - a very interesting collection.

Please do more episodes like this. loved it

This is very interesting. Thank you for publishing this!

Is this different than the chip and signature we're rolling out in the US now? From what I understood of the US systems, the chip doesn't actually pass your card number but rather a unique payment code that's cryptographically derived from your card number, the merchant ID, and your transaction counter (which gets incremented each time to prevent replay attacks). I was under the impression that this was done inside the chip which prevents MITM attacks. The examples he was giving seemed to date back a decade so I'm not sure if still applies to current day cards (namely in the US). Can anyone shed light on this?

This was great! How about another video about RFID technology?

Best advice I've heard for combating this from Linus on the WAN Show: give yourself a low limit. People can't steal $10,000 from your card if your card only allows you to spend $500 at a time. "Well what if I need to spend $10,000!" Then you can just put more money on BEFORE you spend it, you silly goof!

...and here I thought the little gold chip in my debit card was supposed to be more secure than the black stripe but it sounds like it's actually less. Or did I misunderstand?

would love to see a similar video on "tap" (NFC) fraud via wireless

. . . and this is why you should always use end to end encryption and best practices for security, rather than trying to roll your own system. It is so easy to mess up security if you make a mistake and didn't think of something. Sad to see that a man in the middle attack is so easy with chip & PIN.

Since 2003? We're just now VERY recently starting to get chips here where I live in USA.

I'm taking an IT class at my high school. This channel inspired me!!!

Why are authorization codes from chip+signature compatible with chip+pin protocol? Or did I miss something from that explaination at 4:45?

Superb video guys. Keep it up

Oh my gosh, this is eye-opening!

So what are the mitigations around NFC relaying. It seems like they are just as vulnerable as chips, unless there are some workarounds using maximum latency. I would assume they are fairly lucrative as they do not require PIN number under certain amount of purchase.

This is the best youtube channel !! For real !!

7:20 This is why you should always get the receipt for absolutely everything every time and KEEP IT. At least then you have proof that you've been lied to.

Great video, I just wish he had covered his ideal solution or fixes to these attacks... or perhaps what the future holds. (Part 2??)

In other words: if you go to the club, use cash :)

Great video. Very informative.
Love uni. Of Nottingham !

Where can I find an article that talks about the fraud that happened between Dubai, Karachi and the UK?

What about the dangers of these machines that you can just hold your card against and it will do the transaction without even needing a PIN. I would love to learn more about those machines. I find them... scary

Is there a link to the story Ross mentions between 3:08 - 3:45?

And what about the contactless payment skimming that is now going on as well?

Will mobile payments solve many of these problems? I've used mobile payments whenever I can for the past 2 years or so, but I have just moved to Samsung Pay which is, besides NFC, compatible with mag-stripe and chip-and-pin terminals.
A pseudo card number and tokenization would be more difficult to forge, right? I have difficulty thinking of ways to forge the pseudo card and tokenization method.

Eh.. I prefer Fish and Cushion tbh.

Shim -- A washer or thin strip of material used to align parts, make them fit, or reduce wear (Oxford)

The funny thing about the last attack he mentioned, you can always refute the charges if you ask for a receipt. It's not likely the evil verification boxes are going to print out a receipt that shows the charges being fed to the bank. Either way, they're hosed.

I remember when I was in the military they would warn us about these relays at ATM's and how to spot counterfeiting hardware. Now that I know what's possible it freaks me out everytime I use an ATM. Plus, many credit cards now have the chips but not all stores are required to operate using those chips. As long as that is possible, counterfeiting will remain fairly easy - despite these sophisticated chips.

Wow! So how do you get around this? Is there any way of ensuring you don't get had? Does Ross use a card?

want to know more about designing protocols from security standpoint, thanks.

are pay by phone more secure or less...
like how easy is it for someone to clone your phone sim-card and other unique information sent by your phone when making a purchase.

Wasn't aware of these more than "check the sum on the machine and always demand a receipt" and "watch the atm for suspicious devices/components". Of course then came the proximity "swipe" transaction or whatever and people were just scanned from their pockets in night clubs.

Well, it seems as if there's not much, if any advantage over a magstripe. Is there any solution other than simply not owning one?

Can we have a video about those slim shims? Those sound cool on their own!

Very good and informative video.

Is Apple Pay with a credit or debit card on a iPhone safer than using the physical debit card as it’s a new technology or is it just a vulnerable?

how about using a phone like samsung pay, apple pay and android pay etc are they safe?

I take from this that there could go *a lot* more work into ensuring that the EC-technologies they want to throw onto the market are actually somewhat safe. Though they still keep messing it up again and again.

please make more videos about security frauds and stuff alike.

With due respect to the professor, he's completely, utterly missing the main point of why EMV/chip-card authentication is an important step forward over using magnetic stripes to do transactions.. Which is simply this: To pull off the attacks he describes against chip cards a bad guy has to physically alter the merchant's reader/terminal that talks to the chip on the card. On the other hand, with the way that magnetic stripe cards are still processed by many merchants today a bad guy that can hack into a store's Point-of-Sale machines can steal your credit/debit card info remotely, from anywhere in the world. Which is exactly how the huge breaches at Target, Home Depot, Kmart, and many other retailers here in the U.S. over the past few years happened.

Would mobile payments like Android and Apple Pay be more or less secure?

A 'shim' is a very thin piece of material that is inserted to make very fine adjustments to positioning. It's got nothing to do with shimmying as in dancing.

Clever tactics used. I tend to use cash where it's an unknown place. Who knew these terminals would be dodgy from manufacturer (like text your details to Karachi).

This is why I always use Western Union to wire money to people that I don't know.

Great video, very interesting

I got a new card...from now I use cash internationally and shady small-store businesses. 300 dollars gone from my account at an atm machine from another state in the U.S. And I still had possession of my card. This video made me more aware that there are smart criminals out there. Thank you.

You don't even need that these days thanks to PayWave. Now all you need is a wireless POS machine registered to a company called something like "administrative fee", program the machine to withdraw a small amount, like a couple of pounds, then walk through a train passing it near people's pockets and handbags. You can do that to hundreds of people in a day, make thousands of bucks and when people check their bank statements (if they even bother to check their bank statements) all they see is a tiny transaction labelled "administrative fee" and think nothing of it.

What about the "pay-wave" wireless card technology any fraud there we should be worried about?

The one thing I don't understand is...
Isn't every issue he mentioned also an issue with magnetic stripe transactions?

Oh, nice to know that he had some experience in Vilnius Lithuania, my town :D

Would it not make sense to eliminate chip and signature entirely to prevent some of this?

I though Chip & PIN was a UK bank association name created after the initial issuance of EMV cards without PIN as a PIN marketing education campaign. Isn`t the global name of the chip card technology specified by the EMVCo consortium, for its payment network members really EMV. And Chip & PIN just a local terminology used in the UK?
Also I thought chip cards leveraging PIN authentication were globally issued since early 90s in countries like France before UK adopted them with the EMV standard at the turn of the century?
Thanks for your analysis on EMV fraud issues.

cool to highlight the problems. solutions would be nice though too :D

Very interesting. What is Apple Pay going to change about this in your opinion? Is it going to be more safe or are there different ways to hack Apple Pay? Looking forward to your answer Brady and Mr. Anderson.

Man... I really want to be as knowledgeable as this guy some day.

well, they sort of ban mythbuster do an episode on this right?

Where I work (most transactions >£100) the card machines reject swipe unless the chip can't be read properly, if you stick the card in the wrong way 3 times it'll automatically switch and ask the customer to swipe it. Really easy to do low-key. Not quite as advanced as the methods in the video but it's pretty scary to think that somebody could pick up my card off the floor and rack up £1000's (assuming I wasn't broke lol) with little more than a few seconds fiddling, before I even knew I'd lost it.

So… what's the solution? If one can't trust hardware, and one can't trust a bank to have my back, what's to do? My bank doesn't even have the chip. The store I work at doesn't take chips. Should I be shopping only at places that take Apple Pay?

MORE from this guy!!!!!

I have always found it strange, that here in Germany, there is no way a cash machine would give you a receipt of the amount you just withdrew from your bank account.
There is no paper and no print function in the cash machine anyway here.
Whereas in all the other countries that I visited (UK Spain Netherlands Poland etc) I automatically got a printout of the amount withdrawn.

Slim Shim (two sided flexible sim card with which both sims can sit in the one phone), that then sits between the card reader and the bank card (rigged to lie to both).... what a literal man-in-the-middle attack.... so literal.

Nice simple and clear.

Which one is safer? NFC or chip n pin?

Pretty impressive book collection

@josefsson no not necessarily ; withdrawals can be made if you're using an account from which you can loan money ((names differ by country))

A friend of mine worked at a Taco Bell about 5 years ago. She said the CC machine somehow got stuck on one guy's CC @ the drive through, and every time she swiped someone's CC, this one guy from before's CC info would go through and pay for everyone's order after him. It was like this one guy's CC info got stuck in the memory, and was reactivated every time she swiped a new customer's card. This guy ended up paying for dozens of people's orders before it got noticed!!!!

How to make programs ATM?

what about rfid (nfc)?

Does mobile NFC payments stop a lot of these hacks?

What is the name of the device at 4:36?

Didn't mention the thermal cameras which record the pin according to the temperature colour on the keys of the machine.

wasn't there a thing once upon a time where an barlcleys atm was hacked and huge sums of money was stolen? I just started uni in uk, and I still don't know the safest places to cash out...

I wish more people subscribed to this channel.

It's so weird to hear the name of my countries capital (Vilnius) being talked about in chip pin fraud video.

Wait a minute, wait a minute, I thought the whole point of chip cards is that the communication is encrypted? The data sent across the wires that are being tapped with these techniques should not contain the user's information plaintext, it's private-key encrypted and hashed against the clock, so why are these attacks working? Is this an older version of the technology that sends the data plaintext?
I can see how the third example, with the false-card inbetween could work, but that will be fixed in the future as soon as credit card companies get with the times and stop allowing signature transactions. The other two, though, shouldn't be able to work as the technology works right now.

The one thing I thought would be helpful was
Transaction:
machine asks card for bank info
machine reads LAST transaction signature from card
machine gets pin
machine asks bank if card is valid based on info and last transaction; all encrypted to high hell
machine authorizes transaction, and saves new signature to card.
If someone skims it then the card gets burnt when the last transaction doesn't match what the card thinks.
If they man-in-the-middle it can't write the correct signature to the old card.

Great video.

What happened to the next step in security that was advertised in the early '00's because even in the ,'90's it was known the chips are already defeatable.
And we have plenty of guys on Tube that recommend removing the chips and going back to the swipe, along with a common thing now is doing a triple ( because so many people refuse to wait the 5-10 seconds, before putting a chip card in to give the cashier time to use the program to make ready for the card. They jump ahead, while things are still being rung in, as fast as possible, slip the card in, and get angry that the transaction isn't completed the very moment a last item is scanned. So we then have to do the 'triple'. Remove the card, wait, re- insert( wait for the error response), remove, wait, re- insert(..error response), remove, then, swipe,..and the card gets approved. All because people refuse to apply a little patience. And of course, if it's a rigged reader, the bad guys were just now given 4 chances to get info off their cards.
This ( the 'triple')happens over and over again everyday.
Things on their mind, new card( why it's like a new toy, it's remarkable, let's play), just plain immature users..?
CXO blogs list all this stuff we have had for next steps, for years, yet we're still only at chips. What's wrong with the processes applicable on this.

Thanks you skim lord for for having the best with your cc

To be fair to the issuers you should also explain how big data and risk based authentication is being used to combat these techniques of fraud.

But every chip you purchase has a hard coded serial number (read only) hence theoretically cannot be duplicated.

A payment card has form factor of a smartcard.
The chip has the physical interface of a smartcard (I haven't compared, but at least it's very similiar).
So why the hell doesn't it work like a smartcard? I always assumed that when I input a PIN on the keypad with the card inserted, some cryptographic transaction was taking place where the terminal would input hash of the transaction to the card which would sign it when unlocked with a PIN.
But then "contactless" cards came along and I realized it was not even close. You swipe the card (obviously there's at most a pre-shared key to do anything at that point) and then input the PIN without the card present afterwards. What the hell? How's that supposed to help anything?
Any idea why this isn't it implemented like a smartcard? Even for wireless, you could type the PIN, then hold the card over the reader and it could still unlock with PIN and sign - just wirelessly.
Instead there's some obscure insecure-by-design protocol that can never work when you start looking at it even as a user!

I was suspicious of pins right away. If they can steal your magnetic stripe information by swiping your card in an electronic device, why can't they steal the same information stored on a chip the same way?

Yes yes, but where do we GET one of those machines!?

This happened to me in 2014. My card was being used all over southern California when the whole time it was in my possession. Check your bank statements. I went to a motocross track in riverside,ca and i used my card to get gas on the way there. So i think i put my card into one of those devices. Charges showed up after that day. Spread out all over Southern CA. My bank doubted me. I told them how can i be at that many places from riverside,ca to los angeles,ca in less than hour to make purchases.

So isn't Apple/Android/Samsung Pay better than any of this since it creates dummy account #'s during each transaction?

Until they ditch the SDA protocol its easy money. For under £100 you can purchase the required reader/writer and suitable blank cards, bins etc. Some of the issuers haven't addressed this, because in terms of percentages, the losses caused by use of cloned cards, are relatively very small, whereas implementing cda/dda is costly.