Skip to content or view screen version

Banks vs the Smart Card Detective

Danny | 28.12.2010 12:48 | Other Press | Technology

Banks are trying to censor a Master of Philosophy thesis from Cambridge University student Omar Choudary, showing how to avoid scams. The banks claim this is a security threat in itself. The university are intent on keeping his work on their website, and it remains on Choudary's, but the banks have a history of successfully covering up and ignoring security flaws to protect their reputations. I think it is useful for as many people and sites as possible to download and republish this information while it is still available.

I haven't verified any of the thesis, that will take quite some time, and I don't want to spell out implications that aren't obvious. I think publishing it here is justified solely from the fact the university are trying to protect it and the banks are trying to censor it. Maybe you know someone technical enough to find it very useful, or maybe you didn't even know you were at risk of being shown one price for a transaction when a different price was charged.

Banks attempt to censor student thesis
 http://www.techeye.net/business/banks-attempt-to-censor-student-thesis

Banks attempt to suppress maths student's exposé of chip and pin
 http://www.independent.co.uk/news/education/education-news/banks-attempt-to-suppress-maths-students-expos233-of-chip-and-pin-2170396.html


The Smart Card Detective (SCD)  http://www.cl.cam.ac.uk/~osc22/scd

The SCD is a card-size device that can intercept, monitor and modify the data of an EMV transaction (EMV is the protocol used in Europe for smartcard payments). This device and the associated software are the result of my MPhil project. The main goal of the SCD was to offer a trusted display for anyone using credit cards, to avoid scams such as tampered terminals which show an amount on their screen but debit the card another (usually larger) amount.

However, the final result is a more general and open EMV framework that can basically do anything a card or a terminal might do. That is, the SCD can act as both a card or a terminal (or even a CAP device), and it can relay, monitor and modify a transaction between a card and a terminal.

We have successfully tested the SCD with many CAP readers and terminals. Among the applications implemented I mention: confirmation of requested amount before authorising a transaction, log of transaction data, PIN modification. We have been able to test also the No PIN vulnerability using the SCD. There is also a French reportage on this.

The hardware consists of an ATMEL AT90USB1287 microcontroller, with several features: 3 power supplies (USB, DC, battery), ISP, USB and JTAG connectors, 2 ISO-7816 (smartcard) interfaces. Most of the software (targetted for the AVR architecture) is written in C with some small parts in assembler.

All the details about the SCD can be found on my MPhil thesis.

I give free access to all the software and hardware files for personal and research purposes (files below). For any commercial purposes please contact me. I also mention that the code used to implement the NO PIN vulnerability is NOT available, although I provide all the functionality for any EMV transaction. My aim is to make the SCD an open framework for research on EMV. I will be updating the software as necessary and even the hardware can be modified, so any comments are more than welcome. Please give it a try and send me some feedback. If you need help in building the hardware get in touch with me.

News(20/12/2010): the new version (2.2) of the software includes the code for a terminal application. The SCD can now be used as a terminal.

Support for T=1 protocol is under development.

DISCLAIMER: I am not responsible for any damage or prejudice caused by using the software or hardware provided in these pages. Please use the information provided at your own risk.
All the files below are provided under the GNU GPL license.

Hardware files
SCD schematic v2.0 [SCD_PCB_v2.sch]
SCD library for Eagle [SCR.lbr]
SCD gerber files v2.0 [SCD_PCB_v2.zip]
ISO7816 ID-1 probe schematic [ICC.sch]
ISO7816 ID-1 probe gerber files [ICC.zip]
Farnell basket for SCD components [scd_farnell_basket.csv]

Software files
source code v2.2 (includes terminal application) [scd_avr_v2_2.tgz]
source code v2.0 [scd_avr_v2_0.tgz]

Doxygen API for v2.2 [  http://www.cl.cam.ac.uk/~osc22/scd/files/html/index.html ]

Danny

Comments

Hide the following 3 comments

Simple Implications

28.12.2010 16:15

The implications are simple and clear.

When a bank says "that phantom withdrawal was your fault" you can point to the Choudary research (which dates back to 2006) and ask, "can you prove that beyond all reasonable doubt". The truth is that the banks cannot. Just like bank charges were in the past, the future will be increasingly focused on banking security. How come Santander can send out other people's bank details on customers' statements?

The implications are that the simple device- which was to protect people from fraud - that Choudary developed has exposed a potentially major security flaw in the whole chip and pin system. If the research underpinning that device suddenly disappears then it gives credence to the argument (which many - myself included - will find to be conspiracy theory tin hat land) that the banks are covering up something much much bigger.

The banks were told chip and pin was not a magic bullet. They sold it as a magic bullet. The strategy was risk based. Better that it was an academic that realised the risk rather than some shadowy ultra secretive criminal mastermind who would simply start skimming the depositors without announcing that chip and pin is broken.

Realistically, I do not think there is any conspiracy. Just the banks attempting to hide their liabilities now their risk based behaviour has been exposed.

Henry Cow


Smart bombers?

28.12.2010 23:24

You can print-out of the thesis as proof that transactions can be falsified, as Henry said. That's one implication that justifies keeping this online. Building the device would have other implications. You'd be able to test the security of smart card devices. A close software analogy would be a port-scanner, or a network stress tool like LOIC, which are pefectly legal because people have to test their networks to secure them, but tools like that are weapons when used maliciously by groups like Anonymous.

Henry is also correct that the banks knowingly introduced a flawed system, but it is less flawed than the system it replaced. I briefly worked for a smart card company in the early 90's, and my boss had a demo to evangalise the relative safety of smart cards. He'd copy credit card magnetic strips with a strip card reader, print out the copy onto video tape and hack accounts. A card strip reader cost £25 at the time, I sourced one five minutes after I first saw the demo. This is the equivalent for smart cards.

The encryption even the smart cards Sky TV use is licenced Israeli military encryption, no expense spared code. It's unbreakable, to me at least, unless N=NP and the mathematicians haven't proven that yet. Yet encryption is only one part of security, and this exposes gaping holes that are presumably down to multi-vendor (ie compromised) specifications and time constraints in the design process.

The banks say all fraud ultimately costs everyone but in reality there are different types of bank fraud. You can steal money from an individual account, or you can steal money from the bank, which to them is an acceptable loss that they will share out among their accounts. The bank steals money from you as stated policy, depending on your politics, but you also get shafted by other incompetence and theft from within the bank. I've had temp cashiers pocketing deposits, and the bank only admitting that after months of abuse once I found the receipt. One foreign bank sent me out a Chip n Pin card and security number without informing me (except through a TV campaign I never saw) which was intercepted and drained. So they have stolen money from me in various immoral ways, most costly the sharp practices recently. So I reciprocate, when they have stolen from me I deprive them of ten times that amount via roundabout ways. I don't steal from the banks to feed myself when I'm hungry, or to save other peoples lives, but when they fuck me over I fine them a greater amount. I burn some of their stolen money To me that is moral. That is my point in adding this post, to make anyone smart enough to build this tool consider when or if it is moral to use it as a weapon. Many protesters upset at the banks misbehaviour superglue or paint ATMs or block bank entrances, and that is barely effective at best, really it's just general maintenance costs far cheaper than fraud. Eric Cantona recently tried to get everyone to withdraw their cash from the banks at the same time, which shows he is a better poet than activist or economist. The Smart Card Defender is one of many, but not enough, tools that can dismantle capitalism, but it requires basic health and safety awareness. The elite are currently up a big shakey pedestal that we constructed for them. It's an inherently unsafe structure but if we dismantle it from the bottom then it is likely to collapse upon some of us. Plus on a hacker to hacker basis, if you overuse any tool then police will be breaking your door down.

My own metaphor for the safest liberation is when we crack the lid off a paint can. You don't try to prise it off from one point only, you swap positions repeatedly. Apologies if that reads like a Cantona poem, but anyone smart enough to build the SCD should get it.

Inventor of the helium-balloon whale