Sunday, December 26, 2010

Banks Try To Cover Up Fraud...Again

At the outset of the new millennium the banks had a problem. They were paying too much money compensating consumers who were victims of fraud related to banking activity. Mail fraud, cheque fraud and ID theft all placed the liability squarely on the shoulders of the banks and merchants. So they needed a "liability shift" that would allow them to escape responsibility for insecure transactions.

Enter the EMV protocol (named after Europay, Mastercard and Visa), or "Chip and PIN".

This technology places a chip in every participating credit and/or debit card. The chip allows the user to digitally authorize a transaction at a point of sale (POS) terminal using a PIN or a signature. This feature was hailed as a panacea that would eliminate credit card fraud by adding another, digital, layer of complexity to the transaction.

To date there are over 1 billion EMV-compliant smart cards in circulation worldwide. Here is a map of the areas in which EMV is deployed:

Great, so now over 1 billion card holders have bulletproof transactions right? WRONG.

In February 2010, Ross Anderson, Professor of Security Engineering at Cambridge University, and his colleagues published, and blogged about, a paper entitled "Chip and PIN is Broken".

As the title suggests, they found a fatal flaw in the current iteration of EMV. In their words:

"The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists’ cards. The transactions went through fine and the receipts say “Verified by PIN”.

It’s no surprise to us or bankers that this attack works offline (when the merchant cannot contact the bank) — in fact Steven blogged about it here last August.
But the real shocker is that it works online too: even when the bank authorisation system has all the transaction data sent back to it for verification. The reason why it works can be quite subtle and convoluted: bank authorisation systems are complex beasts, including cryptographic checks, account checks, database checks, and interfaces with fraud detection systems which might apply a points-scoring system to the output of all the above. In theory all the data you need to spot the wedge attack will be present, but in practice? And most of all, how can you spot it if you’re not even looking? The banks didn’t even realise they needed to check."
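The quote says the data needed to spot the wedge is already in the online authorisation request. An added illustration (not code from the post or from the Cambridge paper) of what that issuer-side check looks like: compare the terminal's claim of how the cardholder was verified (EMV tag 9F34, CVM Results) with the card's own record of what it did (the CVR carried inside the Issuer Application Data, tag 9F10). The 9F34 encoding follows EMV Book 3/4; the CVR bit layout is a hypothetical simplification, since real CVRs are issuer-specific, and all sample records are constructed.

```python
# Added example: issuer-side detection of a CVM mismatch in an EMV online
# authorisation. Not code from the post or the Cambridge paper. 9F34 encoding
# per EMV Book 3/4; the CVR bit layout is a hypothetical simplification
# (real CVRs are issuer-specific); all sample records are constructed.

# CVM codes: low 6 bits of 9F34 byte 1 (bit 0x40 = "apply next rule on failure")
OFFLINE_PIN_CVMS = {0x01, 0x03, 0x04, 0x05}   # PIN verified by the card itself
CVM_ONLINE_PIN, CVM_SIGNATURE, CVM_NO_CVM = 0x02, 0x1E, 0x1F
CVM_RESULT_SUCCESS = 0x02                     # 9F34 byte 3: 00 unknown, 01 failed, 02 ok

# Hypothetical CVR (inside tag 9F10) byte 0 flags
CVR_OFFLINE_PIN_PERFORMED = 0x80
CVR_OFFLINE_PIN_FAILED = 0x40


def terminal_claims_offline_pin(cvm_results: bytes) -> bool:
    """True if the terminal reports a successful offline (card-verified) PIN."""
    if len(cvm_results) != 3:
        raise ValueError("9F34 must be exactly 3 bytes")
    return (cvm_results[0] & 0x3F) in OFFLINE_PIN_CVMS and cvm_results[2] == CVM_RESULT_SUCCESS


def card_verified_pin(cvr: bytes) -> bool:
    """True if the card's own record says it ran and passed PIN verification."""
    b = cvr[0]
    return bool(b & CVR_OFFLINE_PIN_PERFORMED) and not (b & CVR_OFFLINE_PIN_FAILED)


def cvm_mismatch(cvm_results: bytes, cvr: bytes) -> bool:
    """The wedge's footprint: terminal says 'PIN ok', card says it never checked one.
    Online PIN (CVM 0x02) is not flagged: the issuer verifies that PIN itself."""
    return terminal_claims_offline_pin(cvm_results) and not card_verified_pin(cvr)


def screen_authorisations(requests: list[dict]) -> list[str]:
    """Return the ids of authorisation requests whose CVM data is inconsistent."""
    return [r["id"] for r in requests if cvm_mismatch(r["9F34"], r["cvr"])]


# Constructed sample authorisation requests (only the two relevant fields shown)
SAMPLE_REQUESTS = [
    {"id": "genuine-pin", "9F34": bytes.fromhex("410302"), "cvr": bytes.fromhex("80")},
    {"id": "wedge",       "9F34": bytes.fromhex("410302"), "cvr": bytes.fromhex("00")},
    {"id": "genuine-sig", "9F34": bytes.fromhex("1E0300"), "cvr": bytes.fromhex("00")},
    {"id": "online-pin",  "9F34": bytes.fromhex("420302"), "cvr": bytes.fromhex("00")},
    {"id": "pin-failed",  "9F34": bytes.fromhex("410301"), "cvr": bytes.fromhex("C0")},
]

if __name__ == "__main__":
    print("flagged:", screen_authorisations(SAMPLE_REQUESTS))  # → ['wedge']
```

Only the "wedge" record is flagged: the terminal reports a successful card-verified PIN while the card's own record shows no PIN verification took place.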

In order to prove their point, they built a test rig that would allow them to exploit this flaw in a real life situation, and they asked the BBC to tag along. Here are the results:

Isn't it funny how all the banks contacted by the BBC said EXACTLY THE SAME THING?!

Basically: "it's an industry problem, we're not the only ones using this technology." What is this, kindergarten?

So instead of apologizing profusely, alerting their customers and immediately fixing the problem, what do they do? They try to suppress the work done by the Cambridge team!

Here is the letter sent by the UK Cards Association to Cambridge, and a key quote from it:

"Our key concern, therefore, is that this type of research was ever considered suitable for publication by the University. It gives us cause to worry that future research, which may potentially be more damaging, may also be published in this level of detail."


"Consequently we would ask that this research be removed from public access immediately and would hope that you are able to give us comfort about your policy towards future disclosures."

Do you see the arrogance?

In other words they are saying: we know you exposed a serious flaw in our technology that consumers will end up paying for, but we don't want to do anything about it, and bullying you into removing this information from the public domain is easier than fixing the problem.

Luckily, Professor Anderson is no pushover. He responded with a scathing letter back to the UK Cards Association. Some highlights:

"Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar’s, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent."


"You complain that our work may undermine public confidence in the payments system. What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it."

I say we give a standing ovation to Professor Ross and his team, not only for doing excellent research in exposing this flaw, but also for standing their ground and refusing to be bullied by these incompetent and arrogant banksters.


Rob said...

Boy, if anything ever showed up the banksters to be shysters, crooks, and downright criminals, this is it. Arrogance taken to a new level. Thought for a while I was reading something from the U.S. Senate and House of Representatives and the White House all rolled into one. Guess these guys are buddy-buddy with our TSA gestapo boys and girls, too...nothing surprises anymore, the scam artists and bulliers are everywhere.

Anonymous said...

Part 4 tells you of the NUCLEAR demolition scheme of the WTC.

Part 14 tells you what happened to WTC-7 which fell 24 mins after the BBC announced its collapse.

Parts 24 & 25 are about the radiation sickness of the WTC responders.

If you are American and gave a damn about what has happened to your country, you should spread this information far and wide.

Anonymous said...

The world has changed since 9/11. If the truth behind 9/11 comes out, all these fascist governments will fall for they have all lied to us, the people.

And do you know that the truth behind 9/11 has been out on the internet since March 2010? It's all covered in an interview with Dimitri Khalezov, a former officer of the Soviet nuclear intelligence unit.


Hint: The interview is in 26 parts and lasts over 4 hours. Check out parts 4, 14, 24 and 25 first before watching the whole caboodle.

Some people in the USA may find the 1st link is flagged as malware. Do not believe that - the NWO simply doesn't want you to know the truth.

Anonymous said...

Full play list (all 26 videos on a single web page):

Individual links to each of the 26 parts: