Banks Attempt to Censor Academic Publication that Details SmartCard Chip and PIN Exploit Device

[FastTadpole]

Quote:UK Banks Attempt To Censor Academic Publication
Posted by timothy on Saturday December 25, @10:55AM

Representatives of the UK banking industry have sent a take-down notice (PDF link) to Cambridge University, demanding that they censor a student's webpage as well as his masters thesis (PDF*) . The banks' objection is that the information contained in the report might be used to exploit a vulnerability in the Chip and PIN system, used throughout Europe and Canada for credit and debit card payments. The system was revealed to be fundamentally flawed earlier this year, as it allowed criminals to use a stolen card with any PIN. Cambridge University has resisted the demands and has sent a response to the bankers explaining why they will keep the page online.

http://yro.slashdot.org/story/10/12/25/1...ublication

Here's the student's (Omar Choudary) website that outlines the SCD and highlight the fundamental flaws and applicable exploits of the "smartcard" system being implemented. Photos, firmware, software and schematics are available (for now) on his site as well.

Quote:The Smart Card Detective (SCD)

The SCD is a card-size device that can intercept, monitor and modify the data of an EMV transaction (EMV is the protocol used in Europe for smartcard payments). This device and the associated software are the result of my MPhil project. The main goal of the SCD was to offer a trusted display for anyone using credit cards, to avoid scams such as tampered terminals which show an amount on their screen but debit the card another (usually larger) amount.

However, the final result is a more general and open EMV framework that can basically do anything a card or a terminal might do. That is, the SCD can act as both a card or a terminal (or even a CAP device), and it can relay, monitor and modify a transaction between a card and a terminal.

We have successfully tested the SCD with many CAP readers and terminals. Among the applications implemented I mention: confirmation of requested amount before authorising a transaction, log of transaction data, PIN modification. We have been able to test also the No PIN vulnerability (PDF) using the SCD. There is also a French reportage (AVI) on this.

The hardware consists of an ATMEL AT90USB1287 microcontroller, with several features: 3 power supplies (USB, DC, battery), ISP, USB and JTAG connectors, 2 ISO-7816 (smartcard) interfaces. Most of the software (targetted for the AVR architecture) is written in C with some small parts in assembler.

All the details about the SCD can be found on my MPhil thesis (PDF)*.

I give free access to all the software and hardware files for personal and research purposes (files below). For any commercial purposes please contact me. I also mention that the code used to implement the NO PIN vulnerability is NOT available, although I provide all the functionality for any EMV transaction. My aim is to make the SCD an open framework for research on EMV. I will be updating the software as necessary and even the hardware can be modified, so any comments are more than welcome. Please give it a try and send me some feedback. If you need help in building the hardware get in touch with me.

News(20/12/2010): the new version (2.2) of the software includes the code for a terminal application. The SCD can now be used as a terminal.

Support for T=1 protocol is under development.

DISCLAIMER: I am not responsible for any damage or prejudice caused by using the software or hardware provided in these pages. Please use the information provided at your own risk.

http://www.cl.cam.ac.uk/~osc22/scd/

Files are available on the student's (Omar Choudary) website.

The files included are as follows and are provided under the GNU GPL license:

Hardware files
SCD schematic v2.0
SCD library for Eagle
SCD gerber files v2.0
ISO7816 ID-1 probe schematic
ISO7816 ID-1 probe gerber files
Farnell basket for SCD components

Software files
source code v2.2 (includes terminal application)
source code v2.0
Doxygen API for v2.2

Contact Information for Omar Choudary

I study in the Computer Laboratory, office GE14. My telephone number is +44 (0)1223 767001. E-mail me on osc22 !a.~t! cam.ac.uk

*Omar Choudary's Thesis for his PhD at Cambridge is attached:

  mphil_acs_osc22.pdf (Size: 2.63 MB / Downloads: 21)

[ragamuffin]

I covered the same news (Chip and PIN Hacked). Cambridge university seems to have strong interest in banking related security aspects. They published a Decimalization Attack against IBM HSM's a few years back. The work of Omar Salim Choudary is actually limited to a practical application of the findings of some predecessors in Cambridge; he didn't invent these techniques.