Posts Tagged ‘ Spy ’

Credit Card Frauds: Chip-and-PIN is broken

Feb 18th, 2010 | By Innovya follow-up | Category: News

If simple credit cards are cloneable, just imagine how “new ID cards” are supposed to be ‘unforgeable’ – but it took an expert minutes to clone one and program it with false data

By Cory Doctorow at 11:43 PM February 11, 2010

(Chip and PIN is broken via Schneier)

BBC: New flaws in chip and pin system revealed

Noted security researcher Ross Anderson and colleagues have published a paper showing how “Chip-and-PIN” (the European system for verifying credit- and debit-card transactions) has been thoroughly broken and cannot be considered secure any longer. I remember hearing rumbles that this attack was possible even as Chip-and-PIN was being rolled out across Europe, but that didn’t stop the banks from pushing ahead with it, spending a fortune in the process.

The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists’ cards. The transactions went through fine and the receipts say “Verified by PIN”.

It’s no surprise to us or bankers that this attack works offline (when the merchant cannot contact the bank) — in fact Steven blogged about it here last August.

But the real shocker is that it works online too: even when the bank authorisation system has all the transaction data sent back to it for verification. The reason why it works can be quite subtle and convoluted: bank authorisation systems are complex beasts, including cryptographic checks, account checks, database checks, and interfaces with fraud detection systems which might apply a points-scoring system to the output of all the above. In theory all the data you need to spot the wedge attack will be present, but in practice? And most of all, how can you spot it if you’re not even looking? The banks didn’t even realise they needed to check.
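The point that the data needed to spot the mismatch reaches the bank can be made concrete with an issuer-side consistency check. This is an added example, not code from the quoted post or the researchers' paper. It assumes the authorisation message carries the terminal's CVM Results (EMV tag 9F34) and that the card's own record of whether it verified a PIN has already been decoded from card-authenticated data into a boolean; all field and function names are hypothetical and the sample requests are constructed.

```python
from dataclasses import dataclass

# Low 6 bits of CVM Results byte 1: methods where the card itself checks the PIN.
OFFLINE_PIN_CODES = {0x01, 0x03, 0x04, 0x05}
CVM_SUCCESSFUL = 0x02  # CVM Results byte 3: 0 unknown, 1 failed, 2 successful


@dataclass
class AuthRequest:
    txn_id: str
    cvm_results: bytes               # terminal's view (tag 9F34, 3 bytes)
    card_offline_pin_verified: bool  # card's view (assumed pre-decoded)


def terminal_claims_offline_pin(cvm_results: bytes) -> bool:
    """True if the terminal reports a successful PIN check done by the card."""
    if len(cvm_results) != 3:
        raise ValueError("CVM Results must be exactly 3 bytes")
    method = cvm_results[0] & 0x3F   # drop the RFU and 'apply next rule' bits
    return method in OFFLINE_PIN_CODES and cvm_results[2] == CVM_SUCCESSFUL


def review(req: AuthRequest) -> str:
    """Compare what the terminal says happened with what the card says."""
    try:
        claimed = terminal_claims_offline_pin(req.cvm_results)
    except ValueError:
        return "decline: malformed CVM Results"   # fail closed
    if claimed and not req.card_offline_pin_verified:
        return "decline: terminal reports PIN verified, card does not"
    return "continue"  # hand over to the remaining authorisation checks


# Constructed sample requests (not real transaction data).
SAMPLES = [
    AuthRequest("t1", bytes.fromhex("410302"), True),   # PIN seen by both sides
    AuthRequest("t2", bytes.fromhex("410302"), False),  # views disagree
    AuthRequest("t3", bytes.fromhex("1E0302"), False),  # signature transaction
    AuthRequest("t4", bytes.fromhex("4103"), False),    # truncated field
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.txn_id, review(sample))
```
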



Electronic Spying Operation (How Biometric is going to be leaked)

Oct 18th, 2009 | By Innovya follow-up | Category: Evidence
By Brian Padden, Washington


Canadian researchers say they have uncovered a China-based electronic spying operation that infiltrated computers in 103 countries.  While they say they have no conclusive evidence of Chinese government involvement, the targets of the computer espionage were political.  The cyber spying operation is one of the biggest and most sophisticated ever discovered.

Researchers at the University of Toronto call it Ghostnet – an electronic spying operation that infiltrated more than 1,000 computers around the world.  They say it targeted NATO, the Indian Embassy here in Washington and Tibetan exile centers in India, Brussels and London.  Researchers say that in addition to stealing computer files, the cyber spies could turn on the internal camera on a remote computer to eavesdrop on live conversations.

Nart Villeneuve is with the University of Toronto’s Munk Center for International Studies.  He says that while the operation was sophisticated in its organization and scope, it used readily available Internet viruses called Trojans, attached to email messages to infiltrate computers.

“From a purely technical point of view, no, it was not that sophisticated,” said Nart Villeneuve. “The Trojan, the attacker favors, the ‘ghost rat;’ it’s open sourced.  You can go and download it.  It’s not like it is some clever special new way of doing it.  But the way in which the attacker was able to leverage these tools was sophisticated.”

The Toronto researchers uncovered the cyber spying operation when they were asked by the exiled Tibetan leader, the Dalai Lama, to examine his organization’s computers for malware – malicious software that can infiltrate or damage a computer system.

Although the group cannot say whether the Chinese government was involved, they add that Ghostnet’s computers were almost exclusively located in China and that the targets were political.  They found infected computers in the Dalai Lama’s organization and were able to trace stolen correspondence back to the spy network’s computer servers in China.

The Chinese government has denied any involvement in the operation.

But James Lewis, a technology expert with the Center for Strategic and International Studies in Washington, says cyber spying is nothing new for the Chinese government.

“We know that they are interested as a government,” said Lewis. “We know that they’ve done it in the past as a government.  And the things that are being collected are of interest to the Chinese government.”

Lewis notes that many countries, including the United States and Russia, use computer technology to gather intelligence.

The University of Toronto researchers say an international agreement is needed to protect privacy rights and prohibit cyber spy operations like Ghostnet in the future.