From: Palindr☻me
Newsgroups: uk.finance uk.legal
Subject: Re: Credit Cards/Chip and Pin/ATM withdrawls
Date: Thu, 22 Dec 2005 20:03:53 +0000
Cynic wrote:
> On Thu, 22 Dec 2005 13:57:31 +0000, Palindr☻me
> wrote:
>
>
>>The circuit design and silicon layout must be worth its weight in rice
>>crispies to anyone "seriously" planning to attack the chip. For
>>example, it may be as "simple" as micro-etching and then hitting the
>>right spot with a laser to set the chip to always generate "a PIN ok"
>>flag - or even something as crude as a drill in a micro milling machine
>>may achieve the same effect. I wonder if they have spent as much effort
>>on making the chip proof from those sorts of attack as they have on its
>>encryption algorithms and software?
>
>
> The "OK" signal is not on a physical dedicated data line anywhere. It
> will be a data message generated by the on-chip processor under
> firmware control. You cannot alter the program by physically altering
> the chip.
The program itself is stored as physical bit patterns in physical memory
on the chip. It is certainly possible to change such stored bit patterns
using an external device - although this would possibly be a one time
only change and may only be possible in one direction. Trying to find a
suitable memory location to change to produce a useful program change
would be tricky, I admit. Changing data rather than code is likely to be
a much better bet.
>
> Yes, physical security has been addressed AFAIAA by means of
> encapsulating the chip in a way that would not make it easy to get to
> the surface of the silicon.
They could certainly have some form of guard layer that would make life
very difficult. So that not only would you have to get to the surface of
the silicon, but to deposited layers under it. Tricky. But give the
right people a fulcrum...
>
>
>>The software on the chip may be set up to be easily changed to make it
>>economically non-viable to try to defeat the PC+card hack - but I doubt
>>that the real-estate of the private store can be re-designed all that
>>easily or cheaply.
>
>
> Cloning or altering the chip's hardware would be of no use to the
> forger. The information that needs to be changed is the data
> contained in what is effectively read-only memory (either data or
> program memory). Which in essence is the presence or absence of a
> charge in a microscopic memory cell.
Knowing the detail of the chip hardware and the firmware would allow you
to locate which microscopic memory cells contain what data. Those
individual cells may then be altered, typically destructively so that
the cell thereafter reads permanently 1 or 0. The equipment to do this
will not be cheap. Without knowing the detail, I cannot say if you could
end up with a card that would validate against any PIN - but it is
possible that it could.
>
> It *is* possible to read and change charges in such cells by means of
> an external device, and blueprints are not likely to be needed as a
> memory array is pretty obvious on a chip.
I agree a memory array is pretty obvious. Working out how the bits,
bytes and words are arranged and mapped to real memory addresses within
that area on the piece of silicon is dashed tricky. The chip design
details make it trivial.
> But not only does that take
> so long to set up that you would not be able to compromise many cards
> in a day, but anyone who can afford the equipment to do so is unlikely
> to find it worthwhile to risk being convicted of a serious crime to
> commit such fraud, and people who work in places where they might get
> the occasional access to such equipment would not be able to
> compromise enough cards to cause much damage.
I am obviously thinking of a criminal organisation overseas. The process
could be entirely automated, indeed it would largely have to be. It may
even be possible to use a laser to burn through the encapsulation,
straight to the appropriate memory cells on the substrate and alter them
to a permanent 1 or 0.
If both encrypted stored PIN and entered PIN are always mapped to the
same locations, both locations could be set using this technique, giving
a card that could possibly work with any PIN.
>
> Technology advances, and there may well come a time when the necessary
> equipment *is* affordable - but by that time I should think the
> security measures will have been updated to suit.
>
What would it be worth to be able to set any PIN card to work with any
PIN? I have no idea. But the typical kit found in any FAB plant would be
all that would be needed, perhaps.
All this is pure conjecture. The card could be protected against this
sort of attack. The software may not store the entered encrypted PIN. They
may be checksummed and the sum used as validation. So I am not arguing
that this is a serious threat. But, for anyone with the firmware and
chip design, it wouldn't take long to work out if such an attack would
be worth investigating further.
A software change as simple as a memory address offset or additional
checksum would defeat the attack - but it could be an interesting few
months until all the cards were replaced.
--
Sue
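The attack sketched in the post above (force the cells holding the stored PIN and the entered PIN to the same permanent value, so that any PIN compares equal) and the countermeasure it names (a checksum over the stored data, used as validation) can be shown in a small model. What follows is an added illustration, not code from the thread and not real card firmware: the memory layout and offsets, the "stuck-at" fault primitive, and the keyed checksum are all hypothetical, chosen only so that both the naive and the guarded PIN check can be run against the same forced cells.

```c
/* Toy model of the "stuck-at memory cell" attack discussed in the thread.
 * NOT real EMV/chip firmware; layout, checksum and fault model are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PIN_LEN 4
#define NV_SIZE 16

/* Hypothetical fixed layout of the card's non-volatile memory (the post's premise
 * is that the stored and entered PIN always land at the same locations). */
enum { OFF_STORED_PIN = 0, OFF_ENTERED_PIN = 4, OFF_SUM = 8, OFF_KEY = 9 };

typedef struct {
    uint8_t cell[NV_SIZE];
    uint8_t stuck[NV_SIZE];   /* 1 = cell permanently forced by the attacker */
} nvmem_t;

/* All firmware accesses go through these, so a forced cell behaves as described:
 * later writes to it are lost, reads always return the forced value. */
static uint8_t nv_read(const nvmem_t *m, size_t off) { return m->cell[off]; }
static void nv_write(nvmem_t *m, size_t off, uint8_t v) { if (!m->stuck[off]) m->cell[off] = v; }

/* Attacker primitive: burn one cell to a permanent 0 or 1 pattern. */
void force_cell(nvmem_t *m, size_t off, uint8_t v) { m->cell[off] = v; m->stuck[off] = 1; }

/* Hypothetical keyed checksum standing in for "checksummed and the sum used as
 * validation". It is a toy mixer, not a real MAC. */
static uint8_t keyed_sum(uint8_t key, const uint8_t *p, size_t n) {
    uint8_t s = key;
    for (size_t i = 0; i < n; i++) s = (uint8_t)((s * 31u) ^ p[i] ^ (uint8_t)(i + 1));
    return s;
}

/* Personalise a card: reference PIN, per-card key, checksum over the PIN record. */
void personalise(nvmem_t *m, const uint8_t pin[PIN_LEN], uint8_t key) {
    memset(m, 0, sizeof *m);
    for (size_t i = 0; i < PIN_LEN; i++) nv_write(m, OFF_STORED_PIN + i, pin[i]);
    nv_write(m, OFF_KEY, key);
    nv_write(m, OFF_SUM, keyed_sum(key, &m->cell[OFF_STORED_PIN], PIN_LEN));
}

/* Naive firmware: copies the entered PIN into a fixed buffer, then compares the
 * two fixed regions byte for byte. Returns 1 if the PIN is accepted. */
int verify_naive(nvmem_t *m, const uint8_t entered[PIN_LEN]) {
    for (size_t i = 0; i < PIN_LEN; i++) nv_write(m, OFF_ENTERED_PIN + i, entered[i]);
    for (size_t i = 0; i < PIN_LEN; i++)
        if (nv_read(m, OFF_STORED_PIN + i) != nv_read(m, OFF_ENTERED_PIN + i)) return 0;
    return 1;
}

/* Guarded firmware: never stores the entered PIN, and checks the checksum over
 * the stored record before comparing. A record whose cells were altered fails closed. */
int verify_checked(nvmem_t *m, const uint8_t entered[PIN_LEN]) {
    uint8_t stored[PIN_LEN];
    for (size_t i = 0; i < PIN_LEN; i++) stored[i] = nv_read(m, OFF_STORED_PIN + i);
    if (keyed_sum(nv_read(m, OFF_KEY), stored, PIN_LEN) != nv_read(m, OFF_SUM)) return 0;
    uint8_t diff = 0;                     /* constant-time style compare */
    for (size_t i = 0; i < PIN_LEN; i++) diff |= (uint8_t)(stored[i] ^ entered[i]);
    return diff == 0;
}

/* The attack from the thread: force both fixed PIN regions to the same value. */
void attack_force_both_buffers(nvmem_t *m, uint8_t v) {
    for (size_t i = 0; i < PIN_LEN; i++) {
        force_cell(m, OFF_STORED_PIN + i, v);
        force_cell(m, OFF_ENTERED_PIN + i, v);
    }
}

/* Runs one scenario on a freshly personalised card (constructed sample data)
 * and returns the firmware's verdict: 1 = PIN accepted, 0 = refused. */
int run_scenario(int hardened, int attacked, int use_wrong_pin) {
    static const uint8_t real_pin[PIN_LEN]  = { 4, 7, 1, 1 };   /* constructed */
    static const uint8_t wrong_pin[PIN_LEN] = { 9, 9, 9, 9 };   /* constructed */
    nvmem_t m;
    personalise(&m, real_pin, 0x5A);
    if (attacked) attack_force_both_buffers(&m, 0x00);
    const uint8_t *entered = use_wrong_pin ? wrong_pin : real_pin;
    return hardened ? verify_checked(&m, entered) : verify_naive(&m, entered);
}

int main(void) {
    printf("naive,   untouched, wrong PIN: %d\n", run_scenario(0, 0, 1));
    printf("naive,   forced,    wrong PIN: %d\n", run_scenario(0, 1, 1));
    printf("checked, forced,    wrong PIN: %d\n", run_scenario(1, 1, 1));
    printf("checked, forced,    real PIN:  %d\n", run_scenario(1, 1, 0));
    return 0;
}
```

Against the naive check, forcing both regions to zero makes every PIN pass; against the checked version the forced record no longer matches its stored sum and the card refuses even the real PIN, which is the "checksum would defeat the attack" outcome. The model also shows the limit the post itself raises: an attacker who knows the firmware, the layout and the key cell could in principle burn the sum cell to a consistent value as well, so what the checksum buys depends on the attacker not being able to set every relevant cell to a value of their choosing.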