PIN's and credit cards.

Matthew Byng-Maddick ukcrypto at lists.colondot.net
Sun, 17 Nov 2002 12:55:34 +0000 

On Sat, Nov 16, 2002 at 08:57:04PM +0000, Brian Morrison wrote:
> Someone I know was telling me that some (in this case encryption)
> hardware is arranged so that there is a woven metal mesh around the
> circuitry where the wiring is insulated at crossing points so the two
> wires are isolated. The whole board is then potted so that any attempt
> to cut in or tamper results in either an open circuit in one of the
> wires or a short between the two. Either condition is used to void
> internal NV data and render the board inoperative.

This is entirely correct (to my understanding anyway). Ross's team have,
AIUI, investigated several devices where this is the case.

> Sounds like this is what is needed to make the physical PIN pad security
> seriously difficult to compromise, but I expect there would still be
> other attacks possible.

However, in the attack that I was actually talking about you've got the
compromise taking place way outside. The idea is that the bank is relying
on you to keep your PIN secret, but what you don't know is whether the
PED has been taken apart, and either strain gauges attached or other wires
across the pins of the switches (which cannot really be inside the epoxy
and meshed encryption hardware). Given that these are large components in
the device, they're hard to protect, in the way that you would for the
actual keying hardware.

Also, implementing some shared-secret protocol that I could actually see
would be, well, interesting, and my munging my pin would be too hard for
most people. Ultimately, though, I think the whole idea of this is for the
banks to "cut down fraud", and blame the consumers when any fraud really
does take place. You also have to rely on the device not to have been
hacked at the level of, say, the printer, and that it's not adding an
extra "0" on the end when it actually generates the amount, etc. Because
the cards are "secure", this kind of attack will be the consumer's problem,
not the bank's.

MBM

-- 
Matthew Byng-Maddick         <mbm@colondot.net>           http://colondot.net/