Bring on the smart cards

The state of the art in debit card fraud advances

A traditional credit card account can be thoroughly exploited based entirely on the details printed on the card — most cards will even bear an exemplar signature to aid aspiring forgers, and just the account number and expiry date are good enough for on-line purchases. The classic restaurant-payment scenario, in which the card is out of its owner's sight for several minutes, gives ample opportunity to get into the credit-fraud game using no technology more complicated than a notepad and pen.

Card-and-PIN–style debit systems like Interac are more resistant to fraud to the extent that a would-be thief must not only skim the identification information off of the card's magnetic strip, but also observe and record the secret PIN as the unwitting user types it in. Debit card bandits who don't simply extort the necessary information from their victims have typically resorted to magician-grade ruses involving furtive double-swipes and either hidden cameras or eagle-eyed, “shoulder-surfing” accomplices. The famous rigged ATMs, with their false card slots and keypads, are only the most elaborately staged and automated form of the classic technique.

But now, with news that some point-of-sale equipment logs not only mag-strip information but also the associated PINs, it's become clear that no degree of user vigilance can keep one's account information out of the hands of the enemy. We cannot trust the keypad that the cashier hands to us: it may turn around and re-play our transaction hours or days later, to the advantage of an invisible thief. Beyond changing the PIN with impractical frequency, we can do nothing to foil such a scheme.

Cards that keep their own secrets

The solution is to carry a smarter card, one that can keep a secret of its own beyond the information embossed on its face or plainly written on its magnetic strip. Smart cards have a chip embedded in them that can participate in a cryptographically secure challenge-and-response conversation with the bank's central computer.

The challenges, and thus the responses, change each time — the only common feature is the mathematically obscure private key used by the card to generate its responses. The bank, with knowledge only of the card's public key, can verify mathematically that the response was produced using the unknown private key. With the card thus positively identified, the user can enter a secret PIN as before, maintaining the two-factor authentication model that makes a stolen card useless.
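The exchange described above, as an added example that is not part of the original article: the bank sends a fresh random challenge, the card signs it, and a response recorded by a logging terminal fails when replayed against the next challenge. Ed25519 is an assumed stand-in for whatever signature scheme a real card would use, and the names `Card`, `Bank`, `Issue`, `Authenticate` and `Demo` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Assumption: Ed25519 stands in for the card's (unspecified) signature scheme.
// Card models the chip; the private key never leaves it, only signatures do.
type Card struct{ priv ed25519.PrivateKey }

// Respond signs the bank's challenge with the card's private key.
func (c *Card) Respond(challenge []byte) []byte { return ed25519.Sign(c.priv, challenge) }

// Bank holds only the card's public key.
type Bank struct{ pub ed25519.PublicKey }

// Issue creates a key pair, puts the private half on the card and
// registers the public half with the bank.
func Issue() (*Card, *Bank) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Card{priv}, &Bank{pub}
}

// Authenticate sends a fresh random challenge through the terminal and
// checks that the reply is a valid signature over that exact challenge.
func (b *Bank) Authenticate(respond func(challenge []byte) []byte) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	return ed25519.Verify(b.pub, challenge, respond(challenge))
}

// Demo runs one genuine transaction through a terminal that logs the
// card's response, then replays that logged response in a second one.
func Demo() (genuine, replayed bool) {
	card, bank := Issue()
	var logged []byte // everything the terminal saw of the card's secret
	genuine = bank.Authenticate(func(c []byte) []byte {
		logged = card.Respond(c)
		return logged
	})
	replayed = bank.Authenticate(func([]byte) []byte { return logged })
	return genuine, replayed
}

func main() { fmt.Println(Demo()) }
```

Running it prints `true false`: the live card is accepted, while the logged response is rejected because it signs a challenge the bank is no longer asking about.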

Research has shown that it is theoretically possible, using clever analysis of the chip's power consumption as it runs its calculations, to guess the private key hidden in the card's memory. But physical possession of the card for more than a few minutes is typically required. And it should be possible, given sufficient time, to guess the private key by computational brute force. Neither of these tricks is in the same class of ease as pulling account numbers and PINs from a point-of-sale terminal's log.

Better living through technological escalation

A clever system would enable smart cards to re-randomize their private keys, perhaps when the user elects to do so using an ATM menu option. The card would send only the new public key back to the bank, so that whatever progress an attacker had made toward guessing the old private key would be wasted.

Further elaborations to the system could involve putting a keypad or other input device on the smart card itself, enabling the encryption of the secret PIN before it is ever seen by untrusted machinery. For convenience, any number of biometric schemes could be used to replace (or, better, to supplement) the PIN.

Back to mugging

Smart debit cards, whether they talk to the outside world through traditional metal contacts or short-range radio broadcasts, will mean the end of simple replay attacks against debit accounts. There will, of course, be plenty of opportunities to foul up the design of the new system, and it will take plenty of time and money to implement. But if it is done properly, users' confidence in the security of their money will rightly be increased, and the thieves will have to fall back on credit card fraud — or just steal money the old-fashioned way, face to face.