Anything nightlife or gambling related should be cash-only. Going out for a wild night? Take a couple hundred pounds with you and NO CARD. Spend it all, have fun and when you're out of money, it's time to go home.

never thought I'd hear the word whorehouse in a computerphile video lol

"You wouldn't dream of walking into a whorehouse on a Saturday night with 20,000 pounds of cash" That is EXACTLY what I dream about, sir.

"Cambridge students could do it, but real criminals couldn't." Implying Cambridge students can't be criminals :p

And in the US we're all "It's 2016 time for more security than just a magstripe! Oh the chip is enough security, you can't have a PIN."

why was I automatically unsubscribe to computerphile? I watch and thumbs up every video :(

Brilliant as always. This youtube channel is becoming my favourite by far.

This was a very, very informative video. Thank you for all of your hard work in putting this together!

The thing is, the protocol is overly complicated and has all these fall backs to old knowingly flawed transaction types. There are simple protocols that could be used to stop most these attacks. But on-line verification and no backwards compatibility to things like signature support is needed for them, and the banks like their backwards compatibility way too much.

I love listening to this guy talk, I think he would make a great teacher. I learn alot, this is so interesting to me. :)

I'm just enjoying looking at the books he has in the background - a very interesting collection.

The problem is the pin when entered should be encrypted and sent to the bank with the encrypted chip info as separate channels. At no time should the Pin open up the chip at the terminal.

Please do more episodes like this. loved it

This is very interesting. Thank you for publishing this!

Ha! I live in Vilnius. So far I've never heard of/encountered these modified devices. But thanks for the heads up, the whole topic is quite interesting actually, wouldn't mind a followup.

Best advice I've heard for combating this from Linus on the WAN Show: give yourself a low limit. People can't steal $10,000 from your card if your card only allows you to spend $500 at a time. "Well what if I need to spend $10,000!" Then you can just put more money on BEFORE you spend it, you silly goof!

Oh my gosh, this is eye-opening!

This is why I always use Western Union to wire money to people that I don't know.

. . . and this is why you should always use end to end encryption and best practices for security, rather than trying to roll your own system. It is so easy to mess up security if you make a mistake and didn't think of something. Sad to see that a man in the middle attack is so easy with chip & PIN.

Is this different than the chip and signature we're rolling out in the US now? From what I understood of the US systems, the chip doesn't actually pass your card number but rather a unique payment code that's cryptographically derived from your card number, the merchant ID, and your transaction counter (which gets incremented each time to prevent replay attacks). I was under the impression that this was done inside the chip which prevents MITM attacks. The examples he was giving seemed to date back a decade so I'm not sure if still applies to current day cards (namely in the US). Can anyone shed light on this?

In other words: if you go to the club, use cash :)

This was great! How about another video about RFID technology?

Since 2003? We're just now VERY recently starting to get chips here where I live in USA.

I'm taking an IT class at my high school. This channel inspired me!!!

would love to see a similar video on "tap" (NFC) fraud via wireless

This is the best youtube channel !! For real !!

Eh.. I prefer Fish and Cushion tbh.

Superb video guys. Keep it up

I remember when I was in the military they would warn us about these relays at ATM's and how to spot counterfeiting hardware. Now that I know what's possible it freaks me out everytime I use an ATM. Plus, many credit cards now have the chips but not all stores are required to operate using those chips. As long as that is possible, counterfeiting will remain fairly easy - despite these sophisticated chips.

Great video. Very informative. Love uni. Of Nottingham !

...and here I thought the little gold chip in my debit card was supposed to be more secure than the black stripe but it sounds like it's actually less. Or did I misunderstand?

Very good and informative video.

MORE from this guy!!!!!

Nice simple and clear.

Great video, very interesting

RIP Professor Anderson 😢

Great video.

So what are the mitigations around NFC relaying. It seems like they are just as vulnerable as chips, unless there are some workarounds using maximum latency. I would assume they are fairly lucrative as they do not require PIN number under certain amount of purchase.

7:20 This is why you should always get the receipt for absolutely everything every time and KEEP IT. At least then you have proof that you've been lied to.

Why are authorization codes from chip+signature compatible with chip+pin protocol? Or did I miss something from that explaination at 4:45?

Thanks you skim lord for for having the best with your cc

You don't even need that these days thanks to PayWave. Now all you need is a wireless POS machine registered to a company called something like "administrative fee", program the machine to withdraw a small amount, like a couple of pounds, then walk through a train passing it near people's pockets and handbags. You can do that to hundreds of people in a day, make thousands of bucks and when people check their bank statements (if they even bother to check their bank statements) all they see is a tiny transaction labelled "administrative fee" and think nothing of it.

What about the dangers of these machines that you can just hold your card against and it will do the transaction without even needing a PIN. I would love to learn more about those machines. I find them... scary

Wasn't aware of these more than "check the sum on the machine and always demand a receipt" and "watch the atm for suspicious devices/components". Of course then came the proximity "swipe" transaction or whatever and people were just scanned from their pockets in night clubs.

Pretty impressive book collection

Thanks Prof

Will mobile payments solve many of these problems? I've used mobile payments whenever I can for the past 2 years or so, but I have just moved to Samsung Pay which is, besides NFC, compatible with mag-stripe and chip-and-pin terminals. A pseudo card number and tokenization would be more difficult to forge, right? I have difficulty thinking of ways to forge the pseudo card and tokenization method.

thank you for this

I wish more people subscribed to this channel.

Shim -- A washer or thin strip of material used to align parts, make them fit, or reduce wear (Oxford)

Great speaker!

Man... I really want to be as knowledgeable as this guy some day.

The funny thing about the last attack he mentioned, you can always refute the charges if you ask for a receipt. It's not likely the evil verification boxes are going to print out a receipt that shows the charges being fed to the bank. Either way, they're hosed.

Where can I find an article that talks about the fraud that happened between Dubai, Karachi and the UK?

want to know more about designing protocols from security standpoint, thanks.

Wow! So how do you get around this? Is there any way of ensuring you don't get had? Does Ross use a card?

Oh, nice to know that he had some experience in Vilnius Lithuania, my town :D

Is there a link to the story Ross mentions between 3:08 - 3:45?

are pay by phone more secure or less... like how easy is it for someone to clone your phone sim-card and other unique information sent by your phone when making a purchase.

how about using a phone like samsung pay, apple pay and android pay etc are they safe?

Well, it seems as if there's not much, if any advantage over a magstripe. Is there any solution other than simply not owning one?

please make more videos about security frauds and stuff alike.

I got a new card...from now I use cash internationally and shady small-store businesses. 300 dollars gone from my account at an atm machine from another state in the U.S. And I still had possession of my card. This video made me more aware that there are smart criminals out there. Thank you.

Slim Shim (two sided flexible sim card with which both sims can sit in the one phone), that then sits between the card reader and the bank card (rigged to lie to both).... what a literal man-in-the-middle attack.... so literal.

Great video, I just wish he had covered his ideal solution or fixes to these attacks... or perhaps what the future holds. (Part 2??)

The one thing I don't understand is... Isn't every issue he mentioned also an issue with magnetic stripe transactions?

cool to highlight the problems. solutions would be nice though too :D

What about the "pay-wave" wireless card technology any fraud there we should be worried about?

And what about the contactless payment skimming that is now going on as well?

Wait a minute, wait a minute, I thought the whole point of chip cards is that the communication is encrypted? The data sent across the wires that are being tapped with these techniques should not contain the user's information plaintext, it's private-key encrypted and hashed against the clock, so why are these attacks working? Is this an older version of the technology that sends the data plaintext? I can see how the third example, with the false-card inbetween could work, but that will be fixed in the future as soon as credit card companies get with the times and stop allowing signature transactions. The other two, though, shouldn't be able to work as the technology works right now.

Can we have a video about those slim shims? Those sound cool on their own!

I like this guy. Hes very clear.

A 'shim' is a very thin piece of material that is inserted to make very fine adjustments to positioning. It's got nothing to do with shimmying as in dancing.

With due respect to the professor, he's completely, utterly missing the main point of why EMV/chip-card authentication is an important step forward over using magnetic stripes to do transactions.. Which is simply this: To pull off the attacks he describes against chip cards a bad guy has to physically alter the merchant's reader/terminal that talks to the chip on the card. On the other hand, with the way that magnetic stripe cards are still processed by many merchants today a bad guy that can hack into a store's Point-of-Sale machines can steal your credit/debit card info remotely, from anywhere in the world. Which is exactly how the huge breaches at Target, Home Depot, Kmart, and many other retailers here in the U.S. over the past few years happened.

0:40 ah good to hear...listening further then...

I take from this that there could go *a lot* more work into ensuring that the EC-technologies they want to throw onto the market are actually somewhat safe. Though they still keep messing it up again and again.

I though Chip & PIN was a UK bank association name created after the initial issuance of EMV cards without PIN as a PIN marketing education campaign. Isn`t the global name of the chip card technology specified by the EMVCo consortium, for its payment network members really EMV. And Chip & PIN just a local terminology used in the UK? Also I thought chip cards leveraging PIN authentication were globally issued since early 90s in countries like France before UK adopted them with the EMV standard at the turn of the century? Thanks for your analysis on EMV fraud issues.

A friend of mine worked at a Taco Bell about 5 years ago. She said the CC machine somehow got stuck on one guy's CC @ the drive through, and every time she swiped someone's CC, this one guy from before's CC info would go through and pay for everyone's order after him. It was like this one guy's CC info got stuck in the memory, and was reactivated every time she swiped a new customer's card. This guy ended up paying for dozens of people's orders before it got noticed!!!!

Very interesting. What is Apple Pay going to change about this in your opinion? Is it going to be more safe or are there different ways to hack Apple Pay? Looking forward to your answer Brady and Mr. Anderson.

Snap into a slim sim!

Would mobile payments like Android and Apple Pay be more or less secure?

@josefsson no not necessarily ; withdrawals can be made if you're using an account from which you can loan money ((names differ by country))

What happened to the next step in security that was advertised in the early '00's because even in the ,'90's it was known the chips are already defeatable. And we have plenty of guys on Tube that recommend removing the chips and going back to the swipe, along with a common thing now is doing a triple ( because so many people refuse to wait the 5-10 seconds, before putting a chip card in to give the cashier time to use the program to make ready for the card. They jump ahead, while things are still being rung in, as fast as possible, slip the card in, and get angry that the transaction isn't completed the very moment a last item is scanned. So we then have to do the 'triple'. Remove the card, wait, re- insert( wait for the error response), remove, wait, re- insert(..error response), remove, then, swipe,..and the card gets approved. All because people refuse to apply a little patience. And of course, if it's a rigged reader, the bad guys were just now given 4 chances to get info off their cards. This ( the 'triple')happens over and over again everyday. Things on their mind, new card( why it's like a new toy, it's remarkable, let's play), just plain immature users..? CXO blogs list all this stuff we have had for next steps, for years, yet we're still only at chips. What's wrong with the processes applicable on this.

Is Apple Pay with a credit or debit card on a iPhone safer than using the physical debit card as it’s a new technology or is it just a vulnerable?

Where I work (most transactions >£100) the card machines reject swipe unless the chip can't be read properly, if you stick the card in the wrong way 3 times it'll automatically switch and ask the customer to swipe it. Really easy to do low-key. Not quite as advanced as the methods in the video but it's pretty scary to think that somebody could pick up my card off the floor and rack up £1000's (assuming I wasn't broke lol) with little more than a few seconds fiddling, before I even knew I'd lost it.

Nice video

Chip & Pin is still relatively secure though -- at least, it's more secure than the RFID tags that they keep insisting on putting in bank cards here in Canada....

No matter what the system, if there is enough money to make the effort worthwhile, it will be hacked/cracked. Cash can be counterfeited, and you are out that money if you are caught with it, the bank isn't going to refund you that money. All that can really be done is make it more difficult to do so. Usually by adding "friction" to the transaction, longer pins, sms verification at the point of sale, bio-metrics and more complex protocols. At the end of the day it is a cost of doing business conveniently, which ultimately gets passed on to the consumer somewhere down the line.

Would it not make sense to eliminate chip and signature entirely to prevent some of this?

So… what's the solution? If one can't trust hardware, and one can't trust a bank to have my back, what's to do? My bank doesn't even have the chip. The store I work at doesn't take chips. Should I be shopping only at places that take Apple Pay?

Clever tactics used. I tend to use cash where it's an unknown place. Who knew these terminals would be dodgy from manufacturer (like text your details to Karachi).

Which one is safer? NFC or chip n pin?

You know you're early when there's no dislikes

I have always found it strange, that here in Germany, there is no way a cash machine would give you a receipt of the amount you just withdrew from your bank account. There is no paper and no print function in the cash machine anyway here. Whereas in all the other countries that I visited (UK Spain Netherlands Poland etc) I automatically got a printout of the amount withdrawn.

The one thing I thought would be helpful was Transaction: machine asks card for bank info machine reads LAST transaction signature from card machine gets pin machine asks bank if card is valid based on info and last transaction; all encrypted to high hell machine authorizes transaction, and saves new signature to card. If someone skims it then the card gets burnt when the last transaction doesn't match what the card thinks. If they man-in-the-middle it can't write the correct signature to the old card.

wasn't there a thing once upon a time where an barlcleys atm was hacked and huge sums of money was stolen? I just started uni in uk, and I still don't know the safest places to cash out...

well, they sort of ban mythbuster do an episode on this right?

And they wonder why I always pay in cash.

what about rfid (nfc)?

Nice!