“I’ve got a customer”

February 10, 2007 by Saar Drimer

A few weeks ago Steven J. Murdoch and I released a video of a Chip & PIN terminal playing Tetris (YouTube version). Back then, I alluded to the fact that this was just a small part of something grander. We were working on an experiment that demonstrated a particular vulnerability Chip & PIN is prone to. This matters because banks now maintain that if the PIN was used, then the customer must prove they were not negligent, which is impossible: customers have no access to the evidence and no way to show that, for example, no one was looking over their shoulder. Therefore, since there is at least one way of defrauding customers who clearly have not been negligent with their PIN, such customers should be reimbursed.

Anyway, there is a somewhat technical article on ZDNet, with more info here, and Steven dissecting an insulting response from the Financial Ombudsman Service to a customer who sought to know on what grounds he had been refused a refund.

What was missing from the media hype over this is what is included in the academic paper. In it, not only do we describe the attack in detail, including background, we also describe and implement a defense against it called “distance bounding”, which is the main contribution.

In addition, we spilled the beans on prime-time TV here on the island’s BBC1, in a program called “Watchdog”, which is a popular and long-running consumer-watch program. This was quite an experience and I learned a lot from it. We spent about 11 hours with the crew, with the outcome of about 2 minutes of us appearing and a not-so-clear representation of the attack. Sigh. Before all this, I thought TV was evil; let’s just say I have not changed my mind.

I cannot post the video publicly (it would probably infringe on someone’s rights) but if you’d like to see yours truly say the line in the heading of this post on TV, email me at <first name><last name>

UPDATE: Someone has posted the segment on YouTube, here. If you want a better quality version, email me.


  1. Vince says:

    Saar, that’s rockstar! You’re awesome. And that program is way better than any trashy “investigative journalism” shitte that they put on the air stateside. I liked how the guy grilled the rep at the end of the segment. He might as well have said, “Shut up, you idiot. PINs don’t keep people’s money safe, didn’t you watch the segment? Now get off your fat, lazy arse and do something about it!”

    I admit though that I’m disappointed that you’re using your powers for good, not evil. I hope at a minimum that you and Steve kept the books :-)

  2. Saar Drimer says:

    Vince! You are funny.

    Thanks for reminding me. The books purchased were:

    The Burden of Proof (on the cover it also said, “author of Presumed Innocent”!)

    …and a tome on criminology.

    Unfortunately, this “joke” wasn’t shown.

    The BBC paid, not us, and I think they didn’t take the books and were refunded for the 50 GBP.
