Problems obtaining cash from German ATMs - Update
Over the weekend, large numbers of customers of the leading multi-channel German bank Postbank had problems withdrawing cash from cash points using EC cards and other debit/credit cards containing EMV chips. A Postbank spokesperson told the Deutsche Presse-Agentur (dpa) that some cards were rejected by the ATMs, but that the ATMs themselves had worked flawlessly. Experts are now investigating why cards were rejected.
Yesterday, Postbank spokesperson Hartmut Schlegel, although unable to say how many customers had been affected, did say the problem is not limited to Postbank. Schlegel said Germany's Zentrale Kreditausschuss (ZKA) banking industry association is to release a statement on the issue today.
EMV technology is intended to prevent illegal copying of cards using skimming techniques and to replace the traditional magnetic strip. The EMV procedure uses cryptographic methods to enable card terminals to verify a card's authenticity and to communicate with it. There are currently three different security procedures for real time card checking: Static Data Authentication (SDA), Dynamic Data Authentication (DDA) and Combined Dynamic Data Authentication (CDA). The banking industry primarily employs SDA and DDA in its cards.
With SDA, a combination of fixed card data is signed using an RSA key belonging to the issuer. Since this signature is static, it can be introduced during chip manufacture, thus reducing costs. SDA chips are, however, unable to perform certain cryptographic operations. When checking a PIN offline, where no direct connection to the card issuer's system can be established, the PIN entered at the ATM is sent to the card for verification in plain text.
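The difference between a stored static signature and a signature computed on the chip, as an added Python example that is not part of the original article. The toy textbook RSA keys, the sample card record and all function names are assumptions for illustration; real EMV cards use different data formats, larger keys and a certificate chain that is omitted here.

```python
import hashlib

def make_key(p, q, e=65537):
    """Textbook RSA key from two primes: returns (n, e, d)."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

# Constructed toy keys built from Mersenne primes; far too weak for real use.
ISSUER = make_key(2**61 - 1, 2**89 - 1)    # issuer key, never leaves the bank
CARD = make_key(2**107 - 1, 2**127 - 1)    # per-card key held inside a DDA chip

def digest(data, n):
    """Hash the data and reduce it into the range of the modulus n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    n, _, d = key
    return pow(digest(data, n), d, n)

def verify(key, data, sig):
    n, e, _ = key                  # a terminal uses only the public part (n, e)
    return pow(sig, e, n) == digest(data, n)

# Constructed sample record, not a real card layout.
STATIC_DATA = b"PAN=0000000000000000;EXP=1212"
SDA_SIGNATURE = sign(ISSUER, STATIC_DATA)  # computed once, during manufacture

def sda_transaction(static_data, stored_sig):
    """SDA: the chip only returns stored bytes; the terminal checks them.

    The check detects altered card data, but the signature is the same in
    every transaction and the chip performs no cryptographic operation.
    """
    return verify(ISSUER, static_data, stored_sig)

def dda_transaction(chip_key, challenge):
    """DDA (simplified): the chip signs a fresh terminal challenge itself.

    Returns (accepted, dynamic_signature). The terminal verifies against the
    card's public key, so only a chip holding CARD's private part passes.
    """
    dynamic_sig = sign(chip_key, challenge)        # runs on the chip
    return verify(CARD, challenge, dynamic_sig), dynamic_sig
```
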
SDA chips are widely used in the UK, where skimmers are already exploiting this vulnerability. In order to obtain PIN and card data, they eavesdrop on communications between the terminal and the card. This requires the use of a special device, inserted between the card and the terminal – i.e. over the card slot. The fraudster can then write the stolen data to a magnetic strip on a card of his own making and then, since he also has the PIN, hit the shops.
One of the reasons this kind of fraud is possible is that points of sale still have to support cards with magnetic strips. As a result, the more secure DDA chips used in Germany also fall short of 100% security: so that cash can be withdrawn and payments made in countries where the EMV standard is not supported, the cards still include a magnetic strip, which can be copied. However, since 2005 the credit card industry has held the non-EMV-capable partner liable for losses from fraud – this may be the bank or shop where a cloned card is used.
Update - The ZKA have announced that the problem has been resolved with all Girocards (formerly EC-card) and German cash machines. The problem was caused by a certain type of chip used in production of the cards which contained a software error in the processing of the year 2010. The problem is being fixed by reconfiguring ATMs and point of sale terminals to work around this software error in the cards.