A group of researchers from Cambridge University have discovered two critical flaws in the “Chip and PIN” (EMV) smart card payment system that can be misused to “clone” cards so effectively that normal bank procedures won’t spot the fake.
“Payment cards contain a chip so they can execute an authentication protocol. This protocol requires point-of-sale (POS) terminals or ATMs to generate a nonce, called the unpredictable number, for each transaction to ensure it is fresh,” the researchers explained.
“The payment terminal executes the EMV protocol with the chip, which exchanges selected transaction data sealed with a cryptographic message authentication code (MAC) calculated using a symmetric key stored in the card and shared with the bank which issued the card.” The user is verified by using the PIN.
EMV is considered to be a safer option than the “card swipe” payment system typically found in the US, but it’s not full-proof. In fact, research teams from Cambridge University have discovered other vulnerabilities of the system in the past years.
This time, they discovered that some ATMs generate poor random numbers, which can be easily predicted and could be used to compute the authentication codes needed to draw cash from that ATM at a later time.
This type of “pre-play” attack would be “indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be carried out even if it is impossible to clone a card physically,” proving that in at least some of the fraud cases, the card owners weren’t responsible for or complicit in the fraud, and should have been given a refund.
The second issue that they have discovered is a protocol failure that would allow malware in an ATM or POS terminal, or a a man-in-the-middle between the terminal and the acquirer, to carry out the pre-play attack, just by replacing the random generated number with one chosen by the attacker.
These flaws have been discovered over two years ago, and bank industry organizations have been informed in early 2012. In the meantime, only the first flaw has been addressed.
“We are now publishing the results of our research so that customers whose claims for refund have been wrongly denied have the evidence to pursue them, and so that the crypto, security and bank regulation communities can learn the lessons,” they noted.
“For engineers, it is fascinating to unravel why such a major failure could have been introduced, how it could have persisted undiscovered for so long, and what this has to tell us about assurance. At the scientific level, it has lessons to teach about the nature of revocation in cryptographic protocols, the limits of formal verification, and the interplay between protocol design and security economics.”
The group presented their research on Monday at the 2014 IEEE Symposium on Security and Privacy. For more details about the attacks, check out their paper.