Security researchers from Cambridge University have discovered a way to attack chip and PIN cards -- and warn only Martian cardholders are safe from the exploit.
Since the introduction of mandatory chip and PIN cards in the UK, banks have increasingly turned down fraud victims claiming compensation on the grounds that such chip-embedded smartcards cannot be cloned.
Chip and PIN has been heralded as the way forward for card security, with Westpac recently issuing them to customers, and with more banks set to roll out the cards once compatible terminals become more widely deployed in Australia.
However, Cambridge PhD students and security researchers, Steven J Murdoch and Saar Drimer, showed at a recent conference in Germany that the cards do not need to be cloned to be compromised -- a situation that has ruffled the feathers of banks, which rely on the UK's Banking Code of Practice to deny compensation claims if the fraud victim has been deemed to have compromised the security of their card.
The ability to reject such claims relies on the presumption that cloning is the only manner in which fraud can occur on the smartcard, which, according UK banks, is simply impossible.
"The banks have made grand claims of security [about chip and PIN]. It was said to be a safer way to pay but when you speak to the banks as a victim of fraud, they say there is no way to clone the chip and PIN card," said Murdoch.
"What I'm going to show is that you don't need to clone it in order to attack the system," he said.
By first tampering with a chip and PIN terminal, Murdoch uses a "relay attack" to capture authentication information sent from a merchant's point of sale terminal to the bank.
The attack requires the involvement of at least two people for it to work, and once the information is obtained, the fraudulent transaction must occur within the time that the legitimate cardholder's card is being read by the terminal.
While cloning is impossible, as banks have claimed, Murdoch shows how cardholder authentication can be spied on via the compromised terminal and then the details transmitted over Bluetooth, GPRS or GSM networks to another person who then completes a fraudulent transaction.
"Because the card knows a secret, I have no way of cloning that. But I can ask questions just like a terminal can ask [the card] questions. When I get the answer, I simply pass it on. I get an answer from a real card and pass it to a real terminal," Murdoch explained.
The analogy he uses is a chess game against a chess grand master conducted on a computer.
"There's no way I could beat a chess master. But one way to do this is by challenging two grandmasters and playing them simultaneously. So when one makes a move, I apply that move to the other game. At worst, I will draw, but I will play a good game and I will win against at least one of them," he said.
Although Murdoch alerted the banks to this possible exploit a few years ago, he says the idea was dismissed as a joke.
"The banks' general response to this, and, in fact, to everything we do, was that the people from Cambridge are very smart and we find it very amusing but these are lab conditions and it's not going to work in the real world," said Murdoch.
Being stung with a Â£55 latte
The example used by Murdoch occurs in a cafÃ© and a bookstore located a few metres away, and begins when an unsuspecting victim pays for his coffee using his chip and PIN card.
For the scam to work, Murdoch admits it requires an insider to tamper with the payment terminal. "There have been plenty of frauds where that has happened. For example, a waiter could do this," he said.