Bank card attack: Only Martians are safe

Bank card attack: Only Martians are safe

Summary: Security researchers from Cambridge University have discovered a way to attack chip and PIN cards -- and warn only Martian cardholders are safe from the exploit.

SHARE:
8

Security researchers from Cambridge University have discovered a way to attack chip and PIN cards -- and warn only Martian cardholders are safe from the exploit.

Since the introduction of mandatory chip and PIN cards in the UK, banks have increasingly turned down fraud victims claiming compensation on the grounds that such chip-embedded smartcards cannot be cloned.

Chip and PIN has been heralded as the way forward for card security, with Westpac recently issuing them to customers, and with more banks set to roll out the cards once compatible terminals become more widely deployed in Australia.

However, Cambridge PhD students and security researchers, Steven J Murdoch and Saar Drimer, showed at a recent conference in Germany that the cards do not need to be cloned to be compromised -- a situation that has ruffled the feathers of banks, which rely on the UK's Banking Code of Practice to deny compensation claims if the fraud victim has been deemed to have compromised the security of their card.

The ability to reject such claims relies on the presumption that cloning is the only manner in which fraud can occur on the smartcard, which, according UK banks, is simply impossible.

"The banks have made grand claims of security [about chip and PIN]. It was said to be a safer way to pay but when you speak to the banks as a victim of fraud, they say there is no way to clone the chip and PIN card," said Murdoch.

"What I'm going to show is that you don't need to clone it in order to attack the system," he said.

By first tampering with a chip and PIN terminal, Murdoch uses a "relay attack" to capture authentication information sent from a merchant's point of sale terminal to the bank.

The attack requires the involvement of at least two people for it to work, and once the information is obtained, the fraudulent transaction must occur within the time that the legitimate cardholder's card is being read by the terminal.

While cloning is impossible, as banks have claimed, Murdoch shows how cardholder authentication can be spied on via the compromised terminal and then the details transmitted over Bluetooth, GPRS or GSM networks to another person who then completes a fraudulent transaction.

"Because the card knows a secret, I have no way of cloning that. But I can ask questions just like a terminal can ask [the card] questions. When I get the answer, I simply pass it on. I get an answer from a real card and pass it to a real terminal," Murdoch explained.

The analogy he uses is a chess game against a chess grand master conducted on a computer.

"There's no way I could beat a chess master. But one way to do this is by challenging two grandmasters and playing them simultaneously. So when one makes a move, I apply that move to the other game. At worst, I will draw, but I will play a good game and I will win against at least one of them," he said.

Although Murdoch alerted the banks to this possible exploit a few years ago, he says the idea was dismissed as a joke.

"The banks' general response to this, and, in fact, to everything we do, was that the people from Cambridge are very smart and we find it very amusing but these are lab conditions and it's not going to work in the real world," said Murdoch.

Being stung with a £55 latte
The example used by Murdoch occurs in a café and a bookstore located a few metres away, and begins when an unsuspecting victim pays for his coffee using his chip and PIN card.

For the scam to work, Murdoch admits it requires an insider to tamper with the payment terminal. "There have been plenty of frauds where that has happened. For example, a waiter could do this," he said.

Topics: Security, Emerging Tech

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

8 comments
Log in or register to join the discussion
  • Martian banks

    I didn't know there were banks on Mars, I bet they have better interest rates than us though.
    anonymous
  • Martian banks & real estate

    I don't think real estate is worth as much up there, so the interest rates don't matter as much :D
    anonymous
  • COOL

    Awesome comment man! U rock!!! If u r a girl, too bad 4 u!!! :D
    anonymous
  • TOTALLY

    I totally agree with u man!! And no Im not a hippie! HMPH!!! LOL
    JK I am a hippie.... NO REALLY JK!!! IM NOT A HIPPIE PERIOD.... OR AM I? NO JK!!!!!!!!!!!!!!!
    anonymous
  • HEY

    ISNT TODAY THE 14th??? Cause... NEVER MIND!!!
    FART ON U!!!!!!!!!!!!!!!!!!!!!
    anonymous
  • Yo

    Hey Bob! Yo! This is Jo! I miss ya totally man
    anonymous
  • HEY JOE

    Hey Joe, are u ther man? :)
    anonymous
  • Hmmm

    You guys are idiots
    anonymous