Chip-and-PIN flaw blamed for cloned bank cards

Summary: Cambridge security researchers have found serious problems with how ATMs and payment terminals authenticate chip-card transactions, though an industry group has dismissed the method as too complex for fraudsters to use.

Security researchers say they have found a vulnerability in the ubiquitous chip-and-PIN system that could effectively allow bank cards to be cloned.

In a paper, "Chip and Skim: cloning EMV cards with the pre-play attack", presented to a cryptography conference in Belgium on Tuesday, the University of Cambridge researchers said the flaw undermined banks' claims that chip-and-PIN, or 'EMV', cards were prohibitively expensive to clone.

"We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit," the researchers said in the paper's abstract.

The researchers said their work began after hearing of the case of a Mr Gambin, "a Maltese customer of HSBC who was refused a refund for a series of transactions that were billed to his card and which HSBC claimed must have been made with his card and PIN at an ATM in Palma, Majorca on the 29 June 2011".

Method

The chip in an EMV card is there to execute an authentication protocol, and is itself very difficult to clone: for each transaction it computes a cryptogram, a message authentication code keyed with a secret shared between the card and the issuing bank, over the transaction data. However, the freshness of that cryptogram depends on the merchant's point-of-sale terminal, or the ATM, supplying a nonce, the 'unpredictable number', that must differ unpredictably from one transaction to the next. A cryptogram computed for a given unpredictable number is valid only for a transaction that presents that same number.

Ross Anderson, one of the paper's authors, told ZDNet on Wednesday that this number should ideally be generated by the banks themselves, but was instead down to the merchant terminals or ATMs due to a willingness to "cut corners" during the EMV protocol's design stage, more than a decade ago.

The problem lies in how random the generated number actually is. In about half of the ATMs and merchant terminals the academics examined, the numbers came from counters or timestamps, neither of which is random and both of which are therefore predictable, or from poorly conceived, home-brewed algorithms.
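The weaknesses named above can be spotted from a sample of unpredictable numbers recovered from one terminal. The checks below are an added example written for this page, not code from the paper or from any terminal vendor; the UN samples are constructed for illustration, not taken from real terminal logs, and the "stuck bits" threshold is an assumption that would be tuned to the size of a real sample.

```python
"""Heuristics for spotting weak 'unpredictable number' (UN) generators from a
sample of UNs recovered from a single terminal: counters, timestamps and
stuck bits. Constructed example, not code from the paper or from any vendor."""
from typing import List, Optional

UN_BITS = 32  # EMV UNs are 4 bytes


def parse_uns(hex_uns: List[str]) -> List[int]:
    """UNs as they would appear in a terminal log: 8 hex digits each."""
    return [int(h, 16) for h in hex_uns]


def stuck_bits(values: List[int]) -> int:
    """Number of bit positions that never change across the sample.
    A CSPRNG should show almost none once the sample has more than a few values."""
    mask = (1 << UN_BITS) - 1
    or_all, and_all = 0, mask
    for v in values:
        or_all |= v
        and_all &= v
    always_zero = ~or_all & mask
    always_one = and_all
    return bin(always_zero | always_one).count("1")


def looks_like_counter(values: List[int]) -> bool:
    """Every successive pair differs by the same non-zero step."""
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and steps != {0}


def looks_like_timestamp(values: List[int], seconds: List[int], tolerance: int = 2) -> bool:
    """UN grows by (roughly) the wall-clock seconds elapsed between transactions."""
    for (a, b), (ta, tb) in zip(zip(values, values[1:]), zip(seconds, seconds[1:])):
        if abs((b - a) - (tb - ta)) > tolerance:
            return False
    return len(values) > 1


def assess(hex_uns: List[str], seconds: Optional[List[int]] = None) -> str:
    """Classify a terminal's UN source from a sample. `seconds` are the
    transaction times (seconds since the first one), if known."""
    values = parse_uns(hex_uns)
    if looks_like_counter(values):
        return "counter"
    if seconds is not None and looks_like_timestamp(values, seconds):
        return "timestamp"
    if stuck_bits(values) >= 8:  # assumed threshold; a handful of stuck bits is normal in tiny samples
        return "low-entropy"
    return "no obvious pattern"


# Constructed samples, not real terminal data.
COUNTER_TERMINAL = ["0000A1F0", "0000A1F1", "0000A1F2", "0000A1F3", "0000A1F4"]
CLOCK_TERMINAL = ["4FED5A00", "4FED5A25", "4FED5A5F", "4FED5AA0", "4FED5AD4"]
CLOCK_SECONDS = [0, 37, 95, 160, 212]  # seconds since the first transaction
HALF_FIXED_TERMINAL = ["3F7E12A4", "3F7E9B30", "3F7E5C7D", "3F7EE019", "3F7E26C8", "3F7E84F2"]
GOOD_TERMINAL = ["9F3A6C21", "0B7D4E95", "E1C0A8F3", "4A96D15E", "7E2B3C08", "D50F9AB7"]

if __name__ == "__main__":
    print("counter terminal:   ", assess(COUNTER_TERMINAL))
    print("clock terminal:     ", assess(CLOCK_TERMINAL, CLOCK_SECONDS))
    print("half-fixed terminal:", assess(HALF_FIXED_TERMINAL), stuck_bits(parse_uns(HALF_FIXED_TERMINAL)), "stuck bits")
    print("good terminal:      ", assess(GOOD_TERMINAL))
```

The counter and timestamp checks need the UNs in transaction order; the stuck-bit count does not. A terminal whose UN passes all three tests is not thereby proven sound (a linear congruential generator, for instance, would pass), which is why the researchers argue the nonce should not be left to the terminal at all.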

"If you can predict [the number], you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location. You can as good as clone the chip," researcher Mike Bond wrote in a blog post.
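A toy simulation of the pre-play attack Bond describes, added here as an illustration; it is not code from the paper, the card schemes or any bank. It assumes HMAC-SHA256 as a stand-in for the card's 3DES-based application cryptogram, a cryptogram input reduced to amount, transaction counter (ATC) and unpredictable number, and an attacker who has seen one earlier UN from a counter-based terminal. The amount and key material are constructed.

```python
"""Pre-play attack on a predictable terminal UN: genuine cryptograms are
harvested during momentary access to the card and replayed later.
Constructed example, not code from the paper or from any card scheme."""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Iterator, List, Tuple

AMOUNT = 50_00  # 50.00 in minor units; constructed

Harvest = Dict[bytes, Tuple[int, bytes]]  # UN -> (ATC, cryptogram)


class Card:
    """Genuine chip: secret key plus a monotonically increasing ATC."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.atc = 0

    def generate_arqc(self, amount: int, un: bytes) -> Tuple[int, bytes]:
        # Stand-in for the EMV ARQC: MAC over (amount, ATC, UN).
        self.atc += 1
        msg = struct.pack(">QH", amount, self.atc) + un
        return self.atc, hmac.new(self.key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Bank host: recomputes the cryptogram with its copy of the card key."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_atc = 0

    def authorise(self, amount: int, atc: int, un: bytes, arqc: bytes) -> bool:
        msg = struct.pack(">QH", amount, atc) + un
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, arqc):
            return False
        if atc <= self.last_atc:  # a straight replay of an old cryptogram
            return False
        self.last_atc = atc
        return True


def counter_un(start: int) -> Iterator[bytes]:
    """Weak terminal: the UN is a counter, so one observed value predicts the rest."""
    n = start
    while True:
        n += 1
        yield struct.pack(">I", n)


def random_un() -> Iterator[bytes]:
    """Correct terminal: the UN comes from a CSPRNG."""
    while True:
        yield secrets.token_bytes(4)


def genuine_transaction(card: Card, issuer: Issuer, terminal: Iterator[bytes], amount: int) -> bool:
    un = next(terminal)
    atc, arqc = card.generate_arqc(amount, un)
    return issuer.authorise(amount, atc, un, arqc)


def skim(card: Card, predicted_uns: List[bytes], amount: int) -> Harvest:
    """Momentary access to the victim's card (e.g. via a tampered terminal): one
    cryptogram per predicted UN. These are genuine, so no MAC check rejects them."""
    return {un: card.generate_arqc(amount, un) for un in predicted_uns}


def cash_out(issuer: Issuer, terminal: Iterator[bytes], harvested: Harvest, amount: int) -> bool:
    """Later, with a fake card: if the terminal's UN was predicted, answer with
    the pre-recorded cryptogram; the fake card cannot compute one itself."""
    un = next(terminal)
    if un not in harvested:
        return False
    atc, arqc = harvested[un]
    return issuer.authorise(amount, atc, un, arqc)


def run_scenario(weak_terminal: bool, window: int = 8) -> bool:
    key = secrets.token_bytes(16)
    card, issuer = Card(key), Issuer(key)
    if weak_terminal:
        terminal = counter_un(start=0x1000)
        seen = int.from_bytes(next(terminal), "big")  # one UN seen earlier, e.g. on a receipt
        predicted = [struct.pack(">I", seen + i) for i in range(1, window + 1)]
    else:
        terminal = random_un()
        next(terminal)
        predicted = [secrets.token_bytes(4) for _ in range(window)]  # blind guesses
    harvested = skim(card, predicted, AMOUNT)
    return cash_out(issuer, terminal, harvested, AMOUNT)


if __name__ == "__main__":
    print("counter UN, pre-play accepted:", run_scenario(weak_terminal=True))
    print("random UN,  pre-play accepted:", run_scenario(weak_terminal=False))
```

Both the MAC check and the ATC check at the issuer pass in the weak case, because the harvested cryptograms really were computed by the victim's card; only the unpredictability of the UN stands between the attacker and a successful replay. In this toy the pre-play cryptograms stop working once the genuine card is used again (the issuer's last-seen ATC moves past them), which is the kind of counter-gap evidence the issuer could look for after the fact, but it does not prevent the fraud.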

According to Anderson, the flaw could be exploited by sending a crooked former BT engineer down a manhole next to a jewellers in order to manipulate the communications between the merchant terminal and the bank, but a far more realistic proposal would be to infect the merchant terminal with malware.

"We already have reports of big banking botnets checking to see if the PC they've infected is working in a merchant system," Anderson said. "They do this to steal credit card numbers — it's an established modus operandi.

"If you've got a botnet of a million infected machines, of which 500 are merchant terminals, you can have a more sophisticated exploit path. You could capture transactions at high volume and cash out at high-value places."

Industry response

The researchers disclosed their findings to the UK banks at the start of the year, and Anderson said he believed the banks were testing better random number generators and potential improvements to point-of-sale systems.

However, Mark Bowerman, a spokesperson for the UK Payments Administration, suggested to ZDNet that the exploit methodology was too complex to be widely used.

"It sounds plausible although highly technical and convoluted, so the attractiveness to the fraudsters is questionable from that perspective," Bowerman said. "Today there is absolutely no evidence this has happened or is happening in the UK."

Indeed, the paper highlights cases in Spain, Poland, the Baltics and Belgium, but not in Britain. Nonetheless, Anderson said the "fact that such attacks have been seen in more than one European country suggests there's some kind of crimeware that will support this type of attack".

Customer refunds

Anderson also suggested that UK banks were much less likely than those in, for example, the Netherlands, to refund customers who had been ripped off in this way.

He said the UK had inadequately implemented the EU Payment Services Directive, relying on a Financial Services Ombudsman that "doesn't understand technical evidence at all".

The researcher also said that banks faced with fraud claims of this kind should compare the issuing bank reference with the merchant reference to detect potential manipulations, but do not.

UK Payments' Bowerman retorted that "the overwhelming majority of people who are innocent victims of card fraud get their money back in full from the bank".

"If the numbers were as significant as Professor Anderson was claiming, then there'd be a huge public outcry over it," Bowerman said. "If banks were routinely rejecting victims simply by saying the correct PIN or genuine card was used, then we'd agree with him, but we don't believe it's happening at all in the numbers that he claims."

David Meyer

About David Meyer

David Meyer is a freelance technology journalist. He fell into journalism when he realised his musical career wouldn't pay the bills. David's main focus is on communications, as well as internet technologies, regulation and mobile devices.

Talkback

10 comments
  • I'm surprised

    Even some viruses these days are amazingly complex, obviously not written by script kiddies. I am surprised they are calling this issue "unattractive to fraudsters". I mean really, once they iron it out, they are all set. I'm sure there are quite a few people that will go through the trouble to pull it off to make some dough. And the ignorance of the higher-ups is going to allow them to do so.
    daves@...
  • Head in the sand

    "...the flaw could be exploited by sending a crooked former BT engineer down a manhole next to a jewellers in order to manipulate the communications between the merchant terminal and the bank, but a far more realistic ..."

    Most BT employees are neither well paid nor so impressed by their employers as to be incorruptible. I'm not suggesting BT staff are any worse than in other organisations but let's be realistic, everyone has their price and if you are badly paid and in debt, a few thousand in 'inducement' looks very attractive.

    Organisations will spend fortunes providing secure premises with biometric access restrictions and then give local and/or remote access to people who are paid little more than minimum wage. Thousands of *low paid* UK civil servants have access to individuals' tax information, health records, vehicle details and more. Most, I suspect the overwhelming majority, are good honest folk but it only takes *one* person to be corrupt or careless and the security of millions is blown. There is much focus on physical and software security; there is little given to human security. As for vetting, lie detectors, etc. - how many of the world's security services have been betrayed by their own, thoroughly checked employees?

    Get real - just about nothing involving people is secure. If not for the money, how many people will resist the coercion of threats of harm to themselves or family?
    SheridanH
  • We see this over and over and over.

    >>> due to a willingness to "cut corners" during the EMV protocol's design stage, more than a decade ago.

    Taking a shortcut using 2 digits for the year caused millions and millions of dollars to be spent to ensure no Y2K failures, to things like this that put billions of cards at risk. Doesn't anyone think further ahead than getting one project done so they can jump to the next? Don't managers/project managers think beyond their immediate metrics for getting a project done?

    >> should compare the issuing bank reference with the merchant reference to detect potential manipulations

    Good tip to know in case you have a problem.
    wingnut1024
  • Merchants??

    Does no one ever think that the merchant could co-operate with the fraudster.

    Like allow them to put a little malware on their device, or tap into their wireless network, and the card details will just flow out.

    Funny how the banks seem happy to blame their customers for giving up their own data, but not the merchants.
    dafyddtaylor
  • As Bruce Schneier Has Said...

    Attacks can only get better, they never get worse.
    ldo17
  • Don't trust the UK banking system anyway.

    These are the tools that ripped old people off, and sold insurance to people who couldn't use it or need it.

    They went to court to defend both of those practices and lost both cases.

    And what kind of excuse is "not enough people are complaining for the media to pick up on it" anyway?
    Bozzer
  • Article is scaremongering - MagSwipe is the elephant in the room

    The article is scaremongering - as the Chip and PIN organisation have said, nothing is 100% secure. The flaw is a theoretical one, and takes some convoluted effort with bespoke IT kit to exploit and cannot really be done at any point of sale.

    Regardless of a few minor flaws, Chip and PIN is still a million times better than Mag Swipe which is still in use in many places around the world and remains easy to skim numbers and clone cards.

    Eliminating MagSwipe would provide a much better benefit to end users.
    neil.postlethwaite
    • Hacked

      I may share or sell the How to's. Dunno yet
      Tom Ripley
  • You should be worried

    Not necessarily by the potential risk as much as by this attitude "However, Mark Bowerman, a spokesperson for the UK Payments Administration, suggested to ZDNet that the exploit methodology was too complex to be widely used." So because they think it's too much bother they're happy to let the risk hang ... it's this kind of underestimation of reality that means you should worry about what else they've left hanging.
    Pastabake
  • EMV Reader Writer Software

    We are in 2014, guys! We can find everything new we want, like this EMV reader/writer software that I found in one click on Google: http://www.emv-global-solution.com/product/emv-readerwriter-v8/
    RichardMar