Security researchers from Cambridge University have discovered a way to attack chip and PIN cards--and warn no cardholders are safe from the exploit.
Since the introduction of mandatory chip and PIN cards in the United Kingdom, banks have increasingly turned down fraud victims claiming compensation on the grounds that such chip-embedded smartcards cannot be cloned.
Chip and PIN has been heralded as the way forward for card security, with Westpac recently issuing them to customers, and with more banks set to roll out the cards once compatible terminals become more widely deployed in Australia.
However, Cambridge PhD students and security researchers, Steven J. Murdoch and Saar Drimer, showed at a recent conference in Germany that the cards do not need to be cloned to be compromised--a situation that has ruffled the feathers of banks, which rely on the U.K.'s Banking Code of Practice to deny compensation claims if the fraud victim has been deemed to have compromised the security of their card.
The ability to reject such claims relies on the presumption that cloning is the only manner in which fraud can occur on the smartcard, which, according to U.K. banks, is simply impossible.
"The banks have made grand claims of security [about chip and PIN]. It was said to be a safer way to pay but when you speak to the banks as a victim of fraud, they say there is no way to clone the chip and PIN card," said Murdoch.
"What I'm going to show is that you don't need to clone it in order to attack the system," he said.
By first tampering with a chip and PIN terminal, Murdoch uses a "relay attack" to capture authentication information sent from a merchant's point of sale terminal to the bank.
The attack requires the involvement of at least two people for it to work, and once the information is obtained, the fraudulent transaction must occur within the time that the legitimate cardholder's card is being read by the terminal.
While cloning is impossible, as banks have claimed, Murdoch shows how cardholder authentication can be spied on via the compromised terminal and then the details transmitted over Bluetooth, GPRS or GSM networks to another person who then completes a fraudulent transaction.
"Because the card knows a secret, I have no way of cloning that. But I can ask questions just like a terminal can ask [the card] questions. When I get the answer, I simply pass it on. I get an answer from a real card and pass it to a real terminal," Murdoch explained.
The analogy he uses is a chess game against a chess grand master conducted on a computer.
"There's no way I could beat a chess master. But one way to do this is by challenging two grandmasters and playing them simultaneously. So when one makes a move, I apply that move to the other game. At worst, I will draw, but I will play a good game and I will win against at least one of them," he said.
Although Murdoch alerted the banks to this possible exploit a few years ago, he says the idea was dismissed as a joke.
"The banks' general response to this, and, in fact, to everything we do, was that the people from Cambridge are very smart and we find it very amusing but these are lab conditions and it's not going to work in the real world," said Murdoch.
A possible café scenario
The example used by Murdoch occurs in a café and a bookstore located a few meters away, and begins when an unsuspecting victim pays for his coffee using his chip and PIN card.
For the scam to work, Murdoch admits it requires an insider to tamper with the payment terminal. "There have been plenty of frauds where that has happened. For example, a waiter could do this," he said.
With the right equipment, the victims' details could be gathered and sent over wireless networks to a co-conspirator nearby, who makes a transaction using those details while the victim is making a transaction of their own. "In [our example], the two shops were one door away from each other. That worked pretty well but you could do with GPRS or GSM and send to the other side of the world," Murdoch explained.
Can the attack be prevented?
Murdoch offers four suggestions to remedy this vulnerability: make the terminal tamper-resistant, physically examine the card to check for wires which can indicate this type of fraud is being carried out, ensure that the numbers embossed on the card match the receipt, or finally, impose timing constraints on the authentication as, for the attack to work, the fraudulent transaction must occur during the time in which the legitimate transaction is happening.
"That is, making sure that the real card responds [to the terminal] within a certain time period. This is good start because no information can travel faster than the speed of light. And if you can measure the distance between the real card and real terminal, if this is more than a few centimeters, then something is wrong," he said.
According to his and Drimer's research, the authentication process under the chip and PIN authentication protocol can take up to three seconds to complete.
"This is huge. [At the speed of light] you can go round earth three times and to the moon but you can't quite get to Mars, so Martian smartcards are safe," he said.
"It's not even possible with existing smartcard protocol to reduce the timing requirement to a sufficiently low level that this attack doesn't work," he said.
The problem can however be fixed by what the scientists call a "distance bounding protocol" which uses a smaller and faster "one bit challenge and a one bit response".
The proposed protocol works by the bank sending a single bit challenge to a legitimate card to unlock the encryption key which both parties have.
"The response that comes back can only be given by real card," explained Murdoch. "So even in a relay attack the right data will come back but it will be too slow."