Chip-and-PIN flaw blamed for cloned bank cards

Cambridge security researchers have discovered serious problems with how ATMs authenticate transactions, though an industry group has shrugged off the method as too complex for scammers to use.
Written by David Meyer, Contributor

Security researchers say they have found a vulnerability in the ubiquitous chip-and-PIN system that could effectively allow bank cards to be cloned.

In a paper (PDF) presented to a cryptography conference in Belgium on Tuesday, the University of Cambridge researchers said the flaw undermined banks' claims that the chip-and-PIN or 'EMV' system was prohibitively expensive to clone.


"We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit," the researchers said in the paper's abstract.

The researchers said their work began after hearing of the case of a Mr Gambin, "a Maltese customer of HSBC who was refused a refund for a series of transactions that were billed to his card and which HSBC claimed must have been made with his card and PIN at an ATM in Palma, Majorca on the 29 June 2011".


The chip in an EMV card is there to execute an authentication protocol, and is itself very difficult to clone. However, the authentication process also relies on the merchant's point-of-sale kit, or an ATM, generating a completely random number to prove the uniqueness of the transaction.

Ross Anderson, one of the paper's authors, told ZDNet on Wednesday that this number should ideally be generated by the banks themselves, but was instead down to the merchant terminals or ATMs due to a willingness to "cut corners" during the EMV protocol's design stage, more than a decade ago.

The problem has to do with the actual randomness of the generated number. In half the ATMs and merchant terminals the academics studied, the numbers came from counters or timestamps — neither of which produces any randomness, so the values are predictable — or from poorly conceived, home-brewed algorithms.

"If you can predict [the number], you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location. You can as good as clone the chip," researcher Mike Bond wrote in a blog post.
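As an added illustration of the weakness described above (this is example code written for this article, not code from the Cambridge paper or from any EMV implementation), the following Python script applies the kind of sanity check a bank or terminal vendor could run over unpredictable numbers logged from one terminal. It takes a chronological list of 32-bit UNs and reports the generator patterns the researchers found: a plain counter, a clock read at each transaction, a generator that leaves many bits fixed, or outright repeats. All sample sequences and thresholds below are constructed for the example.

```python
"""Sanity-check a terminal's EMV "unpredictable numbers" (UNs) for obvious
predictability. Added example, not from the paper or any EMV stack. Sample
UN sequences and the thresholds are constructed assumptions for illustration."""

from collections import Counter

UN_BITS = 32                      # an EMV unpredictable number is 4 bytes wide
UN_MASK = (1 << UN_BITS) - 1


def fixed_bits(uns):
    """Count bit positions that hold the same value in every UN in the list.

    A good generator should leave (almost) no bit fixed across many samples;
    a home-brewed generator often varies only a few low bits.
    """
    all_and = UN_MASK      # bits that are 1 in every value
    all_or = 0             # bits that are 1 in at least one value
    for u in uns:
        all_and &= u
        all_or |= u
    # fixed at 1 -> set in all_and; fixed at 0 -> clear in all_or
    fixed = all_and | (~all_or & UN_MASK)
    return bin(fixed).count("1")


def classify_un_sequence(uns, timestamp_gap=3600, max_fixed_bits=8):
    """Classify a chronological UN sequence from a single terminal.

    Returns (verdict, evidence). Verdicts: 'repeating', 'counter',
    'timestamp-like', 'low-entropy', 'no-obvious-pattern'.
    timestamp_gap (seconds) and max_fixed_bits are assumed thresholds for this
    example, not EMV requirements. A verdict of 'no-obvious-pattern' is not
    proof of randomness; it only means these cheap checks found nothing.
    """
    if len(uns) < 4:
        raise ValueError("need at least four UNs to say anything useful")
    if any(not 0 <= u <= UN_MASK for u in uns):
        raise ValueError("UNs must be unsigned 32-bit values")

    dupes = [u for u, n in Counter(uns).items() if n > 1]
    if dupes:
        # the same UN reused means a recorded response can be replayed verbatim
        return "repeating", {"duplicates": sorted(dupes)}

    deltas = [b - a for a, b in zip(uns, uns[1:])]
    if deltas[0] != 0 and all(d == deltas[0] for d in deltas):
        return "counter", {"step": deltas[0]}

    # strictly increasing with small positive gaps: a clock read per transaction
    if all(0 < d <= timestamp_gap for d in deltas):
        return "timestamp-like", {"max_gap": max(deltas)}

    nfixed = fixed_bits(uns)
    if nfixed >= max_fixed_bits:
        return "low-entropy", {"fixed_bits": nfixed}

    return "no-obvious-pattern", {"fixed_bits": nfixed}


# Constructed sample logs (not real terminal data).
COUNTER_UNS = [0x00000100 + i for i in range(8)]
TIMESTAMP_UNS = [1340960400 + g for g in (0, 35, 71, 120, 300, 301, 1800)]
LOW_ENTROPY_UNS = [0x12340000 | x for x in (0x1234, 0x9ABC, 0x0F0F, 0x5555, 0x00FF, 0xF00F)]
RANDOM_LOOKING_UNS = [0x9F3A1C77, 0x0B4E99D2, 0xE6120A5C, 0x53C8F0B1, 0x2A7D6E03, 0xC4015BF8]


if __name__ == "__main__":
    for name, seq in (("counter", COUNTER_UNS), ("timestamp", TIMESTAMP_UNS),
                      ("low-entropy", LOW_ENTROPY_UNS), ("random-looking", RANDOM_LOOKING_UNS)):
        verdict, evidence = classify_un_sequence(seq)
        print(f"{name:15s} -> {verdict:18s} {evidence}")
```

The checks are deliberately cheap: they catch the counter and timestamp generators the article mentions and the "only a few bits ever change" shape of a home-brewed algorithm, which is what a bank testing its fleet's random number generators would want to spot first. Passing them says nothing about cryptographic quality; that needs a proper statistical test suite over far more samples.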

According to Anderson, the flaw could be exploited by sending a crooked former BT engineer down a manhole next to a jewellers in order to manipulate the communications between the merchant terminal and the bank, but a far more realistic proposal would be to infect the merchant terminal with malware.

"We already have reports of big banking botnets checking to see if the PC they've infected is working in a merchant system," Anderson said. "They do this to steal credit card numbers — it's an established modus operandi.

"If you've got a botnet of a million infected machines, of which 500 are merchant terminals, you can have a more sophisticated exploit path. You could capture transactions at high volume and cash out at high-value places."

Industry response

The researchers disclosed their findings to the UK banks at the start of the year, and Anderson said he believed the banks were testing better random number generators and potential improvements to point-of-sale systems.


However, Mark Bowerman, a spokesperson for the UK Payments Administration, suggested to ZDNet that the exploit methodology was too complex to be widely used.

"It sounds plausible although highly technical and convoluted, so the attractiveness to the fraudsters is questionable from that perspective," Bowerman said. "Today there is absolutely no evidence this has happened or is happening in the UK."

Indeed, the paper highlights cases in Spain, Poland, the Baltics and Belgium, but not in Britain. Nonetheless, Anderson said the "fact that such attacks have been seen in more than one European country suggests there's some kind of crimeware that will support this type of attack".

Customer refunds

Anderson also suggested that UK banks were much less likely than those in, for example, the Netherlands, to refund customers who had been ripped off in this way.

He said the UK had inadequately implemented the EU Payment Services Directive, relying on a Financial Services Ombudsman that "doesn't understand technical evidence at all".

The researcher also said that banks faced with fraud claims of this kind should compare the issuing bank reference with the merchant reference to detect potential manipulations, but do not.

UK Payments' Bowerman retorted that "the overwhelming majority of people who are innocent victims of card fraud get their money back in full from the bank".

"If the numbers were as significant as Professor Anderson was claiming, then there'd be a huge public outcry over it," Bowerman said. "If banks were routinely rejecting victims simply by saying the correct PIN or genuine card was used, then we'd agree with him, but we don't believe it's happening at all in the numbers that he claims."
