Chip and PIN is broken, say researchers

A flaw in the protocol underlying chip-and-PIN transactions allows an attacker to push through a purchase without a valid PIN

Chip-and-PIN readers can be tricked into accepting transactions without a valid personal identification number, opening the door to fraud, researchers have found.

Researchers at Cambridge University have found a fundamental flaw in the EMV — Europay, MasterCard, Visa — protocol that underlies chip-and-PIN validation for debit and credit cards.

As a consequence, a device placed between a card and a point-of-sale terminal can intercept and modify their communications and fool the terminal into believing that a PIN verification has succeeded.

"Chip and PIN is fundamentally broken," Professor Ross Anderson of Cambridge University told ZDNet UK. "Banks and merchants rely on the words 'Verified by PIN' on receipts, but they don't mean anything."

The researchers conducted an attack that succeeded in tricking a card reader into authenticating a transaction, even though no valid PIN was entered. In a later test, they managed to authenticate transactions, without the correct PIN, with valid cards from six different card issuers. Those issuers were Barclaycard, Co-operative Bank, Halifax, Bank of Scotland, HSBC and John Lewis.

The central problem with the EMV protocol is that it allows the card and the terminal to produce inconsistent records of how the cardholder was verified, and the bank accepts the transaction without checking the two records against each other.

In particular, the terminal records that a PIN verification has taken place, while the card, which never saw the PIN, records that no PIN was verified. Neither side checks the other's record, the terminal's authorisation is accepted by the bank, and the transaction goes ahead.

This means that while a PIN must be entered, any PIN code would be accepted by the terminal, the researchers said in a paper entitled Chip and PIN is Broken.

The researchers said the engineering and programming skills necessary to make a man-in-the-middle device to conduct the attack are elementary.

"The attack doesn't require too much technical skill [to emulate]," said Steven Murdoch, who took part in the Cambridge University research, alongside Anderson and Saar Drimer.

Behind the attack
The attack targets the way the various security mechanisms interact in the cardholder verification process. In this process, the chip in the card and the terminal negotiate how the cardholder is to be verified. The cards examined by the researchers all recognised the following cardholder verification methods, in descending order of preference: PIN verification; signature verification; and no verification.

The majority of transactions require PIN verification. The customer enters their number on a PIN entry device. The PIN is then sent to the card, which compares it to the PIN it stores on its chip. If the PIN is correct, the card returns the status word 0x9000 (the ISO 7816 code for success) to the terminal, which then completes the transaction.

The researchers succeeded in building a man-in-the-middle device that sits between a card and the terminal and, at the appropriate point in the verification process, answers the terminal with the 0x9000 status word itself, regardless of the PIN that has been entered.

As a demonstration, the researchers inserted a genuine card into a standard smartcard reader from Alcor Micro, which was connected to a laptop running a Python script. The laptop was connected to an FPGA board via a serial link. The FPGA board the researchers used was a Spartan-3E Starter Kit, which was used to convert the interfaces for the card and PC.

The FPGA board was connected to a Maxim 1740 interface chip, which was linked via thin wires to a fake card, used for insertion in the terminal.

Once the fake card was inserted, the Python script running on the laptop relayed the transaction between the terminal and the genuine card, suppressed the VERIFY (PIN check) command issued by the terminal, and responded to the terminal with the 0x9000 code itself.
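The exchange described above, modelled in Python as an added example. This is not the researchers' relay script and does not talk to real hardware: the instruction bytes follow ISO 7816-4 / EMV (VERIFY is INS 0x20, GENERATE AC is INS 0xAE, success is status word 0x9000), but the card's cryptogram (an HMAC here), the layout of the card and terminal records, the issuer key and the PIN are all stand-ins constructed for the example. The `NoPinMitm` class plays the role of the wedge: it swallows VERIFY, answers 0x9000, and relays everything else. The `Issuer` class is run twice, once trusting the terminal's "PIN verified" flag as the article says banks did, and once cross-checking it against the card's own record, which is the check that closes the gap the article describes.

```python
"""Simulation of the 'no-PIN' man-in-the-middle attack on EMV cardholder verification.

Added example, not the researchers' code. INS bytes and the 0x9000 status word
follow ISO 7816-4 / EMV; the cryptogram (HMAC), record layouts, key and PIN are
simplified stand-ins constructed for this example.
"""
import hashlib
import hmac

SW_OK = 0x9000              # ISO 7816 status word: command succeeded
SW_PIN_WRONG = 0x63C2       # 0x63Cx: verification failed, x retries left (x = 2 chosen here)
SW_INS_UNSUPPORTED = 0x6D00
INS_VERIFY = 0x20
INS_GENERATE_AC = 0xAE


class Card:
    """Genuine card: compares the PIN against the one it stores and MACs its own
    account of the transaction, including whether it verified a PIN."""

    def __init__(self, pin, issuer_key):
        self.pin = pin
        self.issuer_key = issuer_key
        self.pin_verified = False   # card-side record (stand-in for the CVR in the card's IAD)

    def process(self, ins, data):
        if ins == INS_VERIFY:
            if hmac.compare_digest(data, self.pin.encode()):
                self.pin_verified = True
                return b"", SW_OK
            return b"", SW_PIN_WRONG
        if ins == INS_GENERATE_AC:
            cvr = b"PIN" if self.pin_verified else b"NOPIN"
            mac = hmac.new(self.issuer_key, data + cvr, hashlib.sha256).digest()[:8]
            return cvr + b"|" + mac, SW_OK
        return b"", SW_INS_UNSUPPORTED


class NoPinMitm:
    """Wedge between terminal and card: swallows VERIFY and answers 0x9000 itself,
    relays every other command to the real card unchanged."""

    def __init__(self, card):
        self.card = card
        self.suppressed = 0

    def process(self, ins, data):
        if ins == INS_VERIFY:
            self.suppressed += 1
            return b"", SW_OK       # forged "PIN correct"; the card never sees the PIN
        return self.card.process(ins, data)


class Terminal:
    """Marks 'PIN verified' purely on the status word it receives, then asks the
    card for its cryptogram and ships both records to the issuer."""

    def transact(self, card, amount, entered_pin):
        _, sw = card.process(INS_VERIFY, entered_pin.encode())
        if sw != SW_OK:
            return None                      # terminal declines: PIN rejected
        tx_data = b"amount=%d" % amount
        record, sw = card.process(INS_GENERATE_AC, tx_data)
        if sw != SW_OK:
            return None
        # Terminal-side record: CVM Results say "PIN verified"
        return {"tx_data": tx_data, "terminal_pin_verified": True, "card_record": record}


class Issuer:
    """Bank host. With check_consistency=False it validates the cryptogram and
    trusts the terminal's 'Verified by PIN'; with True it cross-checks the card."""

    def __init__(self, key, check_consistency):
        self.key = key
        self.check_consistency = check_consistency

    def authorise(self, req):
        cvr, mac = req["card_record"].split(b"|", 1)
        expected = hmac.new(self.key, req["tx_data"] + cvr, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(mac, expected):
            return "DECLINED: bad cryptogram"
        if self.check_consistency and req["terminal_pin_verified"] and cvr != b"PIN":
            return "DECLINED: terminal says PIN verified, card says no PIN was verified"
        return "APPROVED"


def run(entered_pin, use_mitm, check_consistency, real_pin="4321", amount=1999):
    """Run one purchase; returns (issuer decision, card's own pin_verified flag)."""
    key = b"constructed-issuer-master-key"   # constructed for the example
    card = Card(real_pin, key)
    target = NoPinMitm(card) if use_mitm else card
    req = Terminal().transact(target, amount, entered_pin)
    if req is None:
        return "DECLINED at terminal", card.pin_verified
    return Issuer(key, check_consistency).authorise(req), card.pin_verified


if __name__ == "__main__":
    print("honest, right PIN:       ", run("4321", False, False))
    print("honest, wrong PIN:       ", run("0000", False, False))
    print("MITM, wrong PIN, trusting:", run("0000", True, False))
    print("MITM, wrong PIN, checked: ", run("0000", True, True))
```

The third run is the attack: the entered PIN is wrong, the card's own record still says no PIN was verified, and the cryptogram is genuine, yet the trusting issuer approves because it only looks at the terminal's flag. The fourth run shows that the same transaction is declined as soon as the issuer compares the terminal's "PIN verified" claim with what the card itself reported.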

The researchers said that attackers could carry similar kit in a backpack, with the wires trailing down a sleeve, for use with a stolen valid card.

Consumer liability
Anderson noted that in disputed transactions, if the transaction has been verified by PIN, the liability for the loss rests on the consumer rather than on the bank or merchant.

The UK Payments Administration, which represents the interests of payments-card companies, said that the overwhelming majority of point-of-sale card transactions in the UK — over 90 percent — are conducted via chip and PIN. In 2008, UK debit, credit and charge cards were used to make 7.4 billion purchases worth a total of £380bn, but this includes all types of card transactions, the organisation said.

Mark Bowerman, spokesman for UK Payments Administration, acknowledged the Cambridge researchers' paper, but rejected their conclusions.

"We are taking this paper very seriously, as maintaining excellent levels of card security is paramount," he said. "However, we strongly refute the allegation that chip and PIN is broken."

There is no evidence that the type of attack outlined in the Cambridge paper is happening in UK shops, Bowerman noted. He added that the research will help the UK Payments Administration map out the direction criminals may move in.

Chip-and-PIN authentication has contributed to significant reductions in card-based scams, Bowerman said. "Last year, we announced that card fraud had dropped, and we are expecting next month's release of the full 2009 figures to follow this trend," he said. "Existing security practices are clearly working."