U.K. researchers devise smart-card hack

Saar Drimer and Steven Murdoch, members of the Cambridge University Computer Laboratory, demonstrated last month how they could modify a supposedly tamper-proof chip-and-PIN payment terminal to play Tetris.

They have now extended the hack to demonstrate how they can compromise the system by relaying card information between a genuine card and a fake one.

Chip and PIN, a government-backed initiative introduced last year in England, is a security measure in which customers must enter a four-digit code when they use a credit or debit card for face-to-face transactions. The measure replaces the magnetic strip with a chip and the use of a four-digit PIN. The card is placed in a device that authenticates the chip, and then a PIN is entered. Chip and PIN uses the EMV standard for smart cards. Similar but incompatible EMV systems are in use in other countries as well.

The Cambridge researchers argue that the system is not as secure as the banking industry claims.

"Chip and PIN currently does not defend against this attack, despite assertions from the banking community that customers must be liable for frauds in which the PIN was used," the researchers said in an as-yet-unpublished paper.

"When customers pay with a chip and PIN card, they have no choice but to trust the terminal when it displays the amount of the transaction. The terminal, however, could be replaced with a malicious one, without showing any outward traces," the researchers warned in their paper.

Details of the prototype attack were released Monday. In it, Drimer and Murdoch demonstrate how a chip and PIN system could be compromised to steal diamonds.

How the scam works
In the scenario, a customer attempts to pay a restaurant bill. He enters the card details into a terminal that looks real, but has actually been tampered with. It is not connected to a bank, but instead to a laptop in the restaurant.

The terminal is completely under the control of a criminal, who has modified the hardware to relay the card information to an accomplice's laptop, for example, in a jewelry shop across town. The accomplice's laptop can receive the information relayed from the legitimate card in the restaurant, and is connected to a modified bank card.

In the prototype system built by Drimer and Murdoch, the chip has been removed from the modified card, and wires to the card run up the sleeve of an attacker and connect to the laptop in a backpack. Such a setup could arouse suspicion, but the researchers believe it is possible to make the card more difficult to detect by using an RFID chip that could communicate wirelessly with the laptop.

The laptop is linked to the other laptop back in the restaurant by a GSM connection. Wi-Fi could potentially be used instead, the researchers said.

The victim places his card into the modified terminal and enters the PIN, and the criminal texts the accomplice at a jeweler's shop to start the heist. The accomplice enters the fake card into the jeweler's terminal. All transactions from the jeweler's terminal are relayed via the fake card, laptops and fake terminal to the legitimate card.

This links the jeweler's terminal to the victim's bank. As the criminal controls the terminal in the restaurant, he or she can make it display that the victim will pay $40, when in reality the victim is being charged $4,000 at the jeweler's for a diamond ring.

During this relay attack the criminal doesn't need to hack into any systems or run any decryption because data is simply being relayed from one terminal to another.

The researchers were unwilling to reveal too much of the technology behind the attack because they don't want their methods falling into the wrong hands. But they did say that they used a Field Programmable Gate Array--a semiconductor device containing programmable logic components and programmable interconnects--in the fake card.

Drimer claimed the fraud would be difficult for police to trace, as victims might only notice once they received a bank statement. They would need to remember where they were when the fraud occurred, as the transaction would show from the jewelry shop, not the restaurant.

"A criminal could have a fast turnaround from this type of attack--most likely it would not be detected," said Drimer.

Finding a fix
This kind of attack could be difficult to execute in practice. One problem is that the victim's card must remain inside the fake terminal for the duration of the transaction. Also, the accomplice cannot begin the transaction until the victim's card is being processed, which could arouse suspicion.

The researchers have developed methods to counteract this type of attack. They said that the most successful method is to extend the EMV protocol so that the terminal could detect how far away the real card is in the transaction.

They did this by adding an extra step to the method in which the cards talk to the terminal. Normally there's a cryptographic handshake--the terminal sends a random number to the card, the card encrypts the number with some other details, and sends it back to the terminal.

The extra step the researchers added is that the terminal sends the card a single bit challenge--a 0 or 1--and the card responds in kind. The terminal can record how much time elapsed between sending and receiving the response, which would be a few nanoseconds in a normal transaction. Because the attacker can't relay information faster than the speed of light, an upper time limit could establish how far the terminal is from the card.

Tom Espiner of ZDNet UK reported from London.