Security flaw in Chip and PIN exposed
Cambridge researchers find one-off codes used to authenticate Chip and PIN transactions can be predicted
Researchers at the University of Cambridge have discovered that Chip and PIN cards can be effectively ‘skimmed’ by predicting the one-off code sent from the terminal to card operator in order to authenticate transactions.
Every time a Chip and PIN card is used to make a payment or withdraw cash from an ATM via the EMV standard, an Unpredictable Number is generated to authenticate the transaction.
However, by looking at a series of UNs relating to particular case of ATM fraud, Mike Bond, visiting professor at the University of Cambridge, saw a pattern that would allow future UNs to be predicted.
Bond and his colleagues tested the hypothesis on a number of ATMs, and found that certain models had defective random number generators.
“If you can predict [a UN], you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location,” Bond wrote yesterday. “You can as good as clone the chip.”
Bond says that criminals could exploit this flaw either by using a compromised Chip and PIN device, or by using a smartcard to install malware on the device – as demonstrated recently by security consultancy MWR Infosecurity.
He believes that the exploit has already been used by criminals to steal from card holders. “We received 100s of reports from victims of fraud who have not been compensate by the banks, and this exploit explains some of those frauds.”
Bond and his colleagues informed the banks of the exploit in February, but while all of them acknowledge receipt of the information, they have all decline to comment, he says.
In a paper on the vulnerability, the researchers call on regulators to be more skeptical of the card processing company’s security claims. "Just as the world’s bank regulators were gullible in the years up to 2008 in accepting the banking industry’s assurances about its credit risk management, so also have regulators been credulous in accepting industry assurances about operational risk management,” it reads.
Eariler this year, MWR Infosecurity showed that a pre-prepared smart card could be used to install malware on a Chip and PIN terminal, which could in turn harvest the card numbers and PINs for any card used in that terminal.
"We have shown that this can be done and there is no doubt in our minds that criminals are constantly testing these systems," said MWR CEO Ian Shaw at the time. "It is surprising that the manufacturers of these machines have done little to safeguard retailers and Chip and PIN card users.”