Chip and SKIM: How dodgy crypto can leave shoppers open to fraud

Cambridge uni gurus to present debit, credit PIN card findings today in San Jose

Choosing a cloud hosting partner with confidence

UK academics today describe how criminals can forge chip-and-PIN card transactions and spend other people's money for free.

The team of University of Cambridge experts say their technique exploits a cryptographic weakness in some devices implementing the EMV (aka chip'n'PIN) standard. And they're confident they've found a separate flaw in the EMV design, too.

Fraudsters leveraging the revealed vulnerabilities can use a victim's card without knowing the PIN to make purchases that look entirely genuine – which will make life difficult for the victim when he or she tries to persuade the bank to reverse the fraudulent transactions.

"Because the transactions look legitimate, banks may refuse to refund victims of fraud," warned team member Steven J. Murdoch.

The research, titled Chip and Skim: cloning EMV cards with the pre-play attack [PDF], was drawn up by Murdoch, Mike Bond, Omar Choudary, Sergei Skorobogatov and Professor Ross Anderson, all from the University of Cambridge's Computer Laboratory.

Their work is due to be presented at the 2014 IEEE Symposium on Security and Privacy in San Jose, California, today.

As per the EMV standard, cash machines (ATMs) generate for each transaction a nonce – a supposedly unpredictable 32-bit number. This is supposed to add freshness to ensure transactions can't be replayed by fraudsters.

But it turns out some EMV terminals use counters, timestamps or crap homegrown algorithms to generate the nonces. These values are not particularly random, so this exposes victims to a “pre-play” attack that is indistinguishable in the bank's records from using a perfect physical copy of the card.

In practice, authentication data and the nonce exchanged between the card and a compromised ATM are harvested by crooks, and then successfully replayed to another cash machine: if that other machine's nonce is predictable, then, voila, you can dig into someone else's card account.

The second issue stems from a protocol design flaw: an attacker runs malware on a cash machine to intercept an authentication code sent from the victim's card to the ATM for a given ATM-generated nonce value; the attacker, in a separate transaction, replays that auth code to a second terminal regardless of the second terminal's generated nonce; finally, the attacker intercepts the second terminal's communication with the bank and alters the nonce to the original one, so the second transaction suddenly looks legit when it arrives at the bank.

The Camby team explained in a summary ahead of their presentation:

When a Chip and PIN transaction is performed, the terminal requests that the card produces an authentication code for the transaction. Part of this transaction is a number that is supposed to be random, so as to stop an authentication code being generated in advance. However, there are two ways in which the protection can by bypassed: the first requires that the Chip and PIN terminal has a poorly designed random generation (which we have observed in the wild); the second requires that the Chip and PIN terminal or its communications back to the bank can be tampered with (which again, we have observed in the wild).

To carry out the attack, the criminal arranges that the targeted terminal will generate a particular “random” number in the future (either by predicting which number will be generated by a poorly designed random number generator, by tampering with the random number generator, or by tampering with the random number sent to the bank). Then the criminal gains temporary access to the card (for example by tampering with a Chip and PIN terminal) and requests authentication codes corresponding to the “random” number(s) that will later occur. Finally, the attacker loads the authentication codes on to the clone card, and uses this card in the targeted terminal. Because the authentication codes that the clone card provides match those which the real card would have provided, the bank cannot distinguish between the clone card and the real one.

In the aftermath of the US retail chain Target's massive breach of shopping till security, banks in the US – which have lagged behind in chip and PIN deployment – have accelerated their efforts to roll out chip-and-PIN-capable cards to their customers.

The research by the Cambridge team, which has in past years produced pioneering research in the security of payment cards, shows the system "still has serious vulnerabilities, which might leave customers at risk of fraud".

Previous studies have shown that cards can be used without knowing the correct PIN, and that card details can be intercepted as a result of flawed tamper-protection.

The team's latest research goes on to suggests how bank procedures could be improved to detect whether this attack has occurred as well as proposing more improvements to the EMV system.

Work has started on mitigating one of the vulnerabilities identified by Murdoch and his colleagues; they notified the banks about a year ago. The certification requirements for random-number generators in EMV terminals have been improved, although old kit may still be vulnerable.

In a statement, the UK Cards Association acknowledged there was an issue, while playing down its significance by stating that it hadn't been abused to actually commit fraud.

While Cambridge scientists have identified a theoretically potential, but technically complicated, type of card fraud, there is absolutely no evidence of this being undertaken in the real world.

However, the industry takes any potential security attack very seriously, even when the probability of it happening is extremely small. When this issue was first raised, the industry undertook immediate steps to confirm that the security of our cards and cash machines was robust. In the highly unlikely event that a customer is the innocent victim of this, or any other less sophisticated card fraud, there is strong legal protection in place to ensure that they do not suffer any financial loss.


Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story


Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.