Life has become more dangerous for ATM card holders in the UK.
As muggers require the Personal Identification Number (PIN) of a stolen card to make withdrawals, they are tempted to resort to violence against the card owners to get hold of it.
The case of two French exchange students in London who are believed to have been tortured to death for not revealing their ATM card PINs shows that this threat is real.
Major British banks are unintentionally helping these muggers, as they distribute card readers among their clients that serve as generators of one-time codes used for transaction authentication. Although distributed with the best intentions by the banks, these readers can also be used by criminals to instantly verify whether an extorted PIN is correct. Now it is a lot easier for them to keep their victims captive in a secret place, to press them to reveal the PIN and to verify its accuracy instantly.
Three Cambridge researchers revealed [pdf] that these card readers suffer from more than only this weakness.
Designed after the Chip Authentication Programme (CAP) standard, these card readers for 'Chip & PIN' smart cards expose further weaknesses like the reuse of authentication tokens and the ability to store one-time codes for an unnecessarily long period of time, which helps phishers to misuse the stolen codes.
The secret CAP specification is basically a strong simplification of the public EMV (Europay, MasterCard, Visa) standard, which is established and known to be secure.
CAP, however, allows for a wide range of interpretation, which the designers of the UK variant exploited, sadly, for the worse. In their intention to create a cheaper and more versatile device they ignored some seemingly unimportant details of the initial protocol, resulting in remarkably lower security.
Please don't get me wrong. I generally appreciate any attempt to increase security in homebanking by adding more intelligent devices to the authentication process. The failure of the UK variant of CAP is that its designers used a public, known to be secure standard and optimised it until it lost major security elements. Had they published their protocol variant in the first place, the crypto community may have been able to correct the flaws before they eventually went into the product.
Exchange students in Berlin might rest easier. The German CAP variant, ZKA-TAN-Generator [pdf], lets the banks decide whether the device should verify the PIN instantly or go ahead with the false PIN. In addition, this device addresses some other flaws, too, such as the time-invariance of the one-time code.
The flaws in the British CAP devices show one more time how dangerous it is to abandon established security standards in favour of proprietary, seemingly optimised ones. Time will tell whether these devices will eventually undergo the same mutations as the initial Wireless LAN adapters with their flawed 'Wireless Equivalent Privacy' security standard.
WEP -> WEPplus -> TKIP -> WPA1 -> WPA2 - pooh, that's still a long way to go.