A picked pocket in Mallorca reveals chink in chip-and-PIN security

Filed Under: Data loss, Featured, Malware, Vulnerability

Researchers at Cambridge University are warning that a vulnerability common to ATMs and point-of-sales terminals could enable attackers to easily clone secure EMV chip-and-PIN cards.

The security hole, they believe, may already be known to criminals and could account for unsolved "phantom" withdrawal cases.

Writing on the blog Light Blue Touchpaper, Mike Bond, a research associate at the University of Cambridge Computer Lab, said that the "unique" numbers used to authenticate EMV cards to ATMs are, in many cases, predictable. This is due, he explained, to poor implementation of the EMV protocol by banks as well as by ATM and POS manufacturers.

Attackers who can predict the EMV authentication code can use momentary access to the chip card to record the data they need to clone the card, playing it back at a later time. "You can as good as clone the chip," Bond wrote.

Bond said he discovered the vulnerability by accident last November on a Eurostar train ride from Paris to London.

He had been studying a list of disputed ATM withdrawals provided by victim Alex Gambin, whose wallet was stolen in Mallorca and, within the space of an hour, used for five ATM withdrawals totaling 1,350 Euros. The speed of the withdrawals defied belief, and Gambin appealed to Bond and his colleagues for help.

Reading through the ATM transaction data on his mobile phone, Bond said he struggled to see the "big picture" in the strings of numbers. To make it easier to navigate on the diminutive smart phone screen, he decided to use the EMV Unpredictable Number (UN) for each transaction to distinguish one page of transactions from the next. But he soon found himself lost in the transaction data again.

The supposedly unique 32-bit EMV numbers, it turns out, weren't that unique: each shared 17 bits in common, and the remaining 15 appeared to be a counter rather than a random number.

Bond and his colleagues dug deeper into the data, reviewing logs from previous phantom ATM transaction disputes as well as collecting fresh data from more than 1,000 transactions at 20 different ATMs and POS terminals.

They discovered something both shocking and dismaying: the random number generators used by many ATMs and POSs that take chip-and-PIN cards are faulty, generating 'random' numbers in predictable ways.

Though the research is ongoing, the Cambridge scientists say that, so far, they have "established non-uniformity of unpredictable numbers in half of the ATMs we have looked at," Bond wrote.
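The non-uniformity check described above, as an added example that is not part of the original article or the Cambridge team's own tooling: it audits a batch of 32-bit UNs logged from one terminal, counts the bits that never change across the batch, and tests whether the bits that do change behave like a counter rather than a random value. The sample values are constructed for the example, not real terminal data, and the 17-bit prefix is an arbitrary assumption.

```python
import random

MASK32 = 0xFFFFFFFF

# Constructed sample (not real terminal data): 16 UNs from a hypothetical faulty
# terminal, modelled on the pattern the article describes: the top 17 bits never
# change and the low 15 bits tick up by one per transaction.
FIXED_PREFIX = 0x1A2B4 << 15          # arbitrary 17-bit constant (assumption)
FAULTY_UNS = [FIXED_PREFIX | ((0x3FF8 + i) & 0x7FFF) for i in range(16)]

# Constructed control sample: what a properly seeded terminal should produce.
_rng = random.Random(2012)
GOOD_UNS = [_rng.getrandbits(32) for _ in range(16)]


def constant_bit_mask(uns):
    """Bits that hold the same value in every sample (1 in all, or 0 in all)."""
    all_and, all_or = MASK32, 0
    for u in uns:
        all_and &= u
        all_or |= u
    return (all_and | (~all_or & MASK32)) & MASK32


def constant_bit_count(uns):
    return bin(constant_bit_mask(uns)).count("1")


def looks_like_counter(uns, max_step=4):
    """True if, with the constant bits stripped, successive samples differ by a
    small positive step, i.e. the 'unpredictable' number is really a counter."""
    varying = ~constant_bit_mask(uns) & MASK32
    vals = [u & varying for u in uns]
    deltas = [b - a for a, b in zip(vals, vals[1:])]
    return all(0 < d <= max_step for d in deltas)


def audit_uns(uns, min_samples=16, max_fixed_bits=4):
    """Summarise non-uniformity for one terminal's logged UNs.

    For uniformly random 32-bit values the chance that a given bit is constant
    across n samples is 2 * 2**-n, so with 16 samples even one fixed bit is rare.
    """
    if len(uns) < min_samples:
        raise ValueError(f"need at least {min_samples} samples, got {len(uns)}")
    fixed = constant_bit_count(uns)
    counter = looks_like_counter(uns)
    return {
        "fixed_bits": fixed,
        "expected_fixed_bits": 32 * 2 * 2.0 ** -len(uns),
        "counter_like": counter,
        "suspicious": fixed > max_fixed_bits or counter,
    }
```

A bank or acquirer can run this over the UNs recorded in its authorisation logs, grouped by terminal ID, to find terminals whose generator needs replacing before disputes arrive.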

Speaking with Naked Security, Cambridge researcher Ross Anderson said the weakness stems from shortcuts that both banks and hardware vendors took when implementing the EMV protocol.

Rather than requiring the bank to issue a unique, random verification code for each transaction and send it to the terminal, which would then generate a unique transaction ID from that code and other transaction-specific data, the industry allowed merchants and banks to skip a step by letting the terminals generate their own unique transaction ID.

Back in the days of 56k modems when chip-and-PIN was first implemented, that shortcut saved time in verifying transactions. But it also made it possible for anyone who can snoop on transactions or who can tamper with an ATM or POS terminal to pass off fraudulent transactions as legitimate, Anderson said.

Bond and his colleagues will be presenting a paper based on their research at the Cryptographic Hardware and Embedded Systems (CHES) 2012 conference in Leuven, Belgium this week.

The researchers believe this EMV issue could already be enabling widespread card cloning, or what the researchers call a "pre-play" attack, with reports of incidents in Spain, Poland, Latvia, Belgium and Germany, as well as Malta.

This issue poses a number of serious security problems for banks and their customers, with two likely attack scenarios. In the first, cyber criminals and malicious hackers could target merchants, inserting themselves at any point in the transaction chain and conducting a man-in-the-middle attack: intercepting the real unique number generated by the ATM and replacing it with their own. "Such an attack is powerful as the terminal can be rigged to show transaction approval regardless of what the bank says," they wrote.

In the second scenario - this one more likely - consumers would be the victims, with attackers using malware to inject legitimate, stolen credentials on behalf of a cloned card. In the case of the bogus ATM transactions in Mallorca and other, similar incidents, Anderson said that he and others believe the ATM in question may well have been infected with malicious software that worked in tandem with the cloned card to carry out the bogus cash requests.

And, they contend, it's likely that banks, ATM vendors and card companies have been aware of the problem. "Just like most vulnerabilities we find these days some in industry already knew about it but covered it up," Bond wrote. "We have indications the crooks know about this too, and we believe it explains a good portion of the unsolved phantom withdrawal cases reported to us for which we had until recently no explanation."

The fixes for the problem aren't simple, Anderson said. First and foremost, regulators in the UK and EU need to put reforms in place to protect consumers and make them whole when fraud is suspected. That would be similar to systems in some European countries like the Netherlands and Finland, as well as the U.S. It would also give banks and financial institutions an incentive to invest in better transaction security.

ATM and PIN machines images courtesy of ShutterStock.


5 Responses to A picked pocket in Mallorca reveals chink in chip-and-PIN security

  1. Carla Sandilands · 772 days ago

    When I was in Norway they use a system which is much more secure, such as a photograph on your credit/debit cards, making it harder for criminals to use if stolen, and when using online banking you also need a lil number generator which you insert your card in and it generates a different number for paying online each time or it won't work. I think the banks here and the rest of the world should adopt this.

  2. Andrew Ludgate · 772 days ago

    The sad part about this is that the EMV specs outline the importance of unpredictable numbers, and the rest of the system design is heavily dependent on them being unpredictable -- based on how easy it is to generate a randomish number in embedded systems these days, there is no excuse for this to happen (other than that EMV certification appears to not be verifying the numbers are relatively unpredictable). These same readers that are generating predictable sequences have hardware designed to randomize the radiation signature during a transaction -- compared to that, generating a random UNID is a walk in the park!

  3. johnhawk · 772 days ago

    Surely the answer is easy - just force the banks and merchants to use a proper random number when verifying transactions. Or is it impossible to make them do that?
    John

  4. Mark Longson · 772 days ago

    Barclays ATMs don't use chip and PIN! Well, as far as I can tell.

    When I insert my card, it takes it in, then spits it out and takes it in again as if scanning the magnetic strip!

    Maybe someone else could verify this?

    It's been like this for over a year now. Also, I wanted to have the RFID removed from my card but they refused!

    Maybe you guys could find out more?

  5. Robin Hilliard · 770 days ago

    Up to recently, EMV required that the UNs produced by ATM and POS devices met fairly basic randomness standards. Last month, these standards were updated and improved:
    http://www.emvco.com/approvals.aspx?id=108

    Also, while this flaw is real and EMVCo are taking it seriously, it's unlikely to be widespread as chip cards also include a transaction counter (the ATC) which is incremented for each transaction and which is part of the digital signature calculation. For reasons which are too lengthy to go into here, the ATC greatly reduces the real-world risk.

    This attack is certainly interesting and good on the team for figuring it out, but there are far, far easier ways of stealing money.


About the author

Paul is a Boston-based reporter and industry analyst with more than a decade of experience covering the IT industry, cyber security and hacking. His work has appeared on threatpost.com, The Boston Globe, salon.com, NPR's Marketplace, Fortune Small Business, as well as industry publications including ZDNet, Computerworld, InfoWorld, eWeek, CIO, CSO and ITWorld.com. Paul got his 15 minutes as an expert guest on The Oprah Show - but that's a long story.