A picked pocket in Mallorca reveals chink in chip-and-PIN security

A picked pocket in Mallorca reveals widespread hole in chip-and-PIN security

Researchers at Cambridge University are warning that a vulnerability common to ATMs and point-of-sales terminals could enable attackers to easily clone secure EMV chip-and-PIN cards.

The security hole, they believe, may already be known to criminals and could account for unsolved “phantom” withdrawal cases.

Writing on the blog Light Blue Touchpaper, Mike Bond, a research associate at the University of Cambridge Computer Lab, said that unique ID numbers used to authenticate EMV cards to ATMs are, in many cases, predictable. This is due, he explained, to poor implementation of EMV protocol by banks as well as ATM and POS manufacturers.

Attackers who can predict the EMV authentication code can use momentary access to the chip card to record the data they need to clone the card, playing it back at a later time. “You can as good as clone the chip,” Bond wrote.

Bond said he discovered the vulnerability by accident last November on a Eurostar train ride from Paris to London.

Studying a list of disputed ATM withdrawals provided by victim Alex Gambin, who had his wallet stolen in Mallorca and, in the space of an hour, saw it used in five ATM withdrawals, totaling 1,350 Euros. The speed of the withdrawals defied belief, and Gambin appealed to Bond and his colleagues for help.

Reading through the ATM transaction data on his mobile phone, Bond said he struggled to see the “big picture” in the strings of numbers. To make it easier to navigate on the diminutive smart phone screen, he decided to use the EMV Unpredictable Number (UN) for each transaction to distinguish one page of transactions from the next. But he soon found himself lost in the transaction data again.

The unique 32-bit EMV numbers, it turns out, weren’t that unique. Instead, each shared 17 bits in common and the remaining 15 appeared to be a counter, rather than a random number.

Bond and his colleagues dug deeper into the data, reviewing logs from previous phantom ATM transaction disputes as well as collecting fresh data from more than 1,000 transactions at 20 different ATMs and POS terminals.

They discovered something both shocking and dismaying: the random number generators used by many ATMs and POSs that take chip-and-PIN cards are faulty, generating ‘random’ numbers in predictable ways.

Though the research is ongoing, the Cambridge scientists say that, so far, they have “established non-uniformity of unpredictable numbers in half of the ATMs we have looked at,” Bond wrote.

Speaking with Naked Security, Cambridge researcher Ross Anderson said the weakness stems from shortcuts that both banks and hardware vendors took when implementing the EMV protocol.

Rather than requiring the bank to issue a unique, random verification code for each transaction, then send that to the transaction terminal for use generating a unique transaction ID based on that code and other, transaction specific data, the industry allowed merchants and banks to skip a step by letting the transaction terminals generate their own unique transaction ID.

Back in the days of 56k modems when chip-and-PIN was first implemented, that shortcut saved time in verifying transactions. But it also made it possible for anyone who can snoop on transactions or who can tamper with an ATM or POS terminal to pass off fraudulent transactions as legitimate, Anderson said.

Bond and his colleagues will be presenting a paper based on their research at the Cryptographic Hardware and Embedded System (CHES) 2012 conference in Leuven, Belgium this week.

The researchers believe this EMV issue could already be enabling widespread card cloning, or what the researchers call a “pre-play” attack, with reports of incidents in Spain, Poland, Latvia, Belgium and Germany, as well as Malta.

This issue poses a number of serious security problems for banks and their customers, with two likely attack scenarios. In the first, cyber criminals and malicious hackers could target merchants: inserting themselves at any point in the transaction chain and conducting a man in the middle attack: intercepting the real unique number generated by the ATM and replacing it with their own. “Such an attack is powerful as the terminal can be rigged to show transaction approval regardless of what the bank says,” they wrote.

In the second scenario – this one more likely – consumers would be the victims, with attackers using malware to inject legitimate, stolen credentials on behalf of a cloned card. In the case of the bogus ATM transactions in Mallorca and other, similar incidents, Anderson said that he and others believe the ATM in question may well have been infected with malicious software that worked in tandem with the cloned card to carry out the bogus cash requests.

And, they contend, it’s likely that banks, ATM vendors and card companies have been aware of the problem. “Just like most vulnerabilities we find these days some in industry already knew about it but covered it up,” Bond wrote. “We have indications the crooks know about this too, and we believe it explains a good portion of the unsolved phantom withdrawal cases reported to us for which we had until recently no explanation.”

The fixes for the problem aren’t simple, Anderson said. First and foremost, regulators in the UK and EU need to put reforms in place to protect consumers and make them whole when fraud is suspected. That would be similar to systems in some European countries like the Netherlands and Finland, as well as the U.S. It would also give banks and financial institutions an incentive to invest in better transaction security.

ATM and PIN machines images courtesy of ShutterStock.