Chip and PIN payment card system vulnerable to "pre-play" attacks
Posted on 12 September 2012.
The chip and PIN system employed by most European and Asian banks is definitely more secure than the magnetic stripe one, but that doesn't mean it is free of flaws. It can routinely be misused via ATM or POS skimmers and cameras recording PINs as they are entered by card owners, but there are other ways as well.

A team of Cambridge University researchers has recently discovered that a flaw in how the algorithms that generate a unique number for each ATM or POS transaction are implemented makes it possible for attackers to authorize illegal transactions without ever having to clone the customer's card.

"The UN (unique number) appears to consist of a 17 bit fixed value and the low 15 bits are simply a counter that is incremented every few milliseconds, cycling every three minutes," they discovered.

"We wondered whether, if the 'unpredictable number' generated by an ATM is in fact predictable, this might create the opportunity for an attack in which a criminal with temporary access to a card (say, in a Mafia-owned shop) can compute the authorization codes needed to draw cash from that ATM at some time in the future for which the value of the UN can be predicted."

Their research led them to conclude that the number in question is predictable, and that such a "pre-play" attack - while not that easy to execute and possessing certain limitations - is possible and viable in practice through a number of approaches, which include malware-infected ATMs, supply chain attacks, terminal cut-out, UN modification in the network, and the cooperation of a merchant.
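
An added example, not taken from the researchers' paper or the original article: a check an auditor could run over UNs sampled back-to-back from one terminal to see whether they match the structure quoted above (constant upper 17 bits, low 15 bits counting up). The function name, the step threshold and both sample sets are constructed assumptions.

```python
import secrets

LOW_BITS = 15                 # counter width quoted in the article
LOW_MOD = 1 << LOW_BITS       # the low field wraps at 2**15


def audit_uns(uns, max_step=LOW_MOD // 8):
    """Audit 32-bit UNs sampled back-to-back from one terminal, in order.

    'weak' is True when the upper 17 bits never change and the low 15 bits
    only move forward in small steps (allowing wrap-around). max_step is an
    assumed threshold: uniformly random values pass it with probability
    (1/8) ** (len(uns) - 1).
    """
    if len(uns) < 4:
        raise ValueError("need at least 4 samples")
    varying = 0
    for un in uns:
        varying |= un ^ uns[0]            # set bit = position changed at least once
    constant_bits = 32 - bin(varying).count("1")
    high_fixed = len({un >> LOW_BITS for un in uns}) == 1
    lows = [un & (LOW_MOD - 1) for un in uns]
    steps = [(b - a) % LOW_MOD for a, b in zip(lows, lows[1:])]
    counter_like = all(0 < s <= max_step for s in steps)
    return {
        "constant_bits": constant_bits,
        "high_fixed": high_fixed,
        "counter_like": counter_like,
        "weak": high_fixed and counter_like,
    }


# Constructed sample: fixed 17-bit prefix, low 15 bits advancing with one wrap.
FIXED_HIGH = 0x1ABCD
COUNTER_SAMPLE = [(FIXED_HIGH << LOW_BITS) | low
                  for low in (32000, 32300, 32700, 150, 600, 1100, 1500, 2100)]

# Constructed control: 32-bit values drawn from the OS CSPRNG.
RANDOM_SAMPLE = [secrets.randbits(32) for _ in range(16)]

if __name__ == "__main__":
    print("counter-style terminal:", audit_uns(COUNTER_SAMPLE))
    print("CSPRNG control:        ", audit_uns(RANDOM_SAMPLE))
```

A terminal that passes this check is not thereby shown to be unpredictable; the check only flags the specific pattern the researchers describe.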

Selected banks, payment switches and major card companies have been informed of the vulnerability, but most refused to formally comment on the findings.

"We received some informal responses: the extent and size of the problem was a surprise to some, whereas others reported already being suspicious of the strength of unpredictable numbers or even said others had been explicitly aware of the problem for a number of years. If these assertions are true, it is further evidence that banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds," the researchers pointed out in the paper detailing the flaw and the attacks.

"We found flaws in widely-used ATMs from the largest manufacturers. We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit."

