Chip and PIN payment card system vulnerable to "pre-play" attacks
Posted on 12 September 2012.
The chip and PIN system employed by most European and Asian banks is definitely more secure than the magnetic stripe one, but that doesn't mean it has no flaws. It can routinely be abused via ATM or POS skimmers and cameras that record PINs as card owners enter them, but there are other ways as well.

A team of Cambridge University researchers has recently discovered that a flaw in how the algorithms that generate a unique number for each ATM or POS transaction are implemented makes it possible for attackers to authorize illegal transactions without ever having to clone the customer's card.

"The UN (unique number) appears to consist of a 17 bit fixed value and the low 15 bits are simply a counter that is incremented every few milliseconds, cycling every three minutes," they discovered.

"We wondered whether, if the 'unpredictable number' generated by an ATM is in fact predictable, this might create the opportunity for an attack in which a criminal with temporary access to a card (say, in a Mafia-owned shop) can compute the authorization codes needed to draw cash from that ATM at some time in the future for which the value of the UN can be predicted."

Their research led them to conclude that the number in question is predictable, and that such a "pre-play" attack, while not that easy to execute and subject to certain limitations, is possible and viable in practice through a number of approaches, which include malware-infected ATMs, supply chain attacks, terminal cut-out, UN modification in the network, and the cooperation of a merchant.
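The following Python audit checks a terminal's logged UNs for the pattern the researchers describe: high bits that never change and a low 15-bit field that advances at a steady rate. It is an added example, not code from the researchers' paper; the function name, thresholds and sample logs are assumptions constructed for illustration.

```python
# Added example: audit UNs logged from one terminal for the weakness quoted above.
COUNTER_BITS = 15                       # low bits the researchers saw acting as a counter
COUNTER_MASK = (1 << COUNTER_BITS) - 1
FIXED_BITS_ALERT = 8                    # assumed alert threshold, not from the paper
RATE_TOLERANCE = 0.05                   # assumed: 5% spread still counts as a steady rate


def audit_uns(samples):
    """samples: (seconds, 32-bit UN) pairs from one terminal, strictly increasing in time.

    Gaps between samples must be shorter than one counter cycle (three minutes
    in the quoted finding), otherwise wrap-arounds hide the tick rate.
    """
    if len(samples) < 3:
        raise ValueError("need at least three samples")
    uns = [un for _, un in samples]

    # Collect every bit that differs from the first sample anywhere in the log.
    varying = 0
    for un in uns[1:]:
        varying |= un ^ uns[0]
    fixed_high = 32 - varying.bit_length()   # leading bits that never changed

    # Ticks per second between neighbours, taken modulo the counter width.
    rates = []
    for (t0, a), (t1, b) in zip(samples, samples[1:]):
        rates.append(((b - a) & COUNTER_MASK) / (t1 - t0))
    counter_like = min(rates) > 0 and max(rates) - min(rates) <= RATE_TOLERANCE * max(rates)

    return {
        "fixed_high_bits": fixed_high,
        "counter_like": counter_like,
        "weak": counter_like or fixed_high >= FIXED_BITS_ALERT,
    }


# Constructed logs (not real terminal data). 182 ticks/s is roughly 2**15 ticks
# spread over the three-minute cycle mentioned in the quote.
TIMES = [0.0, 1.0, 2.5, 4.0, 6.0, 9.0]
PREFIX = 0x0ABCD                        # made-up 17-bit fixed value
WEAK_LOG = [(t, (PREFIX << 15) | ((32000 + int(182 * t)) & COUNTER_MASK)) for t in TIMES]
GOOD_LOG = list(zip(TIMES, [0x3F9A1C52, 0xC4E07B19, 0x5D12E8A7,
                            0x9B6640F3, 0x08F3D56E, 0xE27A9104]))

if __name__ == "__main__":
    print("weak terminal:", audit_uns(WEAK_LOG))
    print("good terminal:", audit_uns(GOOD_LOG))
```

The constructed weak log wraps its counter between the fourth and fifth samples, which is why the rate is computed modulo the counter width rather than from raw differences.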

Selected banks, payment switches and major card companies have been informed of the vulnerability, but most refused to formally comment on the findings.

"We received some informal responses: the extent and size of the problem was a surprise to some, whereas others reported already being suspicious of the strength of unpredictable numbers or even said others had been explicitly aware of the problem for a number of years. If these assertions are true, it is further evidence that banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds," the researchers pointed out in the paper detailing the flaw and the attacks.

"We found flaws in widely-used ATMs from the largest manufacturers. We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit."





