Chip And Pin Flaw Uncovered By Cambridge Boffins

Chip and PIN payment systems used by many banks contain a serious vulnerability, according to Cambridge University researchers

Researchers at Cambridge University have uncovered yet another security vulnerability in the chip and PIN payment system commonly used in the UK.

Bank cards are reportedly vulnerable to a form of cloning, and the researchers have pinpointed poorly implemented random-number generation in ATMs as the cause. The researchers even accused some banks of “systematically” suppressing information about the vulnerabilities, the BBC reported.

Random numbers

The latest flaw in the chip and PIN system was highlighted by the Cambridge research team, who presented a paper at a cryptography conference in Leuven, Belgium earlier this week.

They discovered a flaw in the so-called unpredictable number (UN), generated by software in cash machines and point-of-sale terminals. The researchers warned that this number is often not random at all, and can sometimes be predicted outright.

“Payment cards contain a chip so they can execute an authentication protocol,” said the paper. “This protocol requires point-of-sale (POS) terminals or ATMs to generate a nonce, called the unpredictable number, for each transaction to ensure it is fresh.”

“We have discovered that some EMV (i.e. chip and PIN) implementers have merely used counters, timestamps or home-grown algorithms to supply this number,” claimed the researchers. “This exposes them to a ‘pre-play’ attack which is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be carried out even if it is impossible to clone a card physically (in the sense of extracting the key material and loading it into another card).”

“We found flaws in widely-used ATMs from the largest manufacturers.”
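The pre-play attack the paper describes is easiest to see as a protocol. The following is an added example written for this article, not code from the Cambridge researchers or from any ATM vendor. It is a toy model: the terminal supplies the UN, the card answers with an ARQC (a MAC over the transaction data and the UN under a key shared only with the issuer), and the issuer recomputes the MAC to decide whether the transaction is genuine. HMAC-SHA256 truncated to 8 bytes stands in for EMV's 3DES/AES cryptogram, the card key and the transaction values are constructed for the example (five withdrawals of €270, loosely mirroring the case described below), and the "counter" terminal mimics the flawed implementations the paper refers to.

```python
"""Pre-play attack on a predictable EMV unpredictable number (UN).

Toy model: the terminal supplies the UN, the card returns an ARQC (a MAC over
the transaction data and the UN under a key shared only with the issuer), and
the issuer recomputes the MAC.  HMAC-SHA256 truncated to 8 bytes stands in
for EMV's 3DES/AES application cryptogram; key and values are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample card key; in EMV it is derived per card from an issuer master key.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


@dataclass(frozen=True)
class Transaction:
    amount: int   # minor units, e.g. cents
    date: str     # YYMMDD
    un: bytes     # 4-byte unpredictable number chosen by the terminal

    def data(self) -> bytes:
        return self.amount.to_bytes(6, "big") + self.date.encode() + self.un


def card_arqc(key: bytes, tx: Transaction) -> bytes:
    """What the genuine chip computes.  The attacker never learns `key`."""
    return hmac.new(key, tx.data(), hashlib.sha256).digest()[:8]


def issuer_verify(key: bytes, tx: Transaction, arqc: bytes) -> bool:
    """Issuer-side check: a correct ARQC for this UN looks like a fresh, genuine transaction."""
    return hmac.compare_digest(card_arqc(key, tx), arqc)


class CounterUN:
    """Mimics the flawed terminals: the 'unpredictable' number is a counter
    (a timestamp-based generator is just as predictable for this purpose)."""

    def __init__(self, start: int = 0x10) -> None:
        self.n = start

    def next(self) -> bytes:
        self.n = (self.n + 1) & 0xFFFFFFFF
        return self.n.to_bytes(4, "big")


class RandomUN:
    """What the protocol assumes: 32 bits from a CSPRNG per transaction."""

    def next(self) -> bytes:
        return secrets.token_bytes(4)


def predict_counter_uns(observed_un: bytes, count: int) -> list:
    """Attacker step: having seen one UN from a counter-based terminal
    (on a receipt, or by probing it), predict the next `count` values."""
    n = int.from_bytes(observed_un, "big")
    return [((n + i) & 0xFFFFFFFF).to_bytes(4, "big") for i in range(1, count + 1)]


def harvest_arqcs(predicted_uns, amount: int, date: str) -> dict:
    """Skim phase: with momentary access to the real card (a tampered
    terminal, say) the attacker asks it for one ARQC per predicted UN."""
    return {un: card_arqc(CARD_KEY, Transaction(amount, date, un))
            for un in predicted_uns}


def cash_out(terminal_un, harvested: dict, amount: int, date: str, attempts: int) -> int:
    """Pre-play phase: a fake card at the real ATM answers each UN from the
    table.  Returns how many transactions the issuer accepted."""
    accepted = 0
    for _ in range(attempts):
        un = terminal_un.next()
        # With a genuinely random UN the lookup misses and the fake card has nothing to send.
        if un in harvested and issuer_verify(CARD_KEY, Transaction(amount, date, un), harvested[un]):
            accepted += 1
    return accepted


def demo(generator_cls) -> int:
    """Run the whole attack against one UN generator; returns accepted transactions."""
    terminal = generator_cls()
    observed = terminal.next()                      # attacker watches one genuine transaction
    predicted = predict_counter_uns(observed, 5)    # assumes a counter; useless against RandomUN
    table = harvest_arqcs(predicted, amount=27000, date="120905")
    return cash_out(terminal, table, amount=27000, date="120905", attempts=5)


if __name__ == "__main__":
    print("counter UN, accepted:", demo(CounterUN))
    print("random  UN, accepted:", demo(RandomUN))
```

Note what the issuer sees in the counter case: every ARQC verifies, every UN is one it has never seen before, so the log is exactly what a genuine card would have produced, which is the "indistinguishable from card cloning" point in the quote above. The model leaves out the card's application transaction counter, which real ARQCs also cover; in practice that constrains the order in which harvested cryptograms can be used, but does not help an issuer that accepts the usual window of counter gaps.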

ATM fault

Researcher Mike Bond, one of the authors of the paper, discussed the flaw on a blog posting.

He revealed that he began looking at the problem after an HSBC customer, Alex Gambin, had his wallet pickpocketed in Palma, Mallorca. Within an hour of the theft, five ATM withdrawals totalling €1,350 (£1,079) had been made with his card, even though he had never written down his PIN.

Gambin was suspicious and contacted the researchers for help; they linked his case to others in Spain and Germany.

“We examined Alex’s log data in detail and found the vulnerabilities in the ATM,” wrote Bond on his blog. He said that half of the ATMs they had studied did not generate properly random numbers.

“If you can predict it (the unpredictable number), you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location,” wrote Bond. “You can as good as clone the chip.”

And Bond warned that the banks are aware of the issue. “Just like most vulnerabilities we find these days, some in the industry already knew about it but covered it up; we have indications the crooks know about this too, and we believe it explains a good portion of the unsolved phantom withdrawal cases reported to us for which we had until recently no explanation,” he wrote.

“It appears that some parties were already aware of the random number deficiencies we describe in today’s paper but failed to take action. This raises serious issues for regulators.”

Known flaws

Chip and PIN is currently the leading processing and authentication method for credit and debit card payments in the UK, and indeed worldwide; more than a billion chip and PIN cards are estimated to be in use. It replaced magnetic stripe cards authenticated by signature, and was supposed to be a much more secure payment method.

Yet while banks maintain that the chip and PIN system is secure, there have long been doubts about it.

Back in February 2010, researchers at Cambridge University said the chip and PIN system was broken after they uncovered a flaw that allowed fraudsters to use stolen credit and debit cards without knowing the PIN.

That flaw was exploited with a man-in-the-middle device: the stolen card was wired to a second card reader hidden in the fraudster’s bag, which sat between the card and the shop’s terminal. When the terminal asked the card to verify the PIN, the device intercepted the command and replied that verification had succeeded, so the terminal authorised the transaction although no valid PIN had been entered, while the card itself proceeded as if the transaction were being verified by signature.
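The 2010 attack above comes down to the terminal and the card holding contradictory views of how the cardholder was verified. The following added example, written for this article and not code from the Cambridge researchers, models that in a few lines: one VERIFY command, an honest channel, the interposing device, and the consistency check an issuer could apply when the two sides' records reach it. Real EMV carries the relevant facts in the terminal's CVM Results and in the card's cardholder verification results inside its Issuer Application Data; the record and field names here are the example's own simplification, and the PIN is constructed.

```python
"""Toy model of the 2010 'no PIN' man-in-the-middle attack on chip and PIN.

Simplified to one card command (VERIFY) and two status words.  Real EMV
spreads the relevant facts across the terminal's CVM Results and the card's
cardholder verification results inside its Issuer Application Data; the
record and field names below are this example's own.
"""

SW_OK = bytes.fromhex("9000")          # ISO 7816-4 status word: command succeeded
SW_PIN_FAILED = bytes.fromhex("63C2")  # verification failed, 2 tries remaining


class Card:
    """The genuine chip.  Records what it actually saw, for the issuer."""

    def __init__(self, pin: str) -> None:
        self._pin = pin
        self.pin_attempted = False
        self.pin_verified = False

    def verify(self, pin: str) -> bytes:
        self.pin_attempted = True
        if pin == self._pin:
            self.pin_verified = True
            return SW_OK
        return SW_PIN_FAILED

    def cvr(self) -> dict:
        """What the card tells the issuer inside its cryptogram data."""
        return {"pin_attempted": self.pin_attempted, "pin_verified": self.pin_verified}


class Terminal:
    """The shop's reader.  Trusts the status word it gets back on the channel."""

    def __init__(self, channel) -> None:
        self.channel = channel

    def pay(self, entered_pin: str) -> dict:
        sw = self.channel.verify(entered_pin)
        return {"cvm": "offline PIN",
                "cvm_result": "successful" if sw == SW_OK else "failed"}


class DirectChannel:
    """Honest wiring: the terminal talks straight to the card."""

    def __init__(self, card: Card) -> None:
        self.card = card

    def verify(self, pin: str) -> bytes:
        return self.card.verify(pin)


class NoPinMitm:
    """The device in the fraudster's bag.  Swallows VERIFY and answers 9000
    without consulting the card, so the card never performs PIN verification
    and, in the real attack, carries on as a signature transaction."""

    def __init__(self, card: Card) -> None:
        self.card = card

    def verify(self, pin: str) -> bytes:
        return SW_OK


def issuer_consistency_check(terminal_record: dict, card_cvr: dict) -> bool:
    """Issuer-side detection: if the terminal reports a successful offline PIN
    but the card reports it never verified one, the two halves of the
    transaction disagree and it should be declined or flagged."""
    if terminal_record["cvm"] == "offline PIN" and terminal_record["cvm_result"] == "successful":
        return card_cvr["pin_verified"]
    return True


def run(entered_pin: str, attack: bool) -> tuple:
    """Returns (terminal's CVM result, card's PIN-verified flag, issuer check passed)."""
    card = Card(pin="4421")                          # constructed sample PIN
    channel = NoPinMitm(card) if attack else DirectChannel(card)
    record = Terminal(channel).pay(entered_pin)
    return record["cvm_result"], card.cvr()["pin_verified"], issuer_consistency_check(record, card.cvr())


if __name__ == "__main__":
    print("honest, right PIN :", run("4421", attack=False))
    print("honest, wrong PIN :", run("0000", attack=False))
    print("MITM,   wrong PIN :", run("0000", attack=True))
```

The attack case is the one to look at: the terminal's record says the PIN succeeded, the card's record says no PIN was ever verified, and only an issuer that compares the two notices. A terminal on its own cannot, because everything it saw came through the device.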

And in December 2010 a Cambridge University professor accused UK banks of trying to prevent the publication of research that revealed a serious flaw in the chip and PIN system, which is based on the Europay, MasterCard and Visa (EMV) payment card standard.

Professor Ross Anderson revealed that a student had created a £20 device that could fool a payment terminal into accepting a card without a valid PIN. The UK Cards Association apparently wrote to the university’s press office demanding the removal of the research document from its website.
