September 13, 2012 report
Cambridge team exposes EMV card vulnerabilities
Their paper, "Chip and Skim: Cloning EMV Cards with the Pre-play Attack," presents the troubling details of weaknesses in protocol and random number generation which leave customers in the cold as fraud victims. "EMV" is named for the system's original developers, Europay, MasterCard and Visa. The system is also known as Chip and PIN. It is the leading system for card payments in Europe and much of Asia, and is starting to be used in North America.
Payment cards contain a chip so they can execute an authentication protocol. POS terminals or ATMs generate an unpredictable number for each transaction to ensure that the transaction is fresh.
Some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply this number. This exposes them to a pre-play attack, say the Cambridge team. The researchers find it shocking that many ATMs and point-of-sale terminals have "seriously defective" random number generators, often "just counters."
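The kind of check an auditor could run over one terminal's logged unpredictable numbers to spot the counter and timestamp behaviour described above. This is an added example, not code from the paper or the article; it assumes the 4-byte width of EMV's unpredictable-number field, and the function names, thresholds and sample values are constructed for illustration.

```python
import hashlib
from collections import Counter

UN_BITS = 32              # assumption: EMV's unpredictable number is a 4-byte field
MASK = (1 << UN_BITS) - 1

def dominant_delta(uns):
    """Most common step between consecutive UNs (mod 2**32) and the share of steps it covers."""
    deltas = [(b - a) & MASK for a, b in zip(uns, uns[1:])]
    delta, count = Counter(deltas).most_common(1)[0]
    return delta, count / len(deltas)

def stuck_bit_count(uns):
    """Number of bit positions that hold the same value in every sample."""
    varying = 0
    for u in uns[1:]:
        varying |= u ^ uns[0]
    return UN_BITS - bin(varying & MASK).count("1")

def audit(uns, max_stuck=8, min_step_share=0.5):
    """Classify one terminal's UN sample: 'repeats', 'counter', 'low-entropy' or 'no-finding'."""
    if len(uns) < 8:
        raise ValueError("need at least 8 samples to say anything")
    if len(set(uns)) < len(uns):
        return "repeats"          # a fresh 32-bit value should not recur in a small sample
    _, share = dominant_delta(uns)
    if share >= min_step_share:
        return "counter"          # most steps are the same increment
    if stuck_bit_count(uns) >= max_stuck:
        return "low-entropy"      # e.g. a timestamp: the high bits never move
    return "no-finding"

# Constructed samples (hypothetical, not captured from any real terminal).
COUNTER = [0x00001000 + i for i in range(16)]
GAPS = [37, 58, 45, 72, 48, 73, 68, 77, 52, 81, 79, 55, 75, 82, 75]
CLOCK = [1347500000]
for g in GAPS:
    CLOCK.append(CLOCK[-1] + g)   # seconds-resolution clock read at irregular intervals
HASHED = [int.from_bytes(hashlib.sha256(bytes([i])).digest()[:4], "big") for i in range(16)]

if __name__ == "__main__":
    for name, sample in (("counter", COUNTER), ("clock", CLOCK), ("hashed", HASHED)):
        print(f"{name:8s} -> {audit(sample)}")
```

A "no-finding" result only means these three simple tests did not fire; it is not evidence that the generator is cryptographically sound.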
The study authors also point to a key shortcoming at the protocol level where "the party depending upon freshness in the protocol is not the party responsible for generating it." Although the issuing bank is depending on the merchant for transaction freshness, they said, the merchant "may not be incentivised to provide it, may not be able to deliver it correctly due to lack of end-to-end authentication with the issuer, and might even be collusive (directly or indirectly)."
The study team's harshest words are for those banks that "suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds." The researchers argue that it is unfair that any customer who complains of fraud may be told by the bank that, since EMV cards are secure, the victim is mistaken "or lying when they dispute card transactions." And yet, said the study, "again and again, the banks have turned out to be wrong."
One vulnerability after another has been discovered and exploited by criminals. They said it has mostly been left to independent security researchers to identify what is happening and to spread the word.
The researchers said that, in looking for solutions, it would not be practical to turn to what is a slow and complex negotiation process between merchants, banks and vendors. "It is time for bank regulators to take an interest," they said. "It's welcome that the US Federal Reserve is now paying attention, and time for European regulators to follow suit."
www.lightbluetouchpaper.org/20 … the-pre-play-attack/
© 2012 Phys.org