European Payment Cards Security Problem
A recently published technical paper entitled "Chip and pin is broken" by security researchers Steven Murdoch, Saar Drimer, Mike Bond and Ross Anderson reveals how criminals can use stolen payment cards without the pin using man in the middle attacks.
It does not matter if the card is stolen outright or copied, the method works either way. The publication highlights a serious security problem as banks claimed until now that the security of payment cards is protected from such acts.
The attack is very simple at its core. It takes advantage of the fact that the authentication negotiation determining which authentication method is being used is not encrypted. All it does is switch the authentication method to "chip and signature transactions" making the terminal use chip and pin authentication. The effect is that the attacker can enter any four digit ping to authorize the payment.
What should happen normally is that the pin that is entered by the customer is checked by the terminal. The transaction is only authorized if the pin check is correct. If that is not the case, the transaction is not authorized and a new request is being sent to enter the pin.
Here are the highlights of the attack:
- the attack applies to cards used online (where the merchant POS contacts the bank) as well as offline.
- the attack works regardless of the amount of money spent (not just for small value amounts that are below floor limit).
- the attack doesn’t work once a card has been cancelled by the bank — just like stolen cards in the past, can only be used for a certain window of time until the owner of the card notices that the card is not there anymore or notices unauthorized transactions.
- the attack doesn’t work at ATMs (cash machines).
- the failure applies to bank card schemes based on EMV – the most widely deployed standard for smartcard payments. Older national smartcard schemes may or may not be vulnerable.
The following video is a report by the BBC about the issue that shows some of the research including how attacks are carried out.
According to the researchers, the expertise needed to build the system is not overly high and the equipment needed for it can be purchased easily. It appears also easy to hide it so that merchants cannot detect it.
Additional information are available in the published research paper.
Chip&PIN wasn’t introduced to increase security. It was introduced to pass the security buck to the customer. You only have to listen to the excuses above to realise the banks’ priorities. They are happy to accept the losses of fraud as an operating expense tto be passed eventually to the customer.
There have been other flaws in the system for some time – it’s only a year since my card was compromised ina dodgy supermarket reader. But try telling the banks…