Chip and SKIM: How dodgy crypto can leave shoppers open to fraud

UK academics today describe how criminals can forge chip-and-PIN card transactions and spend other people's money for free. The team of University of Cambridge experts say their technique exploits a cryptographic weakness in some devices implementing the EMV (aka chip'n'PIN) standard. And they're confident they've found a …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    "As per the EMV standard, cash machines (ATMs) generate for each transaction a nonce "

    The BBC has been running that standard for years in their payroll system. It's also known as the Yew Tree algorithm.

  2. Irongut

    Got to be careful when you're generating a nonce! (see definition #3)

    Who decided to use that word as the name for a transaction id?

    1. Nigel 11

      @Irongut

      Isn't definition 4 appropriate?

      BTW It struck me that definition 4 also leads to definition 3, if used in the context of a lynch mob.

    2. Destroy All Monsters

      Who decided to use that word as the name for a transaction id?

      Well-Known-Tabloid readers equipped with credit cards?

      1. squigbobble

        Can't wait...

        ...to see how netmums reacts to the discovery that chip&PIN terminals create nonces.

  3. Herby

    And you thought...

    Chip & PIN was better! Looks like it is only better for the banks which don't want you to dispute the transaction.

    Sure the mag stripe and real-time feedback of authorization is not the "best", but when an industry says "fraud proof" we should ALL take a second look. Nothing is "fraud proof", but some things are better than others.

    I'm not sure that C&P is any better (or worse) than Mag Stripes and real-time authorization. Oh, well....

    1. Anonymous Coward

      Re: And you thought...

      Chip&PIN is better than card&sign, doesn't mean it's perfect though.

      What banks should do as of *NOW* is roll-out updates to fix their systems.

      Then again, XP EoL took them by surprise; so don't expect anything to happen.

    2. Anonymous Coward

      Re: And you thought...

      Erm yes it is more secure.

      This hack is just a (huge) tad more difficult than copying a mag stripe and a bit of a scribble.

  4. Anonymous Coward

    Wot

    And they haven't been arrested yet?

    Surely pointing out a weakness in a bank's security system must be illegal and probably carry life in jail, or several lives even.

    1. Chozo

      Re: Wot

      Pointing out flaws is fine... but

      demonstrating them at a Defcon / Blackhat conference could be hazardous to health if one believes conspiracy theorists and the curious case of Barnaby Jack.

  5. Anonymous Coward

    UK implementation of C&P ..

    I noticed in Spain, they still ask for the signature, at a C&P transaction. As a shopkeeper explained ... "No sign, no pay".

    1. Robin

      Re: UK implementation of C&P ..

      > As a shopkeeper explained ... "No sign, no pay".

      Did you not continue the discussion with your fluent Spanish and find out more?

    2. Anonymous Coward 101

      Re: UK implementation of C&P ..

      Aye, someone has successfully cracked C&P, only to be foiled by an inaccurate squiggle.

  6. Robin 12

    Forward to your bank and government officials.

    As this is a major issue that many have said the banks love, it is time to forward this information to the banks and government to ensure that legislation and policies now reflect the fact that it is possible to clone chip and pin cards.

    Wasn't the introduction to chip and pin debit cards first a great out for the banks to not investigate possible fraud and government pressure forced the banks to change their policy? It was reported on this site years ago.

    Now that C&P is shown to be fully weakened, then the onus should be returned to the bank to investigate the claim.

    1. Anonymous Coward

      Re: Forward to your bank and government officials.

      What goes around comes around. I worked in IT supporting banking systems in the late 70s, early 80s when ATMs were first introduced and the banks then took exactly the same stance when people had begun to complain of duplicate and rogue transactions they had not made. i.e. "Our systems are infallible, the customer must be dishonest and it is up to them to find out which member of their family has stolen the money by borrowing the card and using the PIN."

      I lost all respect for the banks when I had come home having spent the whole day monitoring comms between an ATM and the MF front end while we were trying to reproduce a duplicate transaction that we had actually seen happen before our very eyes. They knew all about it, and there was a spokesman on the news trotting out the "it is just not possible for our systems to duplicate transactions, it must be one of the customer's family" routine. Sickening.

      Some things don't change do they?

  7. phil dude

    internet bank...

    Does this affect the internet banking use of chip and pin?

    I have always wondered how random the code was....

    P.

    1. Tom Chiverton 1

      Re: internet bank...

      Barclays dongle has already been cracked - you can pre-generate a roll of numbers to take away with you.

    2. Steven Murdoch

      Re: internet bank...

      Basically, no. This vulnerability doesn't affect Internet banking because when Chip and PIN cards are used for Internet banking, random numbers (if they are used at all) are generated by the bank. The flaw is a result of the terminal generating the random number but the bank relying on it being random.

      There are other issues with using Chip and PIN for online banking though: http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf

  8. Anonymous Coward

    Slightly off topic but

    where I work we have two customers that we regularly do "Cardholder Not Present" transactions for. One is Visa and the terminal asks for Card No., Transaction Amount, CVV, Address No. & Postcode No. - the transaction will authorise without the last two items being correct but will indicate as only verified for the security code.

    The other card is AmEx and only asks for Card No. & Amount before authorising.

    I know that the merchant is liable for CNP transactions, but AmEx doesn't even ask for the most basic of details to help prevent fraud, at least Visa make a token effort.

  9. Pumpkinpositive

    Absolute rubbish

    Even if the unpredictable number can be predicted, and the hacker/cloner successfully uses a future ATC (application transaction counter - another of the mandatory EMV fields), a hacker/cloner would need to know the clear base derivation key from the bank (which is never exposed in clear text), have an understanding of how to generate the transaction key for the appropriate card scheme being used and then be able to generate the correct ARQC for the fraudulent transaction for it to be authorised by the bank - This paper is scaremongering...

    1. Anonymous Coward

      Re: Absolute rubbish

      "Let’s go back to the start. Alex Gambin had his wallet pickpocketed in Palma, Mallorca, and within an hour of the theft five ATM withdrawals had been made using his card totalling €1350, yet he never wrote down his PIN."

      http://www.lightbluetouchpaper.org/2012/09/10/chip-and-skim-cloning-emv-cards-with-the-pre-play-attack/

    2. Destroy All Monsters

      Re: Absolute rubbish

      This paper is scaremongering...

      Ah, the sickly sweet smell of VISA's PR department is wafting in.

      1. Fatman

        Re: Absolute rubbish...This paper is scaremongering...

        Ah, the sickly sweet uniquely distinct smell of VISA's PR department is wafting in.

        FTFY!!!

        Now, where have I noticed that 'smell' before??? Oh, it was out on a dairy farm.

    3. Steven Murdoch

      Re: Absolute rubbish

      There's no need to know the transaction key, because the ARQC is being generated by the genuine card. The attack scenario is that the victim uses a compromised Chip and PIN terminal, which requests an ARQC which is then used in a different terminal. For example, you might think you're paying a few pounds for a sandwich, but the ARQC is for a £500 ATM withdrawal.
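
Steven Murdoch's point above is that the unpredictable number (UN) is generated by the terminal while the bank relies on it being random. The following is an added editorial example, not code from any commenter, from The Register or from the Cambridge team: a Python triage script that an acquirer or issuer could run over terminal logs to flag terminals whose UNs repeat, advance like a counter, or never vary in many bits. The log format, the terminal ids and the UN values are constructed for the example and are not real data.

```python
import re
from collections import defaultdict

# Constructed terminal log excerpt (not real data): each authorisation request
# records the terminal id and the 32-bit UN the terminal supplied.
# ATM-A: counter-like UNs; POS-B: a short cycle of repeated UNs; ATM-C: UNs with
# no obvious structure (the values were hand-picked so no bit is fixed).
SAMPLE_LOG = """\
2014-05-16T10:21:03Z term=ATM-A un=0000012A
2014-05-16T10:21:41Z term=POS-B un=5A17C3E9
2014-05-16T10:22:10Z term=ATM-C un=9F3A71C2
2014-05-16T10:23:55Z term=ATM-A un=0000012B
2014-05-16T10:24:02Z term=POS-B un=2B9D4F10
2014-05-16T10:24:30Z term=ATM-C un=04E8B35D
2014-05-16T10:25:17Z term=ATM-A un=0000012C
2014-05-16T10:25:44Z term=POS-B un=E0C37A85
2014-05-16T10:26:01Z term=ATM-C un=C1D2E3F4
2014-05-16T10:27:09Z term=ATM-A un=0000012D
2014-05-16T10:27:33Z term=POS-B un=9146D2BC
2014-05-16T10:28:12Z term=ATM-C un=7A5B0C9E
2014-05-16T10:29:48Z term=ATM-A un=0000012E
2014-05-16T10:30:05Z term=POS-B un=5A17C3E9
2014-05-16T10:30:51Z term=ATM-C un=3E1F2D4C
2014-05-16T10:31:26Z term=ATM-A un=0000012F
2014-05-16T10:31:59Z term=POS-B un=2B9D4F10
2014-05-16T10:32:40Z term=ATM-C un=B06D8A17
2014-05-16T10:33:14Z term=ATM-A un=00000130
2014-05-16T10:33:47Z term=POS-B un=E0C37A85
2014-05-16T10:34:20Z term=ATM-C un=5C9E4F21
2014-05-16T10:35:02Z term=ATM-A un=00000131
2014-05-16T10:35:39Z term=POS-B un=9146D2BC
2014-05-16T10:36:11Z term=ATM-C un=E27B1D83
"""

LINE_RE = re.compile(r"term=(?P<term>\S+)\s+un=(?P<un>[0-9A-Fa-f]{8})")
MASK = 0xFFFFFFFF  # UN is a 4-byte field

def parse_log(text):
    """Group UNs per terminal, preserving the order they were issued in."""
    per_terminal = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            per_terminal[m["term"]].append(int(m["un"], 16))
    return dict(per_terminal)

def audit_terminal(uns):
    """Cheap structural checks that a weak UN generator fails immediately."""
    n = len(uns)
    duplicates = n - len(set(uns))              # repeated values => replayable
    all_or, all_and = 0, MASK
    for u in uns:
        all_or |= u
        all_and &= u
    always_zero = (~all_or) & MASK              # bits that were never 1
    always_one = all_and                        # bits that were never 0
    fixed_bits = bin(always_zero | always_one).count("1")
    deltas = {(b - a) & MASK for a, b in zip(uns, uns[1:])}
    counter_like = n >= 3 and len(deltas) == 1  # constant step => predictable
    findings = []
    if duplicates:
        findings.append("repeated")
    if fixed_bits >= 8:                         # threshold chosen for this example
        findings.append("fixed_bits")
    if counter_like:
        findings.append("counter")
    return {"samples": n, "duplicates": duplicates, "fixed_bits": fixed_bits,
            "counter_like": counter_like, "findings": findings}

def audit_log(text):
    return {term: audit_terminal(uns) for term, uns in parse_log(text).items()}

if __name__ == "__main__":
    for term, result in sorted(audit_log(SAMPLE_LOG).items()):
        status = "SUSPECT" if result["findings"] else "ok"
        print(f"{term}: {status} {result}")
```

With the sample above, ATM-A is flagged as a counter with most of its bits fixed, POS-B is flagged for repeating UNs, and ATM-C passes. These checks only catch gross failures; a terminal that passes them still needs a proper randomness assessment on a larger sample, and the structural fix the commenters allude to is for the issuer not to trust terminal-generated nonces in the first place.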

    4. Velv

      Re: Absolute rubbish

      "This paper is scaremongering..."

      Like many academic papers this one is dealing in a large amount of theory based on observed facts. So while it may not be a widespread attack vector, it highlights that EMV has weaknesses and is therefore not 100% free from fraud.

      OpenSSL was secure and verified by its open nature - until it turned out it wasn't. EMV is closed source, so who knows what vulnerabilities actually lie in the code.

  10. DainB

    If I can have malware installed on ATM or terminal why would I fiddle with all this stuff ? Just to make it harder for card owner to do chargeback ?

    1. Aitor 1

      You have to fiddle

      Otherwise, you won't be able to charge money.

      And the terminal you have compromised is able to charge money for your collateral victim (tesco, etc), not for you.

  11. David Roberts

    Physical security?

    What I think I am reading is that the problem is a partial implementation of the standards coupled with weak physical security.

    Upgrading and or changing the standard isn't going to solve this.

    Security standards have to be coupled with robust implementations and strong physical security to work.

    Of course, this takes time and effort and money.

    1. Tom 13

      Re: Physical security?

      No, their software implementation is weak even if they have good physical security on the system. So it is still vulnerable.

      Which doesn't mean they HAVE good physical security, only that the software problem exists independently. And if you have weak physical security, software security is more easily compromised.

  12. ex RBS employee

    Ok,

    So if you break the card, and the ATM, and the network, and they happen to be running non-random generators... you might get some money out of an account. Assuming it has some in the first place. If you can break all the above and implement your own code on ATMs etc then this is a pretty piss poor approach to getting your hands on some money. Just change the ATM code to puke all its money out to you there and then !

    Two things.

    1) When has the well educated Mr Ross Anderson ever produced a detailed design for an infallible payment system? (and why has he not copyrighted such and made a killing?), and

    2) Where is the risk analysis and cost benefit. i.e. the cost to 'fix' the problems that seem to be endemic in the payments world versus the losses that also appear to be sustainable to the banks ?

    Really folks. NOTHING in life is perfect. EVERYTHING costs something. And Mr Anderson should produce a good alternative rather than keep looking for ever more minute gaps that obviously do not amount to any risk (cost value) greater than the exposure (cost value).

    1. Tom 13

      Re: the losses that also appear to be sustainable to the banks

      The losses appear to be sustainable to the banks only because the banks have claimed the system is infallible and therefore it must the customer's fault.

    2. The Mole

      I don't know why the Register article reported this in the context of just ATMs but reading the original post this appears to be a vulnerability of any Chip and Pin authenticated transaction.

      Acquiring access to a remote chip and pin terminal in a restaurant, modifying it and intercepting the communication back to base is not likely to be beyond the means of many criminal gangs and fraudsters.

      As for Mr Ross Anderson, reading his blogs I believe his big problem is the fact that banks will routinely lie to customers and claim that chip and pin is infallible (and therefore it is up to the customer to prove that it's not their fault) even though there is concrete proof that there are ways to defeat it and therefore the onus should be on the bank to prove that the customer is lying.

      If the banks admitted that it isn't perfectly secure and took on the costs of refunding customers when the security is breached then that would be acceptable. At the moment they claim it is secure when they know it isn't, then pass on the costs to the customer who has been defrauded. Because the costs are being externalized to the customer the banks then don't have any benefit to improving the system - until research like this allows their statements to be challenged in court as effectively being fraudulent.

  13. Michael Wojcik

    Weak CPRNG

    Gosh, who would have thought that using a weak PRNG to generate a nonce might be a problem? It's not like that's ever happened before.

    Just another case of people who don't know what they're doing and can't be bothered to learn.

    Or they're willfully ignorant, like Mr "ex RBS employee" up there. Tell you what, Mr employee: when you can explain to us, in a cogent and informed fashion, why Anderson's classic text Security Engineering, particularly chapters 7 and 25, does not answer your challenges regarding security economics and risk assessment, then I'll consider your opinion worth something.

    1. ex RBS employee

      Re: Weak CPRNG

      Read those chapters thanks. Learned how to suck eggs a tiny bit better.

      Really. Come on.

      My point still stands - where is the perfect solution that (obviously) only someone as experienced in the commercial world as Mr Anderson can actually deliver ?

      Just asking ...

      It is always easier to find faults than to give recommendations. I recommend that a proper risk analysis (with stress testing scenarios and full Regulatory, Financial, Customer, Reputational impacts) be included in these theory papers from the Cambridge team.

      Don't misunderstand me here. I am keen to see faults and holes identified in any product or service that affects me. I just wish Mr Anderson worked on his approach to delivering the messages such that we could all benefit from his research... rather than just scaremongering and self-image.

  14. Stevie

    Bah!

    So, not the Universal Fix for the Target hack as so many smugly opined here just after Christmas then?

  15. G_R

    Yeah - but it's a lot of trouble to compromise one card. A lot easier to look over someone's shoulder for the PIN and then nick the card......
