Chip & PIN’s unpredictable numbers are predictable

Now, in a paper released on Anderson's home page, the research team he worked with shows a weakness in EMV’s authentication process that could explain some of the ‘phantom’ withdrawals that have occurred across Europe.

EMV stands for Europay, MasterCard and Visa, and is the standard used in chip and PIN bank cards. The banks’ basic stance is that EMV is secure. If their logs show that the customer’s PIN was used in a withdrawal, any claim from a customer that he or she made no such withdrawal is met with the suggestion that they are mistaken and the implication that they are lying. But, notes Mike Bond, one of the authors of the paper, “Many of these customers are credible witnesses and it is not believable that they are all mistaken or lying.”

The story starts some nine months ago when Bond was traveling back to the UK and examining the ATM withdrawal logs of one such customer. He noticed “that the unpredictable numbers… well… weren’t. Each shared 17 bits in common and the remaining 15 looked at first glance like a counter.” The unpredictable number (UN) is a key part of EMV authentication. “If you can predict it,” writes Bond, “you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location.”
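As an added illustration (not code from the article or from the Chip and Skim paper), the following Python audit checks a run of logged UNs for exactly the structure Bond describes: bit positions that never change across transactions, and a remainder that steps upward like a counter. The sample UNs are constructed to match the 17/15-bit split in the article and are not real ATM log data; the control set is likewise made up.

```python
# Added example: audit logged EMV unpredictable numbers (UNs) for structure.
# Samples are constructed to mimic the article's 17/15-bit pattern, not real logs.
from typing import Dict, List

UN_WIDTH = 32  # an EMV unpredictable number is a 4-byte value

def constant_bit_mask(uns: List[int], width: int = UN_WIDTH) -> int:
    """Mask of bit positions holding the same value in every sample."""
    if not uns:
        raise ValueError("need at least one unpredictable number")
    full = (1 << width) - 1
    mask = full
    for un in uns[1:]:
        mask &= ~(un ^ uns[0]) & full  # clear any bit that ever differs
    return mask

def varying_bits(value: int, mask: int, width: int = UN_WIDTH) -> int:
    """Pack the bits of value at positions outside mask into one integer."""
    out, pos = 0, 0
    for i in range(width):
        if not (mask >> i) & 1:
            out |= ((value >> i) & 1) << pos
            pos += 1
    return out

def audit_unpredictable_numbers(uns: List[int], width: int = UN_WIDTH,
                                max_step: int = 16) -> Dict[str, object]:
    """Count bits that never change and test whether the rest count upward.
    A sound RNG leaves (almost) no fixed bits and no monotone small-step run."""
    mask = constant_bit_mask(uns, width)
    fixed = bin(mask).count("1")
    seq = [varying_bits(u, mask, width) for u in uns]
    steps = [b - a for a, b in zip(seq, seq[1:])]
    counter_like = bool(steps) and all(0 < s <= max_step for s in steps)
    return {"fixed_bits": fixed, "variable_bits": width - fixed,
            "counter_like": counter_like}

# Constructed samples: a fixed 17-bit prefix above a 15-bit counter that
# crosses a bit-14 boundary, so every low bit flips at least once.
WEAK_PREFIX = 0x1A2B4  # arbitrary 17-bit value
WEAK_UNS = [(WEAK_PREFIX << 15) | c for c in
            (0x3FF9, 0x3FFB, 0x3FFC, 0x3FFF, 0x4001, 0x4002, 0x4004, 0x4005)]
# Constructed control values with no shared structure.
RANDOM_UNS = [0x9E3779B9, 0x2C1B3F05, 0xD4A8E6F1, 0x71F2A4C3,
              0x0BADF00D, 0xE7C1A932, 0x5A5A7B1E, 0xB3F4C8D6]

if __name__ == "__main__":
    print("weak  :", audit_unpredictable_numbers(WEAK_UNS))  # 17 fixed, counter_like True
    print("random:", audit_unpredictable_numbers(RANDOM_UNS))  # 0 fixed, counter_like False
```

With only a handful of samples the fixed-bit count over-approximates (high counter bits that have not yet rolled over look constant), so the counter-like test on the varying part is the more reliable signal when auditing short logs.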

The end result of this observation, nine months of research, analyses of more than 1000 of the team’s own transactions and even the purchase of three ATMs from eBay is this week’s paper: ‘Chip and Skim: cloning EMV cards with the pre-play attack’. It shows that “a crook with transient access to a payment card (such as the programmer of a terminal in a Mafia-owned shop) can harvest authentication codes which enable a ‘clone’ of the card to be used later in ATMs and elsewhere.”

The paper explains that the discovered vulnerability was disclosed to the banks in early 2012, and the team received some informal responses. These included confirmation of existing suspicions, and even admissions of pre-knowledge of the problem. “If these assertions are true,” states the paper, “it is further evidence that banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds.”

The banks have downplayed any risk. A spokeswoman for the UK’s Financial Fraud Action group told the BBC, “What we know is that there is absolutely no evidence of this complicated fraud being undertaken in the real world. It requires considerable effort to set up and involves a series of co-ordinated activities, each of which carries a certain risk of detection and failure for the fraudster.”

Anderson is not impressed. Brian Krebs reports him commenting, “They’re saying this is too complex a fraud for the average villain to conduct, but they always say that, and they said that about our PIN entry device compromise research in 2008, despite the fact that it was already happening in the field... this is following an established pattern by bank PR people of carefully denying it in ways that don’t stand up.”

The paper itself is unequivocal. It concludes, “Just as the world’s bank regulators were gullible in the years up to 2008 in accepting the banking industry’s assurances about its credit risk management, so also have regulators been credulous in accepting industry assurances about operational risk management... It is time for bank regulators to take an interest.”
