Researchers at the University of Cambridge in Cambridge, England, said they've found a substantial security flaw in the Europay/MasterCard/Visa (EMV) chip and PIN payment system that might underlie numerous European fraud cases. EMV is often cited as the world's gold standard for safeguarding consumer data.
In their report, Chip and PIN is Broken, researchers Steven J. Murdoch, Saar Drimer, Ross Anderson and Mike Bond describe how they devised a "man-in-the-middle attack" to foil payment acceptance terminals. Using a contraption rigged with wires connecting a replica payment card to a laptop PC and other hardware, the researchers conducted successful transactions without entering the legitimate PIN information required of almost all EMV purchases.
In their paper, the researchers speculate that high levels of U.K. fraud may relate to fraudsters' employment of a similar strategy.
"Interestingly, an increasing number of complaints from believable witnesses indicate that their EMV cards were fraudulently used shortly after being stolen, despite there having been no possibility that the thief could have learned the PIN. ... The attack we describe here may explain some of those cases," the report says.
Essentially, the man-in-the-middle attack works by manipulating the communications between payment card and terminal that are used to verify transactions, making proper PIN entry (a cornerstone of the EMV system) unnecessary.
Normally, when a cardholder keys in his or her PIN, the terminal sends that number to the inserted payment card (on which the PIN of record is stored) for verification; the card then returns a transaction code that either verifies or repudiates the entered PIN number.
The attack described in the Cambridge paper uses an electronic "wedge" that prompts the card to return the correct authorization code, regardless of the PIN number entered. The maneuver exploits what the paper's authors say is a basic flaw in the EMV system: only the approval code is sent to the issuer for back-end transaction verification, not the entered PIN. So no matter what PIN is entered in the attack (it can be any four-digit number), the transaction gets verified based on the approval code.
"A lack of authentication of the PIN verification response, coupled with an ambiguity in the encoding of the result of cardholder verification ... allows an attacker with a simple man-in-the-middle to use a card without knowing the correct PIN. This attack can be used to make fraudulent purchases on a stolen card," the report states.
Yet while the authors conclude that "it is clear that the EMV framework is seriously flawed," some observers downplayed the significance of their findings.
The Smart Card Alliance, a nonprofit organization that promotes the adoption of smart card technology, cited a list of factors that it said would limit the real-world impact of the Cambridge strategy, should criminals try to deploy it.
Among them are the technical sophistication required for such attacks, the likelihood of merchants detecting a device that requires several pieces of hardware connected by wires (in the Cambridge experiment, a researcher kept a laptop and other connective hardware in a backpack and ran the connecting wire up his shirt sleeve), and the availability of countermeasures.
Tim Cranny, President and Chief Executive Officer of Panoptic Security Inc., agreed that the man-in-the-middle attack would require a level of sophistication not possessed by ordinary criminals and that the Cambridge report does not undermine the essential sturdiness of chip and PIN.
"This wasn't some fundamental invalidation of the whole idea of chip and PIN," he said. "It's just that, if you build a complicated machine, sometimes there's one nut that needs tightening."
Cranny believes the Cambridge project underscores a more general point about securing consumer data.
"Until recently, you hear a lot of people saying the answer to security is chip and PIN or the answer is this or that, and this is just another example that people really need to keep in mind there are no silver bullets," he said.
"But part of the problem is they can't just sit down and fix the problem. It just takes root, and you've got to deploy this and roll it out and so on. It's a big systemic fix and that takes time and has its own costs associated with it."
David Fish, Senior Analyst for payments consultancy Mercator Advisory Group, said the Cambridge study could have profound legal repercussions. In England and other countries operating under the EMV system, consumers are often liable for transactions even when they claim fraud or otherwise disavow a purchase, Fish said.
The assumption has long been that the use of a PIN code theoretically known only to the card's owner means either that person made a given purchase or negligently revealed his or her PIN to someone else. According to Fish, the Cambridge study could change that thinking, potentially shifting the liability for disputed purchases away from consumers and onto acquirers (and, in turn, merchants).
"The macro-implications for payments industry folks is we're looking at a situation where chip and PIN cardholders are liable for any transactions conducted with PIN, and banks essentially absolve themselves of any liability," Fish said. "It could expose acquirers to very significant losses if [issuing] banks changed their behavior and started indemnifying cardholders for PIN-based transactions that are fraudulent in actuality."
Cranny said the Cambridge report would likely affect payments industry discourse in the United States as well, particularly the longstanding debate about whether the United States should consider its own shift to a PIN-oriented payments system.
"It will tamp down on people claiming we must move urgently (to chip and PIN) because it's paradise once you get there and nothing will go wrong," Cranny said. "That is not to say it wouldn't be a vast improvement on the current state of the art.
"There's obviously vast entrenched interests with the card solution infrastructure - people who are actively fighting changes. If I had my money bet on keeping the status quo, especially if I'm sitting in meetings where people are talking about chip and PIN being invulnerable, this stuff is music to my ears. ... But again, there's a kernel of technical truth and security truth here that's wrapped in a pretty thick layer of politics and economics and inertia."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next