A flaw in the EMV protocol which lays out the rules for chip-and-PIN card transactions at ATMs and point-of-sale terminals could enable persistent attackers to carry out bogus card transactions.
Five researchers from the University of Cambridge (UK) released a paper today with the gory details. Foremost among them is a bug that lies in the EMV (Europay, MasterCard, Visa) protocol, part of which requires that an “unpredictable number” (UN) be part of the authentication chain in ATM and PoS transactions. As the researchers discovered from analyzing more than 20 ATMs from different manufacturers, five different PoS terminals, and more than 1,000 transactions, programmers may not be using cryptographic random number generator algorithms to create UNs, and instead may be using counters, timestamps or homegrown algorithms that are not so random. Determined attackers could collect the data and accurately predict when a machine would generate a particular “unpredictable number” and carry out a transaction.
“It’s the fault of the EMV spec for encouraging programmers to use a counter; to pass conformance all your terminal must do is to generate four successive UNs that are different,” said Ross Anderson, one of the authors of the paper. “The obvious way to code this is as a counter.”
Anderson and fellow researchers Mike Bond, Steven J. Murdoch, Omar Choudary and Sergei Skorobogatov also point out a second flaw in the EMV spec in that it does not require the identity of the terminal, only the terminal country code, something the paper said is trivial to predict.
These two snafus create a scenario in which what the researchers called a pre-play attack is possible. In a pre-play attack, if the attacker is able to physically collect and analyze transactions, or collect them by infecting a terminal with malware that sends the data remotely, they can take the authentication data captured at a particular time and re-use it later at a time pre-determined by the counter.
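The following Python is an added example, not code from the article or from the Cambridge paper: it shows why the conformance test Anderson describes (four successive UNs that differ) is satisfied by a plain counter, and how a defender reviewing UNs logged from a terminal can flag a counter- or timestamp-driven generator and the predictability that makes pre-play possible. All three UN sequences are constructed sample data.

```python
# Added example (not from the paper or the article): a defender-side review of
# observed EMV unpredictable numbers (UNs). UNs are 32-bit values as in EMV.
MASK = 0xFFFFFFFF

# Constructed samples: a plain counter, a once-per-minute timestamp, and eight
# fixed values standing in for output of a proper cryptographic generator.
COUNTER_UNS = [0x00000100 + i for i in range(8)]
TIMESTAMP_UNS = [1_340_000_000 + 60 * i for i in range(8)]
RANDOM_UNS = [0x9F3A72C1, 0x0B8E55D4, 0xE27C1A90, 0x5D01BB3F,
              0x71C9E602, 0xA4F00D8B, 0x3E6B94C7, 0xC85217AE]


def passes_conformance(uns):
    """The weak check described in the article: four successive UNs that differ."""
    return len(uns) >= 4 and len(set(uns[:4])) == 4


def constant_stride(uns):
    """Return the single modular difference between successive UNs, or None."""
    diffs = {(b - a) & MASK for a, b in zip(uns, uns[1:])}
    return diffs.pop() if len(diffs) == 1 else None


def varying_bits(uns):
    """Count the bit positions (of 32) that take both values across the sample."""
    ones, zeros = 0, 0
    for u in uns:
        ones |= u
        zeros |= (~u) & MASK
    return bin(ones & zeros).count("1")


def predict_next(uns):
    """If the UNs follow a constant stride, the next one is known in advance."""
    s = constant_stride(uns)
    return None if s is None else (uns[-1] + s) & MASK


def classify_un_source(uns):
    """Label an observed UN sequence the way a log review would."""
    s = constant_stride(uns)
    if s is not None:
        return f"predictable: constant stride {s}"
    if varying_bits(uns) < 16:
        return "suspicious: fewer than half the bits ever change"
    return "no obvious pattern"
```

A counter passes the conformance check yet is fully predictable; the same review run over UNs harvested from real terminal logs is what the paper's analysis amounts to.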
“If you can recruit a few hundred terminals to your botnet, sure [the attack will scale quickly],” Anderson said. “And bank Trojans are already doing this. At present, they mostly seem to just harvest credit card numbers, CVVs and expiry dates, but just you wait!”
Pre-play attacks could be viable for years, even if the number generators are fixed (the researchers notified all the affected manufacturers prior to the release of their paper). The paper points out that a random number generator manufacturer could rig the algorithm to act predictably all the time or only when triggered; this scenario would be difficult to detect, the paper said. Also, merchants could inject replayed card data into the authorization system, or collude with attackers and allow them to tamper with PIN pads, replacing them with skimmers, or monitor transactions on the wire via a man-in-the-middle attack. MITM attacks with devices sitting between the PoS device and the bank, or on the network, would be effective against high-value transaction targets, the paper said.
“The key shortcoming at the EMV protocol level is that the party depending upon freshness in the protocol is not the party responsible for generating it. The issuing bank depends on the merchant for transaction freshness. The merchant may not be incentivised to provide it, may not be able to deliver it correctly due to lack of end-to-end authentication with the issuer, and might even be collusive (directly or indirectly),” the paper said.
The EMV protocol has deeper penetration in Europe and Asia than in North America, but that’s changing. EMV, which requires a smart card chip embedded in a payment card, and a user’s PIN to authenticate a transaction, was supposed to be the cure for card skimming. Skimmers fit over card slots on ATMs and payment terminals and steal card stripe data. Chip data is much harder to steal, the paper pointed out.
Banks, meanwhile, are standing firmly behind EMV and chip-and-PIN and are refusing to refund customers protesting fraudulent transactions; banks are telling customers EMV is secure and that they are either mistaken about a transaction or lying. Meanwhile, many banks wouldn’t have the mechanisms or procedures to patch PIN entry devices in the field if the need arose, Anderson said.
“What most urgently needs to change is the attitude toward customer complaints,” Anderson said. “Better consumer protection would stop cardholders being blamed for frauds in which they were not complicit, and it would give the banks the proper incentive to have stuff fixed.”