With bank fraud and attacks against financial institutions and online banking applications having turned into an epidemic, researchers, banks and other concerned parties have been looking for new ways to protect the integrity of financial transactions. A researcher at the University of Cambridge working on the problem has developed a new device that can act as a trusted intermediary to ensure the validity of electronic transactions.
The device, called the Smart Card Detective, is a small, card-sized piece of equipment that, among other things, can be used to verify that the amount shown on a terminal screen is actually the amount of money that is debited from a user’s account. The device’s creator, Omar Choudary, said in an interview that he set out to create something that could serve just that main function of being a trusted terminal for electronic transactions, but soon figured out that the SCD could be used for any number of other tasks as well.
“The main idea was to protect users against card-reader attacks that display a lower amount on the terminal than it debits the account for,” said Choudary, who developed the SCD as part of his graduate work at Cambridge. “I wanted to do a device that intercepted the communications between the card and the terminal, so you have a trusted display. Then I realized it’s a general-purpose device that can do anything that the EMV protocol can do.”
EMV is the protocol that banks, retailers and financial institutions use for payment-card transactions in the U.K. and Europe. It’s based on the chip-and-pin concept, under which payments cards include a chip, rather than a magnetic stripe, that stores account information and can perform contactless payments. But in many transactions, the user still must provide a PIN. Fraudulent transactions in which an attacker has either compromised the payment terminal or installed a skimmer on the machine have become a major problem, and banks have made it difficult for users to recoup their losses in these cases when they’ve entered their PINs.
Choudary’s SCD addresses the problem by acting as a trusted link between the user’s card and the financial institution on the back end. The SCD comprises a board with a microcontroller and a small display, as well as a small printed circuit board that is roughly the size of a normal debit or credit card, connected to the microcontroller. To use the SCD, you insert a payment card into the card slot built into the board, and then you select the appropriate application on the LCD screen. Choudary built five separate apps into the SCD prototype, giving it the ability to store PINs, modify PINs, filter amounts and forward the commands from the terminal.
Once you select the application, you attach the printed circuit board to the terminal and proceed with the transaction. If you select filter amount, for example, the SCD will monitor the communication between the card and the terminal until the amount of the transaction is sent. The device then blocks the communication and shows the requested amount from the terminal on the SCD display. If it’s the correct amount, the user can press a button to complete the purchase; otherwise, he can press another button to terminate it.
Choudary’s SCD also implements the “no PIN” attack that was disclosed earlier this year by another group of researchers from Cambridge. The attack enables a user to make a transaction without a PIN, even though the transaction record will say that the PIN was used.
The modify PIN function is even more intriguing.
“The Store PIN application as its name suggests is used to store a PIN into the EEPROM
memory. This PIN is used by the Modify PIN application to modify the PIN that is transmitted in a transaction. In this way the user can make any transaction without ever typing the real PIN. To store the PIN I currently extract the necessary information from the VERIFY command. As a result the keypad of a terminal (including CAP readers) can be used to type the desired stored PIN,” Choudary wrote in his dissertation on the SCD.
The device also can be used to store transaction data as a way of verifying them later. Choudary said he has built two prototypes of the SCD, but is unsure of the actual commercial application for it.
“It might be usable for consumers as a way of doing protected shopping, like in a shop that you don’t trust and you think there might be a problem with the terminal,” he said. “But it can be quite difficult for people to carry another device around with them. I’d like to see it work as a research platform for other groups to find other problems.”