At a cryptography gathering in Leuven, Belgium, on Tuesday, Cambridge University researchers made clear that they do not like what they see in chip-and-PIN systems. The chip-and-PIN system employed by most European and Asian banks is definitely more secure than the magnetic stripe one, but that doesn’t mean it is free of flaws.
A flaw in the EMV protocol, which lays out the rules for chip-and-PIN card transactions at ATMs and point-of-sale terminals, could enable persistent attackers to carry out bogus card transactions. Five Cambridge (UK) University researchers released a paper today with the gory details.
Bank cards are reportedly vulnerable to a form of cloning, and the researchers have pinpointed the poor implementation of cryptographic methods in ATMs as the reason for the flaw.
The chip in an EMV card is there to execute an authentication protocol, and is itself very difficult to clone. However, the authentication process also relies on the merchant’s point-of-sale kit, or an ATM, generating a completely random number to prove the uniqueness of the transaction. The researchers discovered a flaw in the so-called unpredictable number (UN), generated by software within cash point machines and other similar equipment. They warned that this random number is not so random, and can sometimes even be predicted.
“The UN (unique number) appears to consist of a 17 bit fixed value and the low 15 bits are simply a counter that is incremented every few milliseconds, cycling every three minutes,”
“We wondered whether, if the ‘unpredictable number’ generated by an ATM is in fact predictable, this might create the opportunity for an attack in which a criminal with temporary access to a card (say, in a Mafia-owned shop) can compute the authorization codes needed to draw cash from that ATM at some time in the future for which the value of the UN can be predicted.”
Banks, meanwhile, are standing firmly behind EMV and chip-and-PIN and are refusing to refund customers protesting fraudulent transactions. Banks are telling customers that EMV is secure and that they are either mistaken about a transaction or lying. Meanwhile, many wouldn’t have the mechanisms or procedures to patch PIN entry devices in the field if the need arose.
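The structure the researchers describe (a fixed 17-bit value followed by a 15-bit counter) is something an acquirer or bank can test for in its own transaction logs. The following is an added example, not code from the researchers' paper or from this article: it audits the UNs logged for one terminal for bits that never change and for a low-order field that ticks at a steady rate. The function names, the thresholds, the 5.5 ms tick (chosen so that 2^15 steps take about three minutes) and the 17-bit prefix are assumptions, and the log data is constructed.

```python
import random
from statistics import median

WIDTH = 32
ALL = (1 << WIDTH) - 1

def fixed_bit_mask(uns):
    """Mask of bit positions that never change across the logged UNs."""
    ones, zeros = ALL, ALL
    for un in uns:
        ones &= un            # bits that were 1 in every sample
        zeros &= ~un & ALL    # bits that were 0 in every sample
    return ones | zeros

def audit_terminal(samples, min_samples=16, tolerance=0.05):
    """samples: time-ordered (seconds, UN) pairs logged for one terminal."""
    if len(samples) < min_samples:
        return {"verdict": "insufficient-data"}
    uns = [un for _, un in samples]
    mask = fixed_bit_mask(uns)
    free = ~mask & ALL
    counter_like = False
    if free and free & (free + 1) == 0:      # varying bits are the low k bits
        modulus = free + 1
        rates = [((b - a) % modulus) / (tb - ta)
                 for (ta, a), (tb, b) in zip(samples, samples[1:]) if tb > ta]
        if rates:
            mid = median(rates)
            close = sum(abs(r - mid) <= tolerance * mid for r in rates)
            counter_like = close >= 0.8 * len(rates)   # steady ticks per second
    fixed = bin(mask).count("1")
    weak = fixed > 0 or counter_like or len(set(uns)) < len(uns)
    return {"verdict": "weak" if weak else "ok", "fixed_bits": fixed,
            "counter_like": counter_like}

def constructed_logs(n=60, seed=2012):
    """Constructed data: one terminal built as quoted above, one sound one."""
    rng = random.Random(seed)
    t, weak, good = 0.0, [], []
    for _ in range(n):
        t += rng.uniform(5, 60)                      # seconds between transactions
        counter = int(t / 0.0055) % (1 << 15)        # assumed 5.5 ms tick
        weak.append((t, (0x1A2B3 << 15) | counter))  # made-up 17-bit prefix
        good.append((t, rng.getrandbits(32)))
    return weak, good

if __name__ == "__main__":
    for name, log in zip(("weak", "good"), constructed_logs()):
        print(name, audit_terminal(log))
```

With a few dozen samples, even one constant bit in a 32-bit UN is very unlikely to occur by chance, so a non-zero fixed_bits count alone justifies investigating the terminal.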