EMV protocol flaw allows 'pre-play' attacks against chip-enabled payment cards, researchers say

Cambridge university researchers find weaknesses in the EMV protocol that can facilitate cloning-like attacks for chip-and-PIN payment cards

Many automated teller machines (ATMs) and point-of-sale (POS) terminals fail to properly generate random numbers that are required by the EMV protocol to securely authenticate transaction requests, according to a team of researchers from the University of Cambridge in the U.K.

The use of defective random number generation algorithms make those payment devices vulnerable to so-called "pre-play" attacks that allow criminals to send fraudulent transaction requests from rogue chip-enabled credit cards, the researchers said in a paper released Tuesday.

The EMV (Europay, MasterCard and Visa) standard requires the use of payment cards with integrated circuits that are capable of performing specific cryptographic functions. These cards are commonly known as chip-and-PIN cards, EMV cards or IC (integrated circuit) cards.

EMV-compliant devices need to generate so-called "unpredictable numbers" (UNs) for every transaction request in order for the card issuers to verify the "freshness" of these requests.

Older versions of the EMV specification didn't provide clear instructions for how these random numbers should be generated and only required that payment devices generate four different consecutive UNs to be compliant.

"So, if you're a programmer, you can implement this as a counter," said Ross Anderson, professor of security engineering at Cambridge University and one of the paper's authors. "We found ATMs and PoS terminals where this is what they [the manufacturers] seem to have done."

The researchers analyzed UNs generated for over 1,000 transactions by 22 different ATMs and 5 PoS terminals in the U.K. and searched for patterns that would suggest the use of weak random number generation algorithms by those devices. They also reverse engineered ATMs acquired from eBay to inspect their UN generation algorithms.

When a payment device wants to initiate a transaction it sends the transaction details -- the amount, the currency, the date of the transaction, etc. -- to the EMV card inserted in its card reader together with a UN generated on the fly.

The card uses a secret encryption key that is securely stored on its chip to compute an authorization request cryptogram (ARQC) from the transaction data and the UN. The payment device then sends this cryptogram together with the encrypted PIN and the UN in plain-text form to the card issuing bank for verification.

The bank decrypts the ARQC and validates the information inside. It also compares the UN found inside the cryptogram with the plain-text one and if they match, it treats the transaction as fresh and authorizes it.

The payment device could end up generating predictable numbers instead of random ones due to a bad design, Anderson said.

It is better for the bank to generate the UN and send it to the card, he said. Then the card would use the unpredictable number and the transaction details to compute an ARQC, which would be sent back to the bank for verification.

If attackers can predict what UN a particular model of ATMs or payment terminals will generate at a future point in time, they can force genuine cards to compute ARQCs for transactions with a future date and then use those ARQCs with rogue chip cards.

In one scenario, for example, a customer goes into a coffee shop that happens to be controlled by a criminal gang and which uses payment terminals with maliciously modified firmware.

The customer would then insert his payment card into one of the rogue terminals in order to pay for his coffee. When this happens, the terminal would record the customer's payment card information and PIN and, in addition to initiating the legitimate payment, would force the card to generate an ARQC for a transaction with a future date and a specific UN.

In this case, the UN would be a number the attackers know that a particular ATM model will generate at a future point in time. After receiving the ARQC from the card, the rogue terminal wouldn't submit it to the card issuer for verification and wouldn't display anything on the screen.

A criminal would then be able to create a rogue card with information matching the customer's genuine card and program it with the pre-recorded ARQC. That card could later be used to withdraw an amount of money specified in the pre-generated ARQC when the time is right and the target ATM generates the predictable UN.

Pulling off this type of attack at a PoS terminal in the U.K. for example would not even require the correct PIN, Anderson said. PoS terminals don't send PINs to card issuers and validate them offline instead, by comparing them to values stored on the cards themselves. Since an attacker is using a rogue card they can program whatever PIN value they want on it and just type that at the PoS terminal, Anderson said.

What appears in the issuing bank's records as a result of a pre-play attack is no different from what would appear as a result of traditional card cloning attacks, a type of attack that the banking industry has repeatedly claimed cannot happen with EMV, Anderson said.

Fixing the UN generation algorithms would not prevent all pre-play attack scenarios, the researchers said in their paper. As long as the UNs are generated by the payment devices and not the card issuers, other attack methods are possible, as malware running on an ATM could sabotage the UN choice, the researchers said.

This research shows that when a customer disputes a transaction, the transaction logs from the acquiring bank and the merchant need to be taken into consideration in addition to the logs of the card issuing bank, Anderson said.

"We take anything of this nature extremely serious, but what we would say is that there is absolutely no evidence that this type of fraud is happening in the real world," said Mark Bowerman a spokesman for the UK Cards Association. "Part of the reason for that is that this is a very complicated and technically difficult attack to achieve."

Anderson disputes that. "We present the evidence in the paper," he said. "We gave them advance responsible disclosure of this. We discussed it with bank officials in February, so the industry has known about this and some insiders have admitted that they knew it was a problem."

In their paper, the Cambridge researchers said that they started researching possible issues with EMV unpredictable numbers after looking into the case of an HSBC Bank customer from Malta who was declined reimbursement for what the customer claimed were fraudulent transactions performed at an ATM in Palma de Mallorca, Spain in June 2011. In that case the transaction logs obtained from the bank revealed that UNs associated with the disputed transactions were predictable.

"Since we became aware of the contents of this paper, the industry has undertaken steps to ensure that this type of attack can't happen," Bowerman said. "In the unlikely event that it were to happen, and there's been no evidence to date that an attack of this nature has happened, anybody who's been an innocent victim of this fraud would get their money back from their bank."

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?