Researchers in the United Kingdom say they have mounting evidence that thieves have been quietly exploiting design flaws in a security system widely used in Europe and Australia to prevent credit and debit card fraud at cash machines and point-of-sale devices.
At issue is an anti-fraud system called EMV (short for Europay, MasterCard and Visa), also known as "chip-and-PIN". The cards include a secret algorithm embedded in the chip that encodes the card data, making it more difficult for fraudsters use stolen cards at EMV-compliant terminals.
Chip-and-PIN is widely supported in Australia, where major card brands work with banks and ATM and payment terminal makers to support the technology.
EMV standards call for cards to be authenticated to a payment terminal or ATM by computing several bits of information, including the charge or withdrawal amount, the date, and a so-called "unpredictable number". But researchers from the computer laboratory at Cambridge University say they discovered some payment terminals and ATMs rely on little more than simple counters, or incremental numbers that are quite predictable.
"The current problem is that instead of having the random number generated by the bank, it's generated by the merchant terminal," said Ross Anderson, professor of security engineering at Cambridge, and an author of a paper being released this week titled, Chip and Skim: Cloning EMV cards with the Pre-Play Attack.
Anderson said the failure to specify that merchant terminals should insist on truly random numbers, instead of merely non-repeating numbers — is at the crux of the problem.
"This leads to two potential failures: If the merchant terminal doesn't a generate random number, you're stuffed," he said in an interview. "And the second is if there is some wicked interception device between the merchant terminal and the bank, such as malware on the merchant's server, then you're also stuffed."
The "pre-play" aspect of the attack mentioned in the title of their paper refers to the ability to predict the unpredictable number, which theoretically allows an attacker to record everything from the card transaction and to play it back and impersonate the card in additional transactions at a future date and location.
Anderson and a team of other researchers at Cambridge started their research more than nine months ago, when they first began hearing from European bank card users affected by fraud — even though they had not shared their PIN with anyone.
The victims' banks refused to reimburse the losses, arguing that the EMV technology made the claimed fraud impossible. But the researchers suspected that fraudsters had discovered a method of predicting the supposedly unpredictable number used by specific point-of-sale devices or ATMs models.
For example, the team heard from a physics professor in Stockholm who went to Brussels and bought a meal at a nice restaurant for 255 euros, and immediately after midnight that evening had his card debited with two transactions of 750 euros each at another payment terminal nearby.
Anderson said the team had "lots and lots of victims" coming to them (several others are mentioned in the group's blog post on the paper), complaining of being ripped off and then denied help from their banks. The researchers say they notified the appropriate banking industry organisations of their findings in early 2012, but opted to publish their work because it they believe it helps to explain good portion of the unsolved phantom withdrawal cases reported to them for which they previously had no explanation.
"The point here is that when a bank turns down a customer because [a fraudulent transaction] looks like cloning and cloning isn't possible because the card has a tamper resistant chip, we show that this kind of logic doesn't stand up," Anderson said.
The research team said their work is informed by data collected from more than 1000 transactions at more than 20 ATMs and a number of point-of-sale terminals. They also purchased three EMV-enabled ATMs off of eBay, and began systematically harvesting unpredictable numbers from them in hopes of finding predictable random number generators. Their research on this front is ongoing, but so far the group says it has established non-uniformity of unpredictable numbers in half of the ATMs they looked at.
In response to inquiries from the BBC, a spokeswoman for the UK's Financial Fraud Action group downplayed the threat, telling the publication: "We've never claimed that chip and pin is 100 percent secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud. What we know is that there is absolutely no evidence of this complicated fraud being undertaken in the real world. It requires considerable effort to set up and involves a series of co-ordinated activities, each of which carries a certain risk of detection and failure for the fraudster."
Anderson says the industry's response is typical.
"They're saying this is too complex a fraud for the average villain to conduct, but they always say that, and they said that about our PIN entry device compromise research in 2008, despite the fact that it was already happening in the field. The second thing they're saying is they have no evidence of real cases. And that's exactly what they said in 2010, when we released our no-PIN fraud research. But we later learned that the UK cards association did at the time know that there were no-PIN frauds going on in France to the tune of about a million euros. Then when we went back and said, 'Aha, we've got them for making false statements,' it turned out that they'd written their statement very carefully to say they had no evidence of this happening in Britain, not no evidence of this happening full-stop. So this is following an established pattern by bank PR people of carefully denying it in ways that don't stand up."
A copy of the research paper is available here (PDF).