Chip and PIN no longer secure – defences are smashed

12 Feb 2010

Researchers at Cambridge University have revealed that chip and PIN readers can be tricked into accepting transactions without a valid PIN, and suggest that fraudsters are already on the case.

The research team from the University of Cambridge’s computer laboratory has found that the EMV – Europay, MasterCard and Visa – chip and PIN protocol is broken.

EMV is the dominant protocol used for smart-card payments worldwide, with more than 730 million cards in circulation.

Chip and PIN is used across Europe and is being rolled out in Canada. It secures credit and debit-card transactions by authenticating both the card and the customer presenting it, through a combination of cryptographic authentication codes, digital signatures and PIN entry.

Chip and PIN reader flaw

The flaw identified by Steven Murdoch, Saar Drimer, Ross Anderson and Mike Bond allows fraudsters to use a genuine card to make a payment without knowing the card’s PIN and to remain undetected even when the merchant has an online connection to a bank network.

The researchers conducted an attack that succeeded in tricking the card reader into authenticating a transaction, even though no valid PIN was entered.

In a subsequent test, they were able to authenticate transactions without the correct PIN using cards from six different issuers, including Barclaycard, Halifax, Bank of Scotland and HSBC.

They were able to crack the chip and PIN system using a general-purpose FPGA board, a laptop and a smart-card reader.

They reckon the attack could easily be miniaturised and ported onto smaller hardware devices and would not require a PC at all. They even envision the creation of a ‘carrier’ card that hosts a cutout of the original card and interfaces with a microcontroller that communicates with the merchant’s terminal.

Problem with EMV protocol

The researchers pointed out that the central problem with the EMV protocol is that it allows the card and terminal to generate ambiguous data about the verification process that a bank will accept as valid.

The terminal may record that PIN verification took place, while the card itself receives a verification result that does not state that a PIN was used. Because the bank sees nothing inconsistent in the two records, it accepts the authorisation and the transaction goes ahead.
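To make the ambiguity concrete from the issuing bank's side, the following is an added example, not code from the article or from the Cambridge researchers. It models the two records the article describes: the terminal's account of cardholder verification, carried in the EMV CVM Results field (tag 9F34, three bytes, whose CVM codes and result byte follow EMV Book 3), and the card's own record of whether it verified a PIN. In real EMV the card-side record lives in card-specific issuer data; here it is reduced to a single constructed boolean, and the `reconcile` function and its decision strings are assumptions of this example. The check an issuer could apply is simple: if the terminal claims that an offline PIN was verified by the card but the card itself reports no PIN verification, the two records disagree and the transaction should not be approved on the terminal's word alone.

```python
# Added example (not from the article or the Cambridge paper): an issuer-side
# consistency check between the terminal's CVM Results and the card's own
# record of PIN verification. All sample transactions below are constructed.

# CVM codes carried in the low six bits of CVM Results byte 1 (EMV Book 3).
OFFLINE_PIN_CODES = {0x01, 0x03, 0x04, 0x05}  # plaintext/enciphered PIN verified by the card
ONLINE_PIN_CODE = 0x02                         # enciphered PIN sent to the issuer
SIGNATURE_CODE = 0x1E
NO_CVM_CODE = 0x1F

# CVM Results byte 3: outcome of the CVM as known to the terminal.
CVM_RESULT_NAMES = {0x00: "unknown", 0x01: "failed", 0x02: "successful"}


def parse_cvm_results(cvm_results: bytes) -> dict:
    """Decode the three-byte CVM Results field reported by the terminal."""
    if len(cvm_results) != 3:
        raise ValueError("CVM Results must be exactly 3 bytes")
    code = cvm_results[0] & 0x3F  # bit 7 ('apply next rule on failure') is not part of the code
    return {
        "cvm_code": code,
        "offline_pin": code in OFFLINE_PIN_CODES,
        "online_pin": code == ONLINE_PIN_CODE,
        "condition": cvm_results[1],
        "result": CVM_RESULT_NAMES.get(cvm_results[2], "reserved"),
    }


def reconcile(cvm_results: bytes, card_pin_verified: bool) -> tuple:
    """Issuer-side check (assumed design): compare the terminal's claim with the
    card's record. Returns (decision, reason).

    card_pin_verified models the card's own record of a successful offline PIN
    check; in real deployments it would be taken from card-specific issuer data.
    """
    terminal = parse_cvm_results(cvm_results)

    if terminal["offline_pin"]:
        if terminal["result"] == "failed":
            return ("decline", "offline PIN verification failed")
        if terminal["result"] == "successful" and not card_pin_verified:
            # This is the ambiguity the article describes: the terminal says the
            # card verified a PIN, the card says it never did.
            return ("decline", "terminal claims offline PIN verified but card reports no PIN verification")
        return ("approve", "terminal and card both record offline PIN verification")

    if terminal["online_pin"]:
        # The card cannot verify an online PIN; the issuer checks the PIN block itself.
        return ("check_online_pin", "issuer must verify the enciphered PIN before approving")

    # Signature or no CVM: the terminal makes no PIN claim, so the card's
    # 'no PIN verified' record is consistent with it.
    return ("approve", "no PIN claimed by terminal; records are consistent")


def run_samples() -> list:
    """Run constructed transactions through the check and return the decisions."""
    samples = [
        # (description, CVM Results bytes, card's own PIN-verified record)
        ("genuine offline PIN",      b"\x41\x03\x02", True),   # plaintext PIN by card, success
        ("PIN claimed, card disagrees", b"\x41\x03\x02", False),  # the flaw in the article
        ("signature transaction",    b"\x5E\x00\x00", False),  # no PIN claimed
        ("online PIN",               b"\x42\x00\x00", False),  # issuer verifies PIN itself
    ]
    return [(name, reconcile(cvm, card)[0]) for name, cvm, card in samples]


if __name__ == "__main__":
    for name, decision in run_samples():
        print(f"{name:28s} -> {decision}")
```

The second sample is the case the article describes: both records look individually valid, and only comparing them reveals that the PIN claim is unsupported by the card.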

They say in their paper: “Attacks such as this could help explain the many cases in which a card has supposedly been used with the PIN, despite the customer being adamant that they have not divulged it.

“So far, banks have refused to refund such victims, because they assert that a card cannot be used without the correct PIN: this paper shows that their claim is false.”

By John Kennedy


John Kennedy is a journalist who served as editor of Silicon Republic for 17 years