September 30, 2016

In brief: Chip and pin random numbers not random enough

(LiveHacking.Com) – A vulnerability in the chip and pin payment system has been discovered by Cambridge University researchers. The chip and pin system is used throughout Europe and much of Asia, and is starting to be introduced in North America too.

As part of the system the payment card contains a chip that understands the system’s authentication protocol. As part of the protcol the point-of-sale (POS) terminals or the ATMs need to generate a random number for each transaction. However the team have discovered that some POSs and ATMs merely  used counters, timestamps or home-grown algorithms to generate this number.

The vulneravility leaves the system open to “pre-play” attacks which are indistinguishable from card cloning attacks.

The team’s research was presented at a cryptography conference in Leuven, Belgium, on Tuesday.

“If you can predict [the UN], you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location,” said researcher Mike Bond in a blog post. “You can as good as clone the chip. It’s called a pre-play attack.”

The Cambridge team have been in contact with leading banks to explain the risks to them, but they discovered that some had been “explicitly aware of the problem for a number of years”.

“The sort of frauds we’re seeing are easily explained by this, and by no other modus operandi we can think of,” researcher Prof Ross Anderson told the BBC. “For example, a physics professor from Stockholm last Christmas bought a meal for some people for 255 euros ($326, £200), and just an hour and a half later, there were two withdrawals of 750 euros made from a nearby cash machine used by what appears to have been a clone of his card.”

Share and Enjoy:
  • Print
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Yahoo! Buzz
  • Twitter
  • Google Bookmarks