Chip and pin 'weakness' exposed by Cambridge researchers

  • Published
Chip and pin machine
Image caption,
Researchers said cards could effectively be cloned by exploiting the security flaw

A vulnerability in the widely used chip and pin payment system has been exposed by Cambridge University researchers.

Cards were found to be open to a form of cloning, despite past assurances from banks that chip and pin could not be compromised.

Poor implementation of cryptography methods were behind the flaw, researchers said.

They accused some banks of "systematically" suppressing information about the vulnerabilities.

Pre-play attack

The team's research was presented at a cryptography conference in Leuven, Belgium, on Tuesday.

The paper said despite chip and pin being in use for over a decade, it was only recently "starting to come under proper scrutiny from academics, media and industry alike".

Each time a customer is involved in a chip and pin transaction, be it withdrawing cash or purchasing goods in a shop, a unique "unpredictable number" is created to authenticate the transaction.

The unpredictable number (UN), generated by software within cash points and other similar equipment, is supposed to be chosen at random.

But researchers discovered that in many cases lacklustre equipment meant the number was highly predictable, because dates or timestamps had been used.

"If you can predict [the UN], you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location," said researcher Mike Bond in a blog post.

"You can as good as clone the chip. It's called a pre-play attack."

'Explicitly aware'

"The sort of frauds we're seeing are easily explained by this, and by no other modus operandi we can think of," researcher Prof Ross Anderson told the BBC.

"For example, a physics professor from Stockholm last Christmas bought a meal for some people for 255 euros ($326, £200), and just an hour and a half later, there were two withdrawals of 750 euros made from a nearby cash machine used by what appears to have been a clone of his card."

Image caption,
The chip and pin system is used by more than a billion cards worldwide

The researchers said they had been in contact with leading banks to detail the risks, but some had been "explicitly aware of the problem for a number of years".

"The extent and size of the problem was a surprise to some," the report said.

"Others reported already being suspicious of the strength of unpredictable numbers."

The paper added: "If those assertions are true, it is further evidence that banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds."

The team called for greater scrutiny from financial authorities into the security systems in use by banks.

In a statement given to the BBC, a spokeswoman for the UK's Financial Fraud Action group said: "We've never claimed that chip and pin is 100% secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud.

"What we know is that there is absolutely no evidence of this complicated fraud being undertaken in the real world. It requires considerable effort to set up and involves a series of co-ordinated activities, each of which carries a certain risk of detection and failure for the fraudster.

"All these features are likely to make it less attractive to a criminal than other types of fraud."

Man-in-the-middle

Chip and pin is the leading processing and authentication method for credit and debit card payments, with many more than a billion cards in use worldwide.

Believed to be far more secure than previous technology, such as a magnetic strip, adoption of chip and pin had led to banks becoming more aggressive when dealing with compensation claims, the researchers said.

A British Crime Survey carried out in 2008-9 indicated 44% of fraud victims were not fully compensated. Of the 44%, 55% lost between £25 and £499, and 32% lost £500 or more.

However, refusal to offer compensation in some cases led to further investigation and vulnerabilities being discovered.

Prior research from the same team demonstrated how a relatively simple man-in-the-middle device - one that sits between two components in a process, such as a card and a chip and pin machine - can trick the system into thinking the correct pin has been entered.

In addition, malware attacks on terminals can put them at risk of being hijacked.