Bank Cards Vulnerable to Undetectable “Pre-Play” Attacks
Popular Chip and PIN bank cards are vulnerable to “pre-play” attacks, a type of card cloning fraud which can’t be detected by regular banking procedures, a new study by University of Cambridge researchers reveals.
It seems the EMV “Chip and PIN” standard, widely implemented for 1.62 billion payment cards, can be exploited to empty people’s accounts. A cryptographic weakness allows the hacker to perform a man-in-the-middle attack and intercept the unique authentication code required by an ATM to complete a transaction. The 32-bit number can be easily predicted, as half of the ATMs and merchant terminals analyzed generate it through counters or timestamps.
A second protocol flaw gives the attacker the opportunity to replace the otherwise random number with the intercepted code.
To carry out the attack, after gaining temporary access to the card, the attacker requests authentication codes corresponding to the so-called random number. He then intercepts a second terminal’s communication with the bank and loads the known authentication code onto the cloned card to empty the victim’s account.
Since the authentication codes on the cloned card match those the real card would have provided, the bank can’t recognize the fraudulent transaction, the study says.
Cambridge researchers said they have proven the EMV system is not hacker-proof. “We are now publishing the results of our research so that customers whose claims for refunds have been wrongly denied have the evidence to pursue them, and so that the crypto, security and bank regulation communities can learn the lessons,” they said.
During their experiment, the researchers found flaws in widely used ATMs from most manufacturers.
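The article notes that half of the terminals analyzed derived the 32-bit number from counters or timestamps. The following is an added example, not code from the study or the article, of how a terminal operator could audit logged values for those two patterns; the function name, the log format of (time, number) pairs and all sample values are constructed assumptions.

```python
"""Audit a terminal's logged 32-bit numbers for counter- or clock-derived generation."""
from statistics import median

MASK = 0xFFFFFFFF

def classify_numbers(records, small_step=1 << 16):
    """records: (unix_seconds, number) pairs in log order (hypothetical log format).

    Returns 'timestamp', 'counter' or 'no-obvious-pattern'.
    """
    if len(records) < 4:
        raise ValueError("need at least 4 transactions to judge")
    times = [t for t, _ in records]
    nums = [n & MASK for _, n in records]
    # Forward differences modulo 2**32, so a wrapping counter is still caught.
    deltas = [(b - a) & MASK for a, b in zip(nums, nums[1:])]
    gaps = [b - a for a, b in zip(times, times[1:])]

    # Clock-derived: the value advances in step with wall-clock time, so the
    # ticks-per-second ratio is (nearly) the same across every gap.
    ratios = [d / g for d, g in zip(deltas, gaps) if g > 0]
    if len(ratios) == len(deltas):
        mid = median(ratios)
        if mid > 0 and all(abs(r - mid) <= 0.05 * mid for r in ratios):
            return "timestamp"

    # Counter: every step is a small positive increment. For uniformly random
    # 32-bit values each such step has probability about 2**-16.
    if all(0 < d < small_step for d in deltas):
        return "counter"
    return "no-obvious-pattern"

# Constructed sample logs (not real terminal data), irregular transaction times.
TIMES = [1700000000, 1700000041, 1700000300, 1700000312, 1700001000]
COUNTER_LOG = [(t, 0x00A41F03 + i) for i, t in enumerate(TIMES)]
WRAP_LOG = [(t, (0xFFFFFFFE + i) & MASK) for i, t in enumerate(TIMES)]
CLOCK_LOG = [(t, (t * 1000) & MASK) for t in TIMES]  # millisecond tick count
RANDOM_LOG = list(zip(TIMES, [0x9C3E71A2, 0x1F4B88D0, 0xE2075C19,
                              0x5A90B3F7, 0x03D6E84C]))

if __name__ == "__main__":
    for name, log in [("counter", COUNTER_LOG), ("wrapping counter", WRAP_LOG),
                      ("clock", CLOCK_LOG), ("random", RANDOM_LOG)]:
        print(f"{name:17s} -> {classify_numbers(log)}")
```

A result of `no-obvious-pattern` only rules out these two generators; it does not show that the values are unpredictable.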