Transaction security at the point of sale is the centerpiece of EMV-based payments. But are the smart chips in the cards all that secure?
Apparently not. At least that’s the contention of University of Cambridge researchers who say they found two serious problems with the chips that could make them vulnerable to “pre-play” attacks, which are indistinguishable from the very card cloning the cards are designed to prevent.
Such problems also raise the question of whether the U.S. payment card industry is rushing too quickly to support a decades-old technology as one of its chief strategies for combating counterfeit card fraud. Some, including Market Platform Dynamics CEO Karen Webster, just aren’t seeing the logic in the pursuit.
The four major card brands in October 2015 will shift the liability for counterfeit card fraud to the issuer or the merchant, whichever can’t support an EMV transaction at the time a card is presented for payment. The same shift will apply to petroleum retailers two years later.
While no one considers EMV an end-all solution to payment fraud, mobile solutions and sophisticated cards that include biometric elements are available today and could provide more advanced security that better keeps up with the highly sophisticated attacks being leveled by fraudsters, EMV skeptics say.
EMV cards issued today also contain magnetic stripes, which are vulnerable to skimming attacks used to produce counterfeit cards. However, mag stripes on EMV cards contain codes notifying clerks to use the chip on the card, and the codes also make skimmed mag-stripes on the cards unusable for the same reason.
At the center of the security flaws the Cambridge research found is the “nonce,” the unpredictable 32-bit number used in EMV ATM and point-of-sale transactions to show that they’re fresh and can’t be reused by fraudsters. Some EMV implementers, the researchers found, have used simple counters, timestamps or homegrown algorithms to supply the nonce.
“This exposes them to a ‘pre-play’ attack, which is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be carried out, even if it is impossible to clone a card physically,” the study report says, adding that flaws were found in ATMs from major manufacturers.
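A defender-side check for the weakness described above, added here as an example and not taken from the Cambridge report or any vendor: it audits a terminal's logged 32-bit nonces for counter-like, clock-like or partly fixed values. The function name, thresholds and sample values are assumptions constructed for illustration.

```python
from collections import Counter

def audit_nonces(nonces):
    """Return weakness labels for 32-bit terminal nonces, given in generation order."""
    if len(nonces) < 8:
        raise ValueError("need at least 8 samples")
    if any(not 0 <= n < 2**32 for n in nonces):
        raise ValueError("nonces must be 32-bit unsigned values")
    findings = []
    # Step between consecutive nonces, modulo 2**32 so counter wrap-around is handled.
    deltas = [(b - a) % 2**32 for a, b in zip(nonces, nonces[1:])]
    _, top = Counter(deltas).most_common(1)[0]
    if top / len(deltas) >= 0.9:
        findings.append("counter")      # same step almost every time
    elif all(0 < d < 2**16 for d in deltas):
        findings.append("monotonic")    # always a small increase, e.g. a clock
    # Bits that never change across the sample contribute no entropy.
    varying = 0
    for n in nonces:
        varying |= n ^ nonces[0]
    if 32 - bin(varying).count("1") >= 8:
        findings.append("fixed-bits")
    if len(set(nonces)) < len(nonces):
        findings.append("repeats")
    return findings

# Constructed sample data (not taken from any real terminal).
COUNTER = [0x00001000 + i for i in range(12)]
GAPS = [0, 37, 95, 160, 161, 240, 355, 420, 600, 610, 777, 900]
TIMESTAMPS = [1400000000 + g for g in GAPS]   # seconds-resolution clock values
RANDOM_LOOKING = [
    0x9F3A61C4, 0x27D80B5E, 0xE4115A93, 0x5B8CF207,
    0xC36E94D8, 0x08A7D3F1, 0x71F02C6A, 0xBD4938E5,
    0x1A65C70B, 0xD6923F4C, 0x4E0BA8B6, 0x83C4E52D,
]

if __name__ == "__main__":
    samples = [("counter", COUNTER), ("timestamps", TIMESTAMPS),
               ("random-looking", RANDOM_LOOKING)]
    for name, sample in samples:
        print(name, audit_nonces(sample) or "no weak pattern found")
```

An empty result only means none of these crude patterns appeared in the sample; it does not show that the generator is unpredictable.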
PYMNTS.com reached out to the two leading bank-ATM manufacturers, Diebold and NCR, for a reaction. Neither was mentioned directly in the report.
Diebold, which wasn’t mentioned in the report, said it would take time to review the whole study, but it will certainly review it in the context of the company’s EMV-related offerings and draw some conclusions from which it might implement improvements. “Maintaining security at the ATM is a constant process that requires effective protocols at multiple layers – from the manufacturer, to the deployer, to the servicer and even to the user,” a company spokesperson said in an emailed statement. “We closely monitor all attacks against Diebold and other vendors’ ATMs, as well as review academic studies such as this to enhance our security capabilities, and will continue to deliver solutions to combat emerging threats.”
NCR did not provide a comment by deadline.
The other flaw is a protocol failure, where attackers can replace the actual random number the terminal generates with one they used earlier when capturing an authentic code from the card, according to the report. Malware in an ATM or POS terminal can carry out this variant of the pre-play attack, as could a “man-in-the-middle” between the terminal and the acquirer, the researchers said.
The findings should not come as a surprise to technology and security experts, as they were disclosed some time ago. Since that time, banks have only partially responded with fixes, the report notes.
“More than a year after our initial responsible disclosure of these flaws to the banks, action has only been taken to mitigate the first of them, while we have seen a likely case of the second in the wild, and the spread of ATM and POS malware is making it ever more of a threat,” the report notes.