Cambridge researchers may have come up with an explanation for "phantom" withdrawals

Sep 12, 2012 11:23 GMT  ·  By

Researchers from the University of Cambridge have identified a flaw that could allow fraudsters to clone EMV chip-and-PIN payment cards. Mike Bond, Omar Choudary, Steven Murdoch, Sergei Skorobogatov and Ross Anderson have written a paper on the topic, which they’ll present in detail at an upcoming conference in Belgium.

According to the experts, an EMV card authenticates each transaction to the issuing bank with a MAC over the transaction data (the authorization request cryptogram, or ARQC). One of the inputs to that MAC is a 32-bit value supplied by the terminal, the "unpredictable number" (UN), whose job is to make every cryptogram fresh so that one captured earlier cannot be replayed. As it turns out, this unpredictable number is rather predictable.

In the flawed devices the researchers examined, the 32-bit UN field consisted of 17 bits that stayed the same from one transaction to the next and 15 bits that behaved "like a counter." Because those 15 bits follow a pattern instead of being random, an attacker who has watched a few transactions can predict the values the terminal will generate next.

The researchers attribute the problem to poor implementation, by banks and by ATM and point-of-sale (POS) device manufacturers, of the part of the protocol responsible for generating the UN.

The worrying part is that anyone who can predict the UN a terminal will issue can harvest the matching cryptograms from the genuine card in advance and replay them later, effectively cloning the card for those transactions; the researchers call this a "pre-play attack." Even more worrying is that there are indications fraudsters already know about this weakness, which so far is the most plausible explanation for many of the mysterious fraudulent withdrawals.

The flaw came to light while the researchers were investigating ATM withdrawals disputed by an HSBC customer in Malta.

So far they have tested their theory by performing over 1,000 transactions at over 20 ATMs and a number of POS terminals. Analysis of the data revealed "non-uniformity of unpredictable numbers" in half of the devices tested.

Another noteworthy finding is that the crooks do not even have to predict the numbers. If they can compromise the software of a POS terminal or a payment switch, they can "superimpose" a UN of their own choosing on the transaction, so that a cryptogram collected earlier matches it.