Security researchers from Cambridge University have discovered a way to attack the chip and PIN cards.
Since the introduction of mandatory chip and PIN cards in the UK, there are reports that banks have increasingly turned away fraud victims on the grounds that such chip-embedded smartcards cannot be cloned.
The new cards have been heralded as the future of card security, with Westpac issuing them to customers and more banks are set to roll out the cards once the terminals that are compatible are deployed in Australia.
Cambridge PhD students and security researchers, Steven J Murdoch and Sarr Drimer, have shown that it the new cards can be easily cloned – causing a situation that have ruffled the feathers of banks, which rely on the Banking Code of Practise to deny compenstation.
The ability to reject the claims relies on the idea that cloning is the only manner in which fraud occurs on the smartcard only, in which the UK banks say it’s simply impossible.
“The banks have made grand claims of security [about chip and PIN]. It was said to be a safer way to pay but when you speak to the banks as a victim of fraud, they say there is no way to clone the chip and PIN card,” said Murdoch.
“What I’m going to show is that you don’t need to clone it in order to attack the system.”
By tampering with a chip and PIN terminal, Murdoch used a “relay attack” to capture the authentication information sent from the merchant’s POS terminal to the bank. However, the attack requires the involvement of at least two people for it to work. But, once the information is obtained, the fake transaction must occur within the time that the card is being read by the terminal.
While cloning is impossible, according to the banks, Murdoch shows that the authentication can be spied via the terminals compromised and can be transmitted over Bluetooth, GPRS or GSM networks to another person who completes the transaction.
Murdoch previously alerted the banks to the possible exploit a few years ago, but the idea was dismissed as a joke.
He has also offered four suggestions that this could be stopped: make the terminal tamper-resistant, physically examine the card to check for wires as that can indicate that the card is fraudulent, ensure the numbers embossed on the card’s front are the same on the receipt, or impose timing constraints on the authentication as the attack must occur during the time in which the transaction is happening to work.
The problem could be fixed by what scientists are calling “distance bounding protocol” in which the bank sends out a single bit challenge that only a legitimate card can unlock.