Chip-And-PIN Authentication Thwarted, Researchers Say

Cambridge University researchers looking into chip-and-PIN security say they successfully tricked a point-of-sale terminal into accepting a “dummy” PIN for a smart card using a “man-in-the-middle” attack.

In a research paper released this week, the researchers, who recently tested Visa Inc.’s and MasterCard Worldwide’s online security measures and found them weak, say they were able to dupe the protocol governing PIN verification for EMV cards. They tricked the terminal into believing PIN verification had succeeded by responding with a success code without actually sending the PIN to the card.

“The card will then believe that the terminal did not support PIN verification and has either skipped cardholder verification or used a signature instead,” the report states. Neither the card nor terminal will spot this subterfuge because the cardholder verification code included in the terminal verification results is set only if PIN verification has been attempted and failed, the report continues.

Terminal verification result codes record what happened during a transaction, such as whether a card is expired or the status of a PIN entry.

Researchers created a “man-in-the-middle” by using a dummy card connected to a computer linked to a computing chip able to communicate with the POS terminal. They successfully completed a transaction with the wrong PIN and withdrew funds from an account.

“This attack can be used to make fraudulent purchases on a stolen card,” the report says. “We have demonstrated that the live banking network is vulnerable by successfully placing a transaction using the wrong PIN.”

The researchers, Ross Anderson, Steven J. Murdoch, Saar Drimer and Mike Bond, will present the report in May at the IEEE Symposium on Security and Privacy in Oakland, Calif. They cite the complexity of the EMV specification as “a major contributing factor” for why these “protocol flaws” were not discovered earlier. EMV protocols cover 707 pages, plus an additional 2,126 pages for testing documentation, they say. Individual card brands also have specifications issuers must follow.

One preventive measure is to have the terminal read another bit of EMV code that includes the result of a PIN verification, the researchers say.
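The consistency check this countermeasure implies, sketched as an added example that is not code from the researchers' paper or from the article: it compares what the terminal reports about cardholder verification with the card's own view. The bit and code values are from the public EMV specification rather than the article, and `card_pin_verified` is a hypothetical, already-decoded flag standing in for card-generated data whose real layout is scheme-specific.

```python
from dataclasses import dataclass

# Bit and code values below come from the public EMV specification, not the article.
TVR_CV_NOT_SUCCESSFUL = 0x80                    # TVR byte 3, bit 8
OFFLINE_PIN_METHODS = {0x01, 0x03, 0x04, 0x05}  # CVM codes where the card checks the PIN
CVM_RESULT_SUCCESSFUL = 0x02                    # CVM Results byte 3


@dataclass
class AuthRecord:
    tvr: bytes               # Terminal Verification Results (5 bytes)
    cvm_results: bytes       # terminal's CVM Results (3 bytes)
    card_pin_verified: bool  # ASSUMPTION: card-side flag already decoded by the issuer


def tvr_flags_cv_failure(rec: AuthRecord) -> bool:
    # Set only when verification was attempted and failed, as the report notes.
    return bool(rec.tvr[2] & TVR_CV_NOT_SUCCESSFUL)


def terminal_claims_offline_pin(rec: AuthRecord) -> bool:
    method = rec.cvm_results[0] & 0x3F  # low six bits select the method
    return method in OFFLINE_PIN_METHODS and rec.cvm_results[2] == CVM_RESULT_SUCCESSFUL


def assess(rec: AuthRecord) -> str:
    if len(rec.tvr) != 5 or len(rec.cvm_results) != 3:
        return "malformed"
    if tvr_flags_cv_failure(rec):
        return "cv-failed"
    if terminal_claims_offline_pin(rec) and not rec.card_pin_verified:
        return "mismatch"   # terminal saw "PIN OK", the card never checked a PIN
    return "consistent"


# Constructed sample records (not captured traffic).
SAMPLES = {
    "genuine PIN": AuthRecord(bytes(5), bytes.fromhex("410302"), True),
    "success code injected": AuthRecord(bytes(5), bytes.fromhex("410302"), False),
    "signature": AuthRecord(bytes(5), bytes.fromhex("1e0300"), False),
    "wrong PIN": AuthRecord(bytes.fromhex("0000800000"), bytes.fromhex("410301"), False),
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(f"{name:22} tvr_flag={tvr_flags_cv_failure(rec)!s:5} -> {assess(rec)}")
```

The second sample has a clean TVR yet is reported as a mismatch, which is why the TVR alone cannot expose the condition the report describes.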

In a statement, the UK Card Association, an issuer trade group, discounted the likelihood of this type of attack on a chip-and-PIN transaction.

“We believe that this complicated method will never present a real threat to our customers’ cards. It requires possession of a customer’s card and, unfortunately, there are much simpler ways to commit fraud under these circumstances at much less risk to the criminal. This fraud is also detectable by the industry’s systems,” the statement says. “We will shortly announce fraud figures for 2009 that show that fraud committed on lost and stolen cards is at its lowest level for two decades.”

Neither MasterCard nor Visa representatives were available for comment by PaymentsSource’s deadline.

