[Update: added some extra links at http://avien.net/blog/?p=422]

Here, so to speak, is a bit of hot potato*.

Flippancy notwithstanding, this isn't really funny. For several years now, Brits have enjoyed a banking card system called chip and PIN, a simple form of two-factor authentication for in-person credit and debit card transactions. In countries where the system is in force, the customer has to authenticate his or her self in two ways:

  • Something they have (the card)
  • Something they know (the PIN, a four-digit Personal Identification Number).

In principle, this is somewhat more secure than the older system where you present a card and sign a slip. The system came into being in the UK on February 14th 2006. In the years since, there have, of course, been myriad attempts to bypass the system, some more successful than others. For example, the BBC programme Newsnight demonstrated a technique two years ago for intercepting communications between the card and terminal, and harvesting enough information to clone the card. Nonetheless, the system has had an appreciable impact on the types of attack it was originally intended to eliminate. Of course, it has by no means eliminated card fraud using other attacks: fraudulent activity has been displaced, not suppressed.

And now, Ross Anderson, a Cambridge (UK) security researcher of considerable experience and reputation, reports that research by "Steven Murdoch, Saar Drimer, Mike Bond and [Anderson himself] ... demonstrate[s] a middleperson attack on EMV [Europay, MasterCard and Visa] which lets criminals use stolen chip and PIN cards without knowing the PIN."

Their research paper describes how  "a man-in-the-middle device, which can intercept and modify the communications between card and terminal, can trick the terminal into believing that PIN verification succeeded by responding with 0x9000 to Verify, without actually sending the PIN to the card. A dummy PIN must be entered, but the attack allows any one to be accepted."

Anderson's post at http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/ addresses some misconceptions about the paper (which has been circulating in the banking industry for two months) that have already caught press attention.

  • The attack can be used online, where the merchant POS (Point Of Sale) terminal contacts the bank as well as offline.
  • The attack isn't restricted to small transactions below "floor limit"
  • The attack doesn't work with a card that's been cancelled, and it doesn't work with ATMs (cash machines)
  • The problem is known to apply to card schemes based .on the EMV protocol: the group don't know if it applies to less widely-used standards.

Banks don't refund losses where records show that a chip and PIN card has been used with the PIN, on the grounds that such a card can't be used without the PIN. Clearly, this isn't true, though it's not possible to say how many customers have been wrongly denied recompense.

The paper describes one way in which banks can fix the attack described while maintaining backwards compatibility with existing systems, and hopefully they've been working on that in the past two months. It concludes:

However, it is clear that the EMV framework is seriously flawed. Rather than leaving its member banks to patch each successive vulnerability, the EMV consortium should start planning a redesign and an orderly migration to the next version. In the meantime, the EMV protocol should be considered broken.

The sky hasn't fallen: this isn't an attack that anyone who happens to find a credit card can use. But it's a bit too close for comfort, and if the US Federal Reserve succeeds in persuading US banks to adopt EMV, it's going to matter far beyond the shores of the little island I happen to live on.

In the meantime, any bank claiming that a PIN-authenticated transaction must have been either kosher or the customer's fault should now expect to have to be able to prove its process is sound.

*A brief transatlantic translation note:

  • Chips in the UK are what USians call fries.
  • Chips in the US are what Brits call crisps.
  • To have had ones chips in the UK is more or less equivalent to having cashed in one's chips, or having bought the farm

[Hat tip to Sorin Mustaca for flagging this story.]

David Harley CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or http://twitter.com/ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/