EMV protocol flaw allows 'pre-play' attacks against chip-enabled payment cards, researchers say

Cambridge university researchers find weaknesses in the EMV protocol that can facilitate cloning-like attacks for chip-and-PIN payment cards

Many automated teller machines (ATMs) and point-of-sale (POS) terminals fail to properly generate random numbers that are required by the EMV protocol to securely authenticate transaction requests, according to a team of researchers from the University of Cambridge in the U.K.

The use of defective random number generation algorithms makes those payment devices vulnerable to so-called "pre-play" attacks that allow criminals to send fraudulent transaction requests from rogue chip-enabled credit cards, the researchers said in a paper released Tuesday.

The EMV (Europay, MasterCard and Visa) standard requires the use of payment cards with integrated circuits that are capable of performing specific cryptographic functions. These cards are commonly known as chip-and-PIN cards, EMV cards or IC (integrated circuit) cards.

EMV-compliant devices need to generate so-called "unpredictable numbers" (UNs) for every transaction request in order for the card issuers to verify the "freshness" of these requests.

Older versions of the EMV specification didn't provide clear instructions for how these random numbers should be generated and only required that payment devices generate four different consecutive UNs to be compliant.

"So, if you're a programmer, you can implement this as a counter," said Ross Anderson, professor of security engineering at Cambridge University and one of the paper's authors. "We found ATMs and PoS terminals where this is what they [the manufacturers] seem to have done."

The researchers analyzed UNs generated for over 1,000 transactions by 22 different ATMs and 5 PoS terminals in the U.K. and searched for patterns that would suggest the use of weak random number generation algorithms by those devices. They also reverse engineered ATMs acquired from eBay to inspect their UN generation algorithms.
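The kind of pattern search described above can be sketched as a check over one device's logged UNs, which an acquirer or issuer could run on its own transaction logs. This is an added example, not code from the researchers' paper; the function name, thresholds and sample values are assumptions constructed for illustration.

```python
from collections import Counter

UN_BITS = 32      # the EMV Unpredictable Number is a 4-byte field
MIN_SAMPLES = 8   # below this the stuck-bit test is too noisy (assumed threshold)

def analyze_uns(hex_uns):
    """Flag counter-like patterns in a time-ordered list of UNs from one device."""
    uns = [int(h, 16) for h in hex_uns]
    if len(uns) < MIN_SAMPLES:
        return {"verdict": "insufficient-data", "reasons": []}
    mask = (1 << UN_BITS) - 1
    deltas = [(b - a) & mask for a, b in zip(uns, uns[1:])]
    reasons = []
    # A counter shows the same difference between most consecutive values.
    step, hits = Counter(deltas).most_common(1)[0]
    if hits / len(deltas) >= 0.8:
        reasons.append("constant-step")
    # A clock- or counter-derived value only ever creeps upward.
    if all(0 < d < 1 << 16 for d in deltas):
        reasons.append("small-increments")
    # Bits that never change across the sample shrink the effective UN space.
    changed = 0
    for u in uns[1:]:
        changed |= u ^ uns[0]
    stuck = UN_BITS - bin(changed).count("1")
    if stuck >= 8:
        reasons.append("stuck-bits")
    # A repeated 32-bit value in a small sample is implausible for a sound RNG.
    if len(set(uns)) < len(uns):
        reasons.append("repeated-value")
    return {"verdict": "predictable" if reasons else "no-pattern-found",
            "reasons": reasons, "stuck_bits": stuck}

# Constructed sample logs (not real terminal data).
SAMPLES = {
    "atm-counter": ["0000A1F0", "0000A1F1", "0000A1F2", "0000A1F3",
                    "0000A1F4", "0000A1F5", "0000A1F6", "0000A1F7"],
    "pos-fixed-prefix": ["5A3C91B2", "5A3C07E4", "5A3CF310", "5A3C2A9D",
                         "5A3CC855", "5A3C6601", "5A3C1FFE", "5A3CB47A"],
    "atm-random-looking": ["9F3B21C7", "14D0E8A2", "C7A95F10", "3E62B48D",
                           "E105796B", "58FC03D4", "A2471E39", "6B98CAF6"],
}

if __name__ == "__main__":
    for name, uns in SAMPLES.items():
        print(name, analyze_uns(uns))
```

A "no-pattern-found" result only means these simple tests did not fire; it does not show that a device's generator is sound.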

When a payment device wants to initiate a transaction it sends the transaction details -- the amount, the currency, the date of the transaction, etc. -- to the EMV card inserted in its card reader together with a UN generated on the fly.

The card uses a secret encryption key that is securely stored on its chip to compute an authorization request cryptogram (ARQC) from the transaction data and the UN. The payment device then sends this cryptogram together with the encrypted PIN and the UN in plain-text form to the card issuing bank for verification.

The bank decrypts the ARQC and validates the information inside. It also compares the UN found inside the cryptogram with the plain-text one and if they match, it treats the transaction as fresh and authorizes it.

The payment device could end up generating predictable numbers instead of random ones due to a bad design, Anderson said.

It is better for the bank to generate the UN and send it to the card, he said. Then the card would use the unpredictable number and the transaction details to compute an ARQC, which would be sent back to the bank for verification.

If attackers can predict what UN a particular model of ATMs or payment terminals will generate at a future point in time, they can force genuine cards to compute ARQCs for transactions with a future date and then use those ARQCs with rogue chip cards.

In one scenario, for example, a customer goes into a coffee shop that happens to be controlled by a criminal gang and which uses payment terminals with maliciously modified firmware.

The customer would then insert his payment card into one of the rogue terminals in order to pay for his coffee. When this happens, the terminal would record the customer's payment card information and PIN and, in addition to initiating the legitimate payment, would force the card to generate an ARQC for a transaction with a future date and a specific UN.

In this case, the UN would be a number the attackers know that a particular ATM model will generate at a future point in time. After receiving the ARQC from the card, the rogue terminal wouldn't submit it to the card issuer for verification and wouldn't display anything on the screen.

A criminal would then be able to create a rogue card with information matching the customer's genuine card and program it with the pre-recorded ARQC. That card could later be used to withdraw an amount of money specified in the pre-generated ARQC when the time is right and the target ATM generates the predictable UN.

Pulling off this type of attack at a PoS terminal in the U.K., for example, would not even require the correct PIN, Anderson said. PoS terminals don't send PINs to card issuers and validate them offline instead, by comparing them to values stored on the cards themselves. Since an attacker is using a rogue card, they can program whatever PIN value they want on it and just type that at the PoS terminal, Anderson said.

What appears in the issuing bank's records as a result of a pre-play attack is no different from what would appear as a result of traditional card cloning attacks, a type of attack that the banking industry has repeatedly claimed cannot happen with EMV, Anderson said.

Fixing the UN generation algorithms would not prevent all pre-play attack scenarios, the researchers said in their paper. As long as the UNs are generated by the payment devices and not the card issuers, other attack methods are possible, as malware running on an ATM could sabotage the UN choice, the researchers said.

This research shows that when a customer disputes a transaction, the transaction logs from the acquiring bank and the merchant need to be taken into consideration in addition to the logs of the card issuing bank, Anderson said.

"We take anything of this nature extremely serious, but what we would say is that there is absolutely no evidence that this type of fraud is happening in the real world," said Mark Bowerman a spokesman for the UK Cards Association. "Part of the reason for that is that this is a very complicated and technically difficult attack to achieve."

Anderson disputes that. "We present the evidence in the paper," he said. "We gave them advance responsible disclosure of this. We discussed it with bank officials in February, so the industry has known about this and some insiders have admitted that they knew it was a problem."

In their paper, the Cambridge researchers said that they started researching possible issues with EMV unpredictable numbers after looking into the case of an HSBC Bank customer from Malta who was declined reimbursement for what the customer claimed were fraudulent transactions performed at an ATM in Palma de Mallorca, Spain in June 2011. In that case the transaction logs obtained from the bank revealed that UNs associated with the disputed transactions were predictable.

"Since we became aware of the contents of this paper, the industry has undertaken steps to ensure that this type of attack can't happen," Bowerman said. "In the unlikely event that it were to happen, and there's been no evidence to date that an attack of this nature has happened, anybody who's been an innocent victim of this fraud would get their money back from their bank."
