"As per the EMV standard, cash machines (ATMs) generate for each transaction a nonce "
The BBC has been running that standard for years in their payroll system, It's also known as the Yew Tree algorithm.
UK academics today describe how criminals can forge chip-and-PIN card transactions and spend other people's money for free. The team of University of Cambridge experts say their technique exploits a cryptographic weakness in some devices implementing the EMV (aka chip'n'PIN) standard. And they're confident they've found a …
Chip & PIN was better! Looks like it is only better for the banks which don't want you to dispute the transaction.
Sure the mag stripe and real-time feedback of authorization is not the "best", but when an industry says "fraud proof" we should ALL take a second look. Nothing is "fraud proof', but some things are better than others.
I'm not sure that C&P is any better (or worse) than Mag Stripes and real-time authorization. Oh, well....
As this is a major issue that many have said the banks love, it is time to forward this information to the banks and government to ensure that legislation and policies now reflect the fact that it is possible to clone chip and pin cards.
Wasn't the introduction to chip and pin debit cards first a great out for the banks to not investigate possible fraud and government pressure forced the banks to change their policy? It was reported on this site years ago.
Now that C&P is shown to be fully weakened, then the onus should be returned to the bank to investigate the claim.
What goes around comes around. I worked in IT supporting banking systems in the late 70s, early 80s when ATMs were first introduced and the banks then took exactly the same stance when people had begun to complain of duplicate and rogue transactions they had not made. i.e. "Our systems are infallible, the customer must be dishonest and it is up to them to find out which member of their family has stolen the money by borrowing the card and using the PIN."
I lost all respect for the banks when I had come home having spent the whole day monitoring comms between an ATM and the MF front end while we were trying to reproduce a duplicate transaction that we had actually seen happen before our very eyes. They knew all about it, and there was a spokesman on the news trotting out the "it is just not possible for our systems to duplicate tranactions, it must be one of the customer's family" routine. Sickening.
Some things don't change do they?
Basically, no. This vulnerability doesn't affect Internet banking because when Chip and PIN cards are used for Internet banking, random numbers (if they are used at all) are generated by the bank. The flaw is a result of the terminal generating the random number but the bank relying on it being random.
There are other issues with using Chip and PIN for online banking though: http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf
where I work we have two customers that we regularly do "Cardholder Not Present" transactions for, one is Visa and the terminal asks for Card No.,Transaction Amount,CVV,Address No. & Postcode No. - the transaction will authorise without the last two items being correct but will indicate as only verified for the security code.
The other card is AmEx and only asks for Card No. & Amount before authorising.
I know that the merchant is liable for CNP transactions, but AmEx doesn't even ask for the most basic of details to help prevent fraud, at least Visa make a token effort.
Even if the unpredictable number can be predicted, and the hacker/cloner successfully uses a future ATC (application transaction counter - another of the mandatory EMV fields), a hacker/cloner would need to know the clear base derivation key from the bank (which is never exposed in clear text), have an understanding of how to generate the transaction key for the appropriate card scheme being used and then be able to generate the correct ARQC for the fraudulent transaction for the it to be authorised by the bank - This paper is scaremongering...
"Let’s go back to the start. Alex Gambin had his wallet pickpocketed in Palma, Mallorca, and within an hour of the theft five ATM withdrawals had been made using his card totalling €1350, yet he never wrote down his PIN."
http://www.lightbluetouchpaper.org/2012/09/10/chip-and-skim-cloning-emv-cards-with-the-pre-play-attack/
There's no need to know the transaction key, because the ARQC is being generated by the genuine card. The attack scenario is that the victim uses a compromised Chip and PIN terminal, which requests an ARQC which is then used in a different terminal. For example, you might think you're paying a few pounds for a sandwich, but the ARQC is for a £500 ATM withdrawal.
"This paper is scaremongering..."
Like many academic papers this one is dealing in a large amount of theory based on observed facts. So while it may not be a widespread attack vector, it highlights that EMV has weaknesses and is therefore not 100% free from fraud.
OpenSSL was secure and verified by its open nature - until it turned out it wasn't. EMV is closed source, so who knows what vulnerabilities actually lie in the code.
What I think I am reading is that the problem is a partial implementation of the standards coupled with weak physical security.
Upgrading and or changing the standard isn't going to solve this.
Security standards have to be coupled with robust implementations and strong physical security to work.
Of course, this takes time and effort and money.
No, there software implementation is weak even if they have good physical security on the system. So it is still vulnerable.
Which doesn't mean they HAVE good physical security, only that the software problem exists independently. And if you have weak physical security, software security is more easily compromised.
Ok,
So if you break the card, and the ATM,m and the network, and they happen to be running non-random generators... you might get some money out of an account. Assuming it has some in the first place. If you can break all the above and implement your own code on ATM's etc then this is a pretty piss poor approach to getting your hands on some money. Just change the ATM code to puke all its money out to you there and then !
Two things.
1) When has the well educated Mr Ross Anderson ever produced a detailed design for an infallible payment system? (and why has he not copyrighted such and made a killing?),and
2) Where is the risk analysis and cost benefit. i.e. the cost to 'fix; the problems that seem to be endemic in the payments world versus the losses that also appear to be sustainable to the banks ?
Really folks. NOTHING in life is perfect. EVERYTHING costs something.And Mr Anderson should produce a good alternative rather than keep looking for ever more minute gaps that obviously do not amount to any risk (cost value) greater than the exposure (cost value).
I don't know why the Register article reported this in the context of just ATMs but reading the original post this appears to be a vulnerability of any Chip and Pin authenticated transaction.
Acquiring access to a remote chip and pin terminal in a restaurant, modifying it and intercepting the communication back to base is not likely to be beyond the means of many criminal gangs and frausters.
As for Mr Ross Anderson reading his blogs I believe his big problems is the fact that banks will routinely lie to customers and claim that chip and pin is infallible (and therefore it is up to the customer to prove that its not their fault) even though there is concrete proof that there are ways to defeat it and therefore the onus should be on the bank to prove that the customer is lying.
if the banks admitted that it isn't perfectly secure and took on the costs of refunding customers when the security is breached then that would be acceptable. At the moment they claim it is secure when they know it isn't, then pass on the costs to the customer who has been defrauded. Because the costs are being externalized to the customer the bank then don't have any benefit to improving the system - until research like this allows their statements to be challenged in court as effectively being fraudulent.
Gosh, who would have thought that using a weak PRNG to generate a nonce might be a problem? It's not like that's ever happened before.
Just another case of people who don't know what they're doing and can't be bothered to learn.
Or they're willfully ignorant, like Mr "ex RBS employee" up there. Tell you what, Mr employee: when you can explain to us, in a cogent and informed fashion, why Anderson's classic text Security Engineering, particularly chapters 7 and 25, do not answer your challenges regarding security economics and risk assessment, then I'll consider your opinion worth something.
Read those chapters thanks. Learned how to suck eggs a tiny bit better.
Really. Come on.
My point still stands - where is the perfect solution that (obviously) only someone as experienced in the commercial world as Mr Anderson can actually deliver ?
Just asking ...
It is always easier to find faults than to give recommendations. I recommend that a proper risk analysis (with stress testing scenarios and full Regulatory, Financial, Customer, Reputational impacts) be included in these theory papers from the Cambridge team.
Don't misunderstand me here. I am keen to see faults and holes identified in any product or service that affects me. I just wish Mr Anderson worked on his approach to delivering the messages such that we could all benefit from his research... rather than just scaremongering and self-image.