In March this year, we reported that the major card distributor companies, VISA and Mastercard are migrating to EMV chip cards, also known as PIN-and-Chip cards. Unlike traditional magnetic stripe payment cards, EMV chip cards generates a unique code for every transaction, making it nearly* impossible for criminals to use the card for counterfeit fraud.
But Nothing is perfectly secure, even not the PIN-and-Chip based payment cards. All anti-cloning theories were already proven wrong, when a group of researchers found a way to hack the Credit and Debit cards based on the latest Chip-and-Pin technology.
Back in 2012, we reported about a research paper entitled “Chip and Skim: cloning EMV cards with the pre-play attack” published (old paper) by team of researchers from the University of Cambridge, UK, who demonstrated that Chip and PIN payment card systems are also vulnerable to Card Cloning.
The same team of researchers presented their EVM related research last Monday at the 2014 IEEE Symposium on Security and Privacy in San Jose, California. But this time they include one more critical vulnerability to the research paper (new modified research paper).
The Group includes Mike Bond, Omar Choudary, Steven J. Murdoch, Sergei Skorobogatov and Ross Anderson from the Computer Science Department. In Total, they presented two critical vulnerabilities in the "Chip-and-PIN" smart card payment system that makes EVM vulnerable to “pre-play” attack.
PREDICTING SO-CALLED 'UNPREDICTABLE NUMBERS'
EMV devices generate the so-called "unpredictable numbers" (UNs) for every transaction, but the researchers claimed that automated teller machines (ATMs) and point-of-sale (POS) terminals fail to properly generate random numbers that are required by the EMV protocol to securely authenticate transaction requests.
Researchers claimed to have found the computation patterns that would allow them to predict the randomly generated numbers. ‘EMV implementers have merely used counters, timestamps or home-grown algorithms to supply this nonce.’
The vulnerability could be exploited by the cybercriminals to clone the credit and debit cards in such a manner that even bank procedures won’t differentiate between the legitimate and fraud transactions.
NO PIN REQUIRED
They also demonstrated the Proof-of-Concept of another critical vulnerability, known as ‘no PIN’, which lets criminals use stolen chip and PIN cards without knowing the PIN.
Using a Malware or by performing a man-in-the-middle attack on the communications between a pin terminal and a customer's card allows the hacker to read off sufficient information to create a cloned card.
> “The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists’ cards. The transactions went through fine and the receipts say ‘Verified by PIN’.” the researcher explained.
CRIMINALS ALREADY USING THIS EXPLOIT
The worst fact about the vulnerability is that, the trick is already known to cyber criminals and fraudsters from past many months and currently they are even equipped with crime-ware hardwares those allow them to clone Chin-and-PIN based cards easily.
The Chip-and-PIN system has a 700-odd page manual, but the researchers says it has so many security holes in it, the whole thing should be re-written.
The adoption of EVM payment system is in the response to the massive data breach in one of the U.S largest retailers 'Target', marked the largest card heists in the U.S. history in which financial credentials of more than 110 million customers were compromised.
The data heist in various US retailers have forced them to take some major steps towards more secure transactions and they move on to the new Chip-and-Pin technology. However, Chip-and-Pin payment system is considered to be a safer than the "card swipe" payment system, but that doesn’t mean it is fully protected. Cyber Criminals are just behind you every time to fetch your money, so be alert.