EMV has been cracked, credit card cloning begins OMG – oh hang on maybe not!

The other day I came across this interesting article about cloning EMV cards. It makes a number of pretty bold claims, including the following:

I differentiated pages instead using the EMV Unpredictable Number field – a 32 bit field that’s supposed to be unique to each transaction. I soon got muddled up… it turned out that the unpredictable numbers… well… weren’t. Each shared 17 bits in common and the remaining 15 looked at first glance like a counter

Well, as I said, an interesting read, and I hate to say it, but I still sit on the side of “don’t believe their claims”. There are quite a few statements in the article that don’t quite add up, and there are an awful lot of controlled-environment aspects which wouldn’t happen in the real world.

Of course, there is a perfectly viable ‘weakness’ here in the generation of an Unpredictable Number; however, Mike is trying too hard to shoehorn that weakness into a scenario that couldn’t happen. Here (in my opinion) are the reasons that would stop this from happening in the real world:

  • No one should have access to the Master Cryptogram key (only the card producers and the bank have this). Their report states that, for the purposes of exploiting the protocol, they used known ARQC keys! This just doesn’t happen.
  • They ignore the fact that every ARQC contains transaction data, so they would have to be able to configure the ATM to replicate all previous transaction data, i.e. doing this for date, time and amounts alone would be difficult!
  • They also ignore the ATC (Application Transaction Counter), whose sole purpose is to ensure each transaction has a unique and sequential counter. Every bank should use this in its authorisation process and indeed its fraud systems.
  • The ATM is in a controlled environment, and indeed manipulated into the supposed “predictable” unpredictable number sequence! I find this part mind-boggling.

Ultimately, the weakness they talk about is specific to the ATM and not the chip itself.  There are more than enough measures within the chip and the authorisation system (backed up by fraud systems) to spot and prevent such an attack should it be viable, which I don’t believe it is.
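The two checks the post leans on, sketched as an added example (not code from the original post or from the research it discusses): a test for constant or counter-like bits in a terminal's logged Unpredictable Numbers, and an issuer-side ATC sequence check. The sample values, card tokens and the `max_step` and `max_gap` thresholds are constructed assumptions.

```python
import random

def fixed_bits(uns):
    """Mask of bit positions whose value never changes across the 32-bit UNs."""
    always1 = always0 = 0xFFFFFFFF
    for un in uns:
        always1 &= un                   # bits set in every sample
        always0 &= ~un & 0xFFFFFFFF     # bits clear in every sample
    return always1 | always0

def varying_value(un, mask):
    """Pack the non-fixed bits of one UN into a small integer."""
    out = pos = 0
    for bit in range(32):
        if not (mask >> bit) & 1:
            out |= ((un >> bit) & 1) << pos
            pos += 1
    return out

def counter_like(uns, mask, max_step=8):
    """True when the varying bits only ever advance by a small step (mod width)."""
    width = 32 - bin(mask).count("1")
    if width == 0 or len(uns) < 3:
        return False
    vals = [varying_value(u, mask) for u in uns]
    return all(0 < (b - a) % (1 << width) <= max_step
               for a, b in zip(vals, vals[1:]))

def atc_anomalies(auths, max_gap=20):
    """auths: (card_token, atc) in arrival order; flag replays and large jumps."""
    last, flagged = {}, []
    for card, atc in auths:
        prev = last.get(card)
        if prev is not None and atc <= prev:
            flagged.append((card, atc, "not_increasing"))
        elif prev is not None and atc - prev > max_gap:
            flagged.append((card, atc, "gap"))
        last[card] = atc if prev is None else max(prev, atc)
    return flagged

# Constructed samples (not real ATM data): a terminal with 17 constant bits
# plus a 15-bit counter, and a seeded PRNG standing in for a healthy terminal.
WEAK = [0xA5C38000 | (3 * i & 0x7FFF) for i in range(12000)]
_rng = random.Random(7)
GOOD = [_rng.getrandbits(32) for _ in range(200)]
AUTHS = [("card-A", 41), ("card-A", 42), ("card-A", 90),
         ("card-A", 43), ("card-B", 7), ("card-B", 7)]
```

A terminal whose samples show a large fixed-bit mask or pass `counter_like` is a candidate for replacement or re-certification; the ATC flags are inputs to the fraud system rather than a verdict on their own.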

The article, to me, is yet another scare story, explaining only half the story and giving it a headline that will immediately cause damage to the payments industry and the banks’ reputations, and in particular raise unnecessary questions about the reasons behind implementing Chip & PIN. It is similar to the other stories of cloned cards with headlines such as CHIP CLONING, where you read past the headline only to find out it is about devices implemented within terminals listening for a PIN that is entered by a cardholder, nothing to do with chips or cloning. The experts can smile at the ridiculous headline claims, but the real problem is that the non-experts simply believe what the headline reads and that’s their minds made up.

One final point I always use is “where is the fraudster’s business case to perform all this?” It sounds silly to think that fraudsters would even consider a business case, but they do without realising. In other words, they will take the shortest, cheapest, and least risky route to committing fraud, and for as long as there are magstripes on a card, why would they bother with chip attacks?

If I were a bank I wouldn’t be scared just yet.

3 Comments

  • By Dean Nicholls

    Hi Jon

    As a follower of the Cambridge research team’s investigations and as someone who has built my own EMV hardware for accepting EMV transactions through smartphones I found this a very interesting post. I found it fascinating that you appear to take the common industry line that anyone seeking to publish potential flaws in EMV is only interested in damaging the industry’s reputation, rather than the line that the standard may actually have issues.

    In this particular case I do agree with your assertion that this is not a Standards problem, but more of an implementation problem. Although the Standard has made it difficult with a very low bar for what is random. I tend to disagree with your bullet pointed summary as to reasons why this attack can’t happen, which seems to have several inaccuracies or misunderstandings in it.

    With respect to the UDKs (MCK), the report stated these were used to *prove* the attack was possible, not that they were *required* for the attack.

    I’m not too sure what your second point is indicating. The attack does not involve ATM configuration, but rather skimmed transactions that are replayed, potentially at a different ATM, as long as it is in the same country on the same date and using the same amount as the skimmed transaction.

    The ATC is helpful in helping to make the attack more awkward, but is not in itself enough to prevent it for all situations. This is discussed in the paper on p. 15.

    I’m not too sure why an ATM being used for research in a controlled environment is mind boggling. The whole point is to get the ATM to give up its secrets in terms of UN repeatability so that the attack card concept can be designed in the lab and then (theoretically) used in the real world against similar model devices.

    Fraud systems are not that helpful in this attack as the pre-play transactions in theory are indistinguishable from real transactions. So they will be as helpful as they would be against normal transactions, unless the fraudster is clumsy.

    It is probably true that this attack is unlikely to get traction in the wild, especially given that the fix is simply to use a hardware random number generator – something that any secure microcontroller such as the Maxim1850Q supplies. If the device is using a PRNG, then there are software options out there that are reasonably effective. It’s a pity that the ATM vendors seem to use the oldest junk out there and have an issue with both hardware and software quality.

    Your point about the business case is a good one. The simple fact is 99.9999% of fraudsters out there won’t use an attack like this, especially while the industry continues to support magnetic stripe. Consider though a situation where this attack actually is perfected by the unscrupulous. What would happen next is UN tables for ATM models would be available on bit torrent. Attack cards would be designed which would be sold on the internet, and all of a sudden something that is very hard becomes commodity. Nearly all security attacks follow this process; look at the availability of virus kits. If the fraudsters crack this, they won’t publish their results for us to view.

    The real problem is that the industry considers EMV invincible and that any fraud *must* be the customer’s fault. EMV is a very good standard, but it is not invulnerable and already has had proven flaws, admittedly not large ones that have been quickly rectified. I agree with you that the Banks have no need to be scared yet, but unfortunately the same is not necessarily true for their customers.

    PS: I hope I don’t come across as too critical. I really enjoyed the post and offering a different viewpoint. I would strongly recommend anyone who is interested in the robustness of the EMV standard take time to read all of the Research Group’s papers. These guys are not Cnet or El Reg.

  • By Jon

    Hi Dean,

    Thanks for your challenge, and thoughts on this. Always good to get another view, and really the point of having a blog is to get input. I would like to say please don’t get me wrong, I’m not against the clever guys that investigate weaknesses or holes in standards; if people didn’t do that we couldn’t improve on them. I admire the lengths they go to and the techie know-how. Perhaps my main point doesn’t come across too well; it’s more the news-grabbing headline which the non-techies out there (the media) will then use and exaggerate upon because they take it as read. Here the weakness is within the ATMs, not the Chip. It does damage the technology’s reputation because most of the time “joe public” don’t want to know the whole story, only point a finger. I do agree that, should such an attack be possible, the industry should be prepared to investigate further and not use a blanket “chip & PIN transaction = genuine transaction” and penalise the genuine cardholder, because the day the system does crumble I’d hope they were one step ahead because they’d listened to the early warning signs. I still err on the side of caution; a controlled environment is nothing like the wild.

    With regards to this particular weakness, perhaps the standards should be more specific around the UN, and legacy ATMs replaced, or perhaps even the certification of these ATMs improved to ensure such a weakness doesn’t exist as it will be abused if the day the business case becomes viable. I still believe there is a definite place for Fraud systems and the use of them to be a key player in spotting and protecting us from these attacks; as much as the transaction would look normal, the patterns and tell-tales are not – this is the strength of a good fraud system (and its implementation).

    In danger of starting off a whole different thread, can I ask the question, “is there real gain in publishing such in-depth reports in the public domain?” – it’s great to see it, but is it not handing the answers to the fraudsters on a plate, or at least giving them a huge head-start? Would it not be better for an industry forum, where those involved in the industry and the banks themselves get to discuss, see with their own eyes and most importantly recognise or disprove and ultimately improve upon existing standards? Perhaps it’s due to the lack of such specific forums that these are published as a “sit up and listen” tactic, I don’t know the history behind the whys – just keen to understand. I guess in some ways I’m as much at fault in spreading the word/article even wider.

  • By Dean Nicholls

    Hi Jon

    I think it can be said that our fundamental viewpoints are really not dissimilar, except maybe in one area I will touch on later. As a central thesis I certainly agree that the headline grabbing is an issue, although to be fair the main article’s headline is not particularly sensationalist – certainly not in El Reg style anyway. It’s very easy for hit seekers to bash Banks and get views. This is after all their business and how they make money; any decent journalism that happens is a by-product. Having said that, the reference article is research from the source, not sensationalist journalism. This is unlike the Cnet article linked later.

    I suspect our main area of disagreement if we were ever to discuss this over a beer would be that of disclosure. As someone who has a foot in both the industry and academic camps, I fall on the side of what our security friends call “responsible disclosure”. That is something the Cambridge team certainly subscribe to, with an example being when Choudary released his Smart Card Detective (go Google it, it is a great paper and piece of hardware), he did not release the code that allowed the device to do apparently PIN authorised transactions without PIN verification. Having said that, it was very easy for me to code it up. The industry’s response was an attempt to have the research buried. Cambridge’s response to their completely unreasonable demands was an essay in how to deliver a smackdown with the velvet glove wrapping the iron fist.

    My own view is that responsible disclosure is the only way forward. Security through obscurity and keeping of secrets has been shown to be a failure time and time again. Unfortunately the fraudsters do not subscribe to that. Anyhow, as you said before, that’s a completely different issue and one that I will save for another day.

    Cheers
    Dean.
