The other day I came across this interesting article about cloning EMV cards. It makes a number of pretty bold claims, including the following:
I differentiated pages instead using the EMV Unpredictable Number field – a 32 bit field that’s supposed to be unique to each transaction. I soon got muddled up… it turned out that the unpredictable numbers… well… weren’t. Each shared 17 bits in common and the remaining 15 looked at first glance like a counter
Well, as I said, an interesting read, and I hate to say it but I still sit on the side of “don’t believe their claims”. There are quite a few statements in the article that don’t quite add up, and there is an awful lot of controlled-environment work that wouldn’t happen in the real world.
Of course there is a perfectly viable ‘weakness’ here in the generation of the Unpredictable Number; however, Mike is trying too hard to shoehorn that weakness into a scenario that couldn’t happen. Here (in my opinion) are the reasons that would stop this from happening in the real world:
Ultimately, the weakness they talk about is specific to the ATM and not to the chip itself. There are more than enough measures within the chip and the authorisation system (backed up by fraud systems) to spot and prevent such an attack, should it be viable, which I don’t believe it is.
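To make the quoted finding concrete, here is an added example of my own (not code from the article or from this post) that takes a batch of 32-bit Unpredictable Numbers (EMV tag 9F37) captured from one terminal and reports which bits never changed across the batch and whether the remaining bits step like a counter. The “weak” sequence is constructed to mimic the pattern the article describes (17 fixed bits plus a 15-bit counter); the “strong” sequence is drawn from the OS CSPRNG. The masks, the function names and the sample values are my assumptions for illustration, not data from any real ATM.

```python
import os
import struct

# Constructed model of the generator the quoted article describes: the 17 high
# bits never change and the 15 low bits count. Assumed layout, not a real ATM.
FIXED_MASK = 0xFFFF8000     # 17 constant bits
COUNTER_MASK = 0x00007FFF   # 15 counting bits
ALL_ONES = 0xFFFFFFFF


def weak_un_sequence(fixed_value, start, count):
    """Return `count` 32-bit UNs with fixed high 17 bits and an incrementing low 15 bits."""
    assert fixed_value & COUNTER_MASK == 0, "fixed part must live in FIXED_MASK"
    return [fixed_value | ((start + i) & COUNTER_MASK) for i in range(count)]


def strong_un_sequence(count):
    """Return `count` 32-bit UNs from the OS CSPRNG, which is what a terminal should use."""
    return [struct.unpack(">I", os.urandom(4))[0] for _ in range(count)]


def compact(value, mask):
    """Gather the bits of `value` selected by `mask` into a contiguous integer (PEXT-style)."""
    out, pos = 0, 0
    while mask:
        low = mask & -mask          # lowest set bit of the mask
        if value & low:
            out |= 1 << pos
        pos += 1
        mask &= mask - 1            # clear that bit and move on
    return out


def analyze(uns):
    """Characterise a list of 32-bit Unpredictable Numbers from one terminal.

    Returns a dict with:
      constant_mask : bits that held the same value in every sample
      constant_bits : how many such bits there are
      varying_bits  : 32 - constant_bits, an upper bound on the entropy per UN
      counter_like  : True if the varying bits, packed together, advance by +1
                      (mod 2**varying_bits) in at least 90% of consecutive steps
    """
    if len(uns) < 2:
        raise ValueError("need at least two samples")
    and_acc, or_acc = ALL_ONES, 0
    for u in uns:
        and_acc &= u
        or_acc |= u
    # A bit is constant if it was 1 in every sample (and_acc) or 0 in every sample (~or_acc).
    constant_mask = (and_acc | (~or_acc & ALL_ONES)) & ALL_ONES
    constant_bits = bin(constant_mask).count("1")
    varying_mask = ~constant_mask & ALL_ONES
    varying_bits = 32 - constant_bits

    counter_like = False
    if varying_bits:
        vals = [compact(u, varying_mask) for u in uns]
        modulus = 1 << varying_bits
        steps = sum(1 for a, b in zip(vals, vals[1:]) if (b - a) % modulus == 1)
        counter_like = steps >= 0.9 * (len(vals) - 1)

    return {
        "constant_mask": constant_mask,
        "constant_bits": constant_bits,
        "varying_bits": varying_bits,
        "counter_like": counter_like,
    }


if __name__ == "__main__":
    # Start near the top of the 15-bit range so the counter wraps and every low bit toggles.
    weak = analyze(weak_un_sequence(0xA5A58000, 0x7F00, 300))
    strong = analyze(strong_un_sequence(300))
    print(f"weak:   constant_mask=0x{weak['constant_mask']:08X} "
          f"constant_bits={weak['constant_bits']} counter_like={weak['counter_like']}")
    print(f"strong: constant_mask=0x{strong['constant_mask']:08X} "
          f"constant_bits={strong['constant_bits']} counter_like={strong['counter_like']}")
```

Run over UNs logged at the acquirer or issuer for a single terminal ID, a result like 17 constant bits and `counter_like=True` is exactly the kind of signal a fraud system could use to flag a terminal whose UN generation has gone wrong, before anyone needs to argue about whether the pre-play scenario is practical.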
To me, the article is yet another scare story that tells only half the story, under a headline that will immediately damage the payments industry and the banks’ reputations and, in particular, raise unnecessary questions about the reasons for implementing Chip & PIN. It is similar to the other stories of cloned cards with headlines such as CHIP CLONING, where reading past the headline reveals devices implanted in terminals to capture the PIN entered by the cardholder, nothing to do with chips or cloning. The experts can smile at the ridiculous headline claims, but the real problem is that non-experts simply believe what the headline says, and that’s their minds made up.
One final point I always make is: “where is the fraudster’s business case for doing all this?” It sounds silly to think that fraudsters would even consider a business case, but they do without realising it. In other words, they will take the shortest, cheapest and least risky route to committing fraud, and for as long as there are magstripes on cards, why would they bother with chip attacks?
If I were a bank I wouldn’t be scared just yet.