The research team - Mike Bond, Omar Choudary, Steven J Murdoch, Sergei Skorobogatov and Ross Anderson – went public on the problems at the 2014 IEEE Symposium on Security and Privacy in San Jose California on Monday.
In a paper titled ‘Chip and Skim: Cloning EMV Cards with the Pre-Play Attack', they say flaws in the way the EMV chip-and-pin standard is implemented in widely-used ATMs from some of the largest manufacturers means attackers can effectively electronically clone the victim's payment card and make purchases in their name.
The weak way in which the devices generate the random code numbers required to make each transaction secure mean the supposedly unpredictable numbers can be predicted.
Such an attack is invisible to the banks, say the researchers, which could explain why some victims are refused refunds and falsely accused of being mistaken or complicit in the fraud “by banks which claim that EMV cards cannot be cloned”.
The Cambridge team have also found a second design flaw in the EMV specification that allows attackers to use ‘man-in-the middle' malware in an ATM or POS terminal to intercept the customer's random number and replace it with a number known to the fraudster.
In a 19 May blog on the problem, the researchers say they have seen both attacks used “in the wild”. The blog confirms: “Our paper shows that chip and pin, as currently implemented, still has serious vulnerabilities, which might leave customers at risk of fraud.”
The researchers point out that the standard, intended to protect the world's 1.62 billion payment cards, is widely used in Europe and much of Asia, and is now being introduced into the US in the wake of the Target and other retail hacks that led to tens of millions of card details being stolen.
Despite that, they say: “Almost two years after our disclosure of the protocol flaw, nothing appears to have been done. The world's fleet of EMV terminals remain vulnerable to attacks involving either terminal malware or man-in-the-middle manipulation of communications.”
They add: “We are now publishing the results of our research so that customers whose claims for refunds have been wrongly denied have the evidence to pursue them, and so that the crypto, security and bank regulation communities can learn the lessons.”
They also say bank regulators are starting to respond to their warnings: “It is welcome that the US Federal Reserve is now paying attention, and time for European regulators to follow suit.”
Payment card security specialist Dr Guy Bunker, a senior vice president with data loss prevention product vendor Clearswift, has backed the researchers' call for more action from the banks.
He told SCMagazineUK.com via email: “It's critical that the security flaw found with EMV payments is made clear to cyber security professionals, consumers and banks. If banks are under the misconception that incidences of fraud are ‘impossible' due to clone-proof EMV cards, then both the bank and the consumer are at risk.”
Bunker added: “It's crucial that the extent of this flaw and the extent of information loss is analysed in depth to create a robust policy and the right technology to mitigate further risk. The fight against cyber-criminals is not a battle, it's a war – and as time goes on new vulnerabilities will be found and then exploited; organisations cannot afford to let down their guard, or put their heads in the sand.”
Graeme Batsman, security director at independent UK-based IT security investigations company EncSec, said that – as with the Heartbleed bug – the time lag between banks and manufacturers learning of the problems and getting round to fixing their devices means customers are at risk.
He told SC via email: “Similar to Heartbleed, the flaws have been around for years and the good guys may not be the first ones to find them. Still, to this day, a sizable percentage of OpenSSL implementations are still flawed. Chip and pin will be the same, a number would have been replaced or patched and a number will still remain flawed.”
In their paper, the researchers say “the shocking fact that many ATMs and point-of-sale terminals have seriously defective random number generators” appears to have been ignored by the banks, “perhaps reasoning that it is difficult to scale up an attack that involves access to specific physical cards and also the installation of malware or wiretaps on specific terminals”.
But they say: “We disagree. The Target compromise shows that criminals can deploy malware on merchant terminals widely and exploit it to earn serious money. The move to terminals based on mobile phones may expose this flaw to industrial-scale exploitation by malware that can be spread through the mobile phone population much more easily than through the terminal fleet.”