Popular Chip and PIN bank cards are vulnerable to “pre-play” attacks, a type of card cloning fraud which can’t be detected by regular banking procedures, a new study by University of Cambridge researchers reveals.
It seems the EMV “Chip and PIN” standard, widely implemented for 1.62 billion payment cards, can be exploited to empty people’s accounts. A cryptographic weakness allows the hacker to perform a man-in-the-middle attack and intercept the unique authentication code required by an ATM to complete a transaction. The 32-bit number can be easily predicted, as half of the ATMs and merchant terminals analyzed generate it through counters or timestamps.
A second protocol flaw gives the attacker the opportunity to replace the otherwise random number with the intercepted code.
To carry out the attack, after gaining temporary access to the card, the attacker requests authentication codes corresponding to the so-called random number. He then intercepts a second terminal’s communication with the bank and loads the known authentication code onto the cloned card to empty the victim’s account.
Since the authentication codes on the cloned card match those the real card would have provided, the bank can’t recognize the fraudulent transaction, the study says.
Cambridge researchers said they have proven the EMV system is not hacker-proof. “We are now publishing the results of our research so that customers whose claims for refunds have been wrongly denied have the evidence to pursue them, and so that the crypto, security and bank regulation communities can learn the lessons,” they said.
During their experiment, the researchers found flaws in widely-used ATMs from most manufacturers.
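For anyone auditing terminal logs for the weakness described above (32-bit numbers produced by counters or timestamps instead of a random source), the following check is an added example and not code from the study. The function name, labels, thresholds and sample values are assumptions made for illustration.

```python
from collections import Counter

MASK32 = 0xFFFFFFFF

def audit_unpredictable_numbers(uns, min_samples=8):
    """Flag predictable structure in one terminal's logged 32-bit numbers.

    `uns` is the sequence in transaction order. Returns {label: detail};
    an empty dict means none of the three checks fired, not proof of randomness.
    """
    if len(uns) < min_samples:
        raise ValueError(f"need at least {min_samples} samples")
    findings = {}
    deltas = [(b - a) & MASK32 for a, b in zip(uns, uns[1:])]

    # Counter: a single step value explains most consecutive differences.
    step, hits = Counter(deltas).most_common(1)[0]
    if hits * 2 >= len(deltas):
        findings["counter"] = f"step {step} in {hits} of {len(deltas)} deltas"

    # Clock or counter: every value is a small forward step from the last.
    # For random values each delta is below 2**24 with probability 1/256.
    if all(d < 1 << 24 for d in deltas):
        findings["monotonic"] = f"largest step {max(deltas)}"

    # Stuck bits: positions that hold the same value in every sample.
    changed = 0
    for a, b in zip(uns, uns[1:]):
        changed |= a ^ b
    stuck = 32 - bin(changed).count("1")
    if stuck >= 8:
        findings["stuck-bits"] = f"{stuck} of 32 bits never change"
    return findings

# Constructed samples, not captured from any real terminal.
COUNTER_LOG = [0x0000A100 + i for i in range(10)]
GAPS = [41213, 90817, 15002, 73333, 28764, 61999, 120450, 33871, 52006]
CLOCK_LOG = [0x5F000000 + sum(GAPS[:i]) for i in range(len(GAPS) + 1)]
RANDOM_LOG = [0x9E3779B9, 0x243F6A88, 0xB7E15162, 0x85A308D3, 0x13198A2E,
              0x03707344, 0xA4093822, 0x299F31D0, 0x082EFA98, 0xEC4E6C89]

if __name__ == "__main__":
    for name, log in [("counter", COUNTER_LOG), ("clock", CLOCK_LOG),
                      ("random", RANDOM_LOG)]:
        print(name, audit_unpredictable_numbers(log))
```

A terminal whose log triggers any of these labels should be escalated to the vendor; a clean result only rules out these three patterns.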