Community

Join the Community

22,414
Expert opinions
44,421
Total members
419
New members (last 30 days)
158
New opinions (last 30 days)
28,831
Total comments
Join Sign in

Chip and Skim: cloning EMV cards with the pre-play attack

  0 3 comments
Steven Murdoch
Steven Murdoch
Royal Society University Research Fellow
University College London
Location
London
Followers
1
Opinions
9
Unfollow

The EMV (Chip & PIN) protocol requires ATMs and point-of-sale terminals to generate a random number. If this number (known in EMV terminology as the "unpredictable number") isn't random, Chip & PIN is left vulnerable to the "pre-play" attack, which is indistinguishable from card cloning to the bank which issued the card. In the course of investigating a fraudulent transaction, for which the bank had refused to reimburse the victim, we discovered that ATM random number generators, across some of the biggest brands, have serious flaws.

By modifying a Chip & PIN card, and by reverse engineering ATM firmware, we analysed random number generators, finding a variety of different types of failures. The results of the survey can be found in our blog post and academic paper, announced at CHES 2012 today.

See also coverage in the FT and Information Age.

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

12146
 

Share

 
 
 
 
 

Channels

/security /payments
 

Information Security

The risks from Cyber cime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...

Join group

217 opinions 46 members

Comments: (4)

A Finextra member 

Wow.  Waiting for the defence of EMV.  As you say - has far reaching legal implications for non-repudiation.   One thing - you still have to steal the card/chip, yes?  You can only (possibly) clone a valid transaction, not the chip itself?

Steven Murdoch

Steven Murdoch Royal Society University Research Fellow at University College London

Author

You don't have to steal the card, just have temporary access to it. This could be achieved by asking the customer to use the card in a tampered Chip and PIN terminal. The cryptograms could be collected either instead of the legitimate transaction, or in addition to it. Then the cryptograms could be pre-played to a vulnerable ATM or point of sale terminal.

The attack could alternatively be done by stealing the card. For example, someone could take the card, collect cryptograms, then return it. In some situations this might work better, because the customer will take longer to notice the fraud and cancel the card.

If the criminal doesn't plan to return the card, then he might as well just use the genuine one rather than a pre-play clone.

A Finextra member 

That Cambridge group are great at penetration testing (and they keep their legal department busy too - their work upsets many players in the industry, but that's a separate can of worms...) Add Contactless EMV to that equation and the picture gets even more serious. As Square clearly explained (to Verione) - consumers cannot (and should not be asked to!) tell whether a POS terminal is secure. Hence, they will happily present their cards to any terminal that sits on the counter. Possible solution, at least for ATMs - UNs must be generated by the issuers direct. The "rails" are already in place for that, in most cases (amending EMV protocol is a totally different story, though).

Nick Collin

Nick Collin Director at Collin Consulting Ltd

Let's put this in perspective.  Number of successful EMV chip transactions worldwide - about 150 billion per year.  Number of proven instances of this type of pre-play attack - zero.  Realistic liklihood of this type of attack - close to zero.  Reduction in card fraud due to EMV chip - about £1 billion per year in the UK alone.  The positives somewhat outweigh the negatives I think!  But yes, it's a theoretical implementation weakness which can be easily fixed, so a useful addition to EMV deployment best practice.

Steven Murdoch
Steven Murdoch
Royal Society University Research Fellow
University College London
Member since
01 Jul 2009
Location
London
Followers
1
Following
0
Opinions
9
Unfollow

UK Cards Association attempt to supress Cambridge research

Reliability of Chip and PIN evidence in banking disputes

Chip and PIN is broken

Verified by Visa and MasterCard SecureCode

Encoding integers in the EMV protocol

See all Opinions from Steven

More expert opinions

Amey Prabhu

Amey Prabhu Solution Architect & Head of Trade Finance Product at Veefin

Digital Trade - A New Frontier For Financial Institutions and Product Vendors

Carlo R.W. De Meijer

Carlo R.W. De Meijer Owner and Economist at MIFSA

Blockchain and Crypto trends 2025: Further integration with traditional finance

Ritesh Jain

Ritesh Jain Founder at Infynit / Former COO HSBC

DeepSeek-R1: Redefining AI Innovation and Transforming Global Dynamics

Erica Andersen

Erica Andersen Marketing at smartR AI

Are SLMs the End of Traditional ERP and CRM?

1

See all opinions

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Join the Community

22,414
Expert opinions
44,421
Total members
419
New members (last 30 days)
158
New opinions (last 30 days)
28,831
Total comments
Join Sign in

Trending

Ritesh Jain

Ritesh Jain Founder at Infynit / Former COO HSBC

DeepSeek-R1: Redefining AI Innovation and Transforming Global Dynamics

Ritesh Jain

Ritesh Jain Founder at Infynit / Former COO HSBC

Customer Experience is Not Part of the Game, It’s the Game!

Ritesh Jain

Ritesh Jain Founder at Infynit / Former COO HSBC

HSBC’s Zing Shutdown: What Traditional Banks Can Learn from FinTech Disruption

Perry Carpenter

Perry Carpenter Chief Human Risk Management Strategist at KnowBe4

5 Cyberattacks that Rocked Financial Services in 2024

Now Hiring

All companies

Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.

Please read our Privacy Policy.

Accept