Study Suggests EMV Cards Not So Secure
By Ally Orlando, contributing writer
EMV skeptics would argue that, today, mobile solutions and sophisticated cards including biometric elements are available that could provide more advanced protection — matching the sophistication of today’s cyber attacks.
As it turns out, smart chips in EMV cards may not be as secure as we thought, according to research from the University of Cambridge. The institution found two issues with the chips that could make them vulnerable to security attacks.
Specifically, the chips could be subject to “pre-play” attacks or protocol failure.
A pre-play attack is “indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be carried out, even if it is impossible to clone a card physically,” the study notes, adding that flaws were found in ATMs from major manufacturers.
In protocol failures, when capturing an authentic code from the card, cybercriminals can replace the number the terminal generates with one they used earlier. Researchers say this variant of the pre-play attack can be caused by malware in ATM or POS terminals or a middle man between the terminal and the acquirer.
The research reports the center of these security flaws to be the “nonce,” which is the unpredictable 32-bit number used in EMV ATM and POS transactions signifying that they are fresh and cannot be reused by cybercriminals. To supply the nonce, the study finds that EMV implementers have used simple counters, timestamps, or homegrown algorithms.
“We found flaws in widely-used ATMs from the largest manufacturers,” the report states. “We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit.”
“More than a year after our initial responsible disclosure of these flaws to the banks, action has only been taken to mitigate the first of them, while we have seen a likely case of the second in the wild, and the spread of ATM and POS malware is making it ever more of a threat,” the report says.