A blog on financial markets and their regulation
Predictable unpredictable numbers compromise Chip and PIN cards
October 13, 2012Posted by on
A group of researchers at the University of Cambridge have a paper describing serious security weaknesses in Chip and PIN or EMV cards (h/t Bruce Schneier). EMV or “Chip and PIN” which is the leading system for card payments world-wide contains a chip that executes an authentication protocol. This protocol requires point-of-sale (POS) terminals or ATMs to generate an unpredictable number for each transaction to ensure it is fresh. The ATM sends this unpredictable number to the card along with various transaction fields. The card responds with an authorization request cryptogram (ARQC), which is calculated over the supplied data. If properly implemented this ARQC allows the ATM or POS to verify that the card is alive, present, and engaged in the transaction.
The reality is very different. The Cambridge researchers discovered that some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply the “unpredictable” number which is the heart and soul of the entire protocol. Moreover, the fault actually lies with the EMV designers themselves:
The first flaw is that the EMV protocol designers did not think through carefully enough what is required for it to be “unpredictable”. The specifications and conformance testing procedures simply require that four consecutive transactions performed by the terminal should have unique unpredictable numbers … Thus a rational implementer who does not have the time to think through the consequences will probably prefer to use a counter rather than a cryptographic random number generator (RNG); the latter would have a higher probability of failing conformance testing (because of the birthday paradox).
If the “unpredictable number” can actually be predicted, it is possible to perform all kinds of “pre-play” attacks. A crooked merchant can harvest an ARQC while having custody of the card in his POS termimal and than replay this at an ATM without the card being present and execute transactions there.
The researchers conclude:
Just as the world’s bank regulators were gullible in the years up to 2008 in accepting the banking industry’s assurances about its credit risk management, so also have regulators been credulous in accepting industry assurances about operational risk management.