Researchers Discover Critical Flaws in the Chip and PIN System
Cambridge University researchers have unearthed a pair of critical flaws in EMV smart card technology that can be exploited to generate cloned cards that are undetectable by normal bank procedures. The researchers found that some ATMs create poor random numbers that are easily predictable and could be leveraged to compute codes to authorize cash withdrawals. Such a pre-play attack would be “indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be conducted even if it is impossible to clone a card physically,” the researchers warn. They note that this type of attack would complicate card owners’ ability to prove they were not responsible for or involved in the fraud, and should be refunded. The second flaw the researchers found is a protocol failure that would permit malware in an ATM or point-of-sale terminal to execute a pre-play attack simply by replacing the randomly produced number with one chosen by the attacker. These flaws were discovered more than two years ago, but only the first flaw has been resolved so far.
[divide]From “Researchers Discover Critical Flaws in the Chip and PIN System”
Help Net Security (05/19/14) Zorz, Zeljka