Chip & PIN relay attacks

February 6th, 2007 at 09:36 UTC by Steven J. Murdoch

Saar Drimer and I have shown that the Chip & PIN system, used for card payments in the UK, is vulnerable to a new kind of fraud. By “relaying” information from a genuine card, a Chip & PIN terminal in another shop can be made to accept a counterfeit card. We previously discussed this possibility in “Chip & Spin”, but it was not until now that we implemented and tested the attack.

A fraudster sets up a fake terminal in a busy shop or restaurant. When a genuine customer inserts their card into this terminal, the fraudster’s accomplice, in another shop, inserts their counterfeit card into the merchant’s terminal. The fake terminal reads details from the genuine card, and relays them to the counterfeit card, so that it will be accepted. The PIN is recorded by the fake terminal and sent to the accomplice for them to enter, and they can then walk off with the goods. To the victim, everything was normal, but when their statement arrives, they will find that they have been defrauded.

Equipment used in relay attack

From the banks’ perspective, there will be nothing unusual about this transaction. To them, it will seem as if the real card was used, with its chip and the correct PIN. Banks have previously claimed that if a fraudulent Chip & PIN transaction was placed, then the customer must have been negligent in protecting their card and PIN, and so must be liable. This work shows that customers who take all due care in using their card can still be the victim of fraud.

For more information, we have a summary of the technique and a FAQ. This attack will be featured on Watchdog tonight (6 February) at 19:00 GMT on BBC One. The programme will show how we successfully sent details between two shops in the same street, but it should work equally well, via mobile phone, to the other side of the world.

It is unlikely that criminals are currently using techniques such as this, as there are less sophisticated attacks to which Chip & PIN remains vulnerable. However, as security is improved, the relay attack may become a significant source of fraud. Therefore, it is important that defences against this attack are deployed sooner rather than later. We discuss defences in our draft academic paper, submitted for review at a peer-reviewed conference.
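To make the point concrete, here is an added Python simulation (not the authors’ code or hardware) of the scenario above: the relay forwards the terminal’s challenge to the genuine card and returns its answer byte-for-byte, so the issuer’s cryptographic check passes exactly as for the real card. The round-trip-time bound is an assumed illustration of the kind of timing check that can tell the two apart; the MAC-over-challenge “cryptogram” and the millisecond figures are simplifications constructed for the example, not EMV’s actual messages or the defence in the paper.

```python
import hmac
import hashlib
import os

# Constructed demo key; in the real system it is shared only by card and issuer.
CARD_KEY = b"constructed-demo-key"


class Clock:
    """Simulated clock so the example runs deterministically without sleeping."""
    def __init__(self):
        self.ms = 0


class GenuineCard:
    """Stand-in for a chip card: answers a challenge with a MAC (simplified cryptogram)."""
    def __init__(self, key, clock, compute_ms=5):
        self.key, self.clock, self.compute_ms = key, clock, compute_ms

    def respond(self, challenge):
        self.clock.ms += self.compute_ms
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class RelayedCard:
    """Fake terminal plus counterfeit card: forwards the challenge to the genuine card
    over a link and returns the answer unchanged. The bytes the merchant's terminal sees
    are identical to the real card's; the only observable difference is transport delay."""
    def __init__(self, genuine, clock, link_ms=200):
        self.genuine, self.clock, self.link_ms = genuine, clock, link_ms

    def respond(self, challenge):
        self.clock.ms += self.link_ms  # assumed round trip over the relay link
        return self.genuine.respond(challenge)


def issuer_accepts(key, challenge, response):
    """Bank-side check: recompute the MAC and compare in constant time."""
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def run_transaction(card, clock, rtt_limit_ms=None):
    """Terminal side: fresh challenge, measured round trip, issuer check.
    Returns (accepted, rtt_ms). rtt_limit_ms is an assumed timing bound."""
    challenge = os.urandom(8)
    start = clock.ms
    response = card.respond(challenge)
    rtt = clock.ms - start
    if rtt_limit_ms is not None and rtt > rtt_limit_ms:
        return False, rtt  # cryptographically valid, but it arrived too slowly
    return issuer_accepts(CARD_KEY, challenge, response), rtt
```

Without a timing bound the issuer accepts the relayed transaction exactly as it accepts the genuine one, which is why the bank sees nothing unusual; only the measured round trip separates the two.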

Update (2007-01-10): The segment of Watchdog featuring our contribution has been posted to YouTube.

Entry filed under: Banking security, Legal issues, News coverage, Security economics

13 comments

  • 1. Surreptitious Evil  |  February 6th, 2007 at 12:15 UTC

    Very well done, folks.

    Interestingly, the fundamental flaw (the lack of a card holder trusted / trustable display of the transaction details) is also one of the main (technical as opposed to economic) reasons why roll-out of cryptographically strong authentication for online banking is taking so long in the UK.

    In the online banking case, the challenge (from bank to customer browser) needs to be a human parsable subset of the transaction details, containing enough information to validate both value and the 2nd party, as well as enough random data to prevent protocol level attacks. This is actually quite hard to do in a consumer-usable manner, especially given the restrictions around disability discrimination issues.

    Looking forward to the programme.

    S-E

  • 2. JR  |  February 6th, 2007 at 16:20 UTC

    The solution: Limit the use of the PIN to high value transactions. EMV already has this option, the banks have only to decide to use it.

    Any use of the PIN entails a risk of exposure, by various means – those described, shoulder surfing, hidden cameras or whatever. This risk, multiplied by the average damage of a revealed PIN, is indicative of the limit below which the use of the PIN is economically unjustified.

  • 3. .$author.  |  February 6th, 2007 at 16:26 UTC

    [...] Blue Touchpaper has details of another attack on the supposedly secure Chip & Pin [...]

  • 4. Mike Whittaker  |  February 6th, 2007 at 19:06 UTC

    I have long complained that the ‘swipe’ C&P tills as used by Marks&Spencer and Tesco among others present a security risk, in that the customer’s card is swiped on one terminal next to the screen (and hence the magstripe can be read) while the actual PIN is entered on the small numeric terminal.

    This then potentially allows the shop to have read the card magstripe (cloneable and useable in an ATM) and the PIN from the keypad.

    The Chip and PIN initiative should have emphasised that the card reader and PIN entry *must be on the same physical device*. These composite tills undermine customer safeguards.

    When are bank ATMs going to go all-chipcard?!

  • 5. Surreptitious Evil  |  February 6th, 2007 at 20:23 UTC

    Guys,

    Great and you don’t seem to be nearly ugly enough to keep in infosec as a profession (ask Richard :) .

    Just two questions, which I will understand if you don’t or can’t answer …

    1. How many takes?

    2. How many of those were due to the tech and how many to the luvvies?

    S-E

  • 6. Rich  |  February 6th, 2007 at 20:50 UTC

    How does the challenge/response get from the hacked card to Carol’s laptop? Are wireless & programmable smart cards readily available, or is there a wire up her sleeve (a bit obvious I would have thought?)

  • 7. Steven J. Murdoch  |  February 6th, 2007 at 21:28 UTC

    @Surreptitious Evil

    How many takes?

    We were on location for about 7 hours on Friday, but they didn’t get all the shots they needed so came back on Monday for about 5 hours. The problem was that they only had one camera, so on Friday, they had the real terminal on the same table as the fake one. This meant they could film it all in one shot, but after talking to their editorial policy folks, they realised they weren’t able to show the restaurant scenario.

    So on Monday they came back, but by that time Saar had left for Germany so I had to rope Robert into letting me borrow his laptop and help me set everything up. This was especially problematic since Saar built pretty much all of the hardware, and I didn’t have much experience in using it. However, we successfully performed the relay attack, through two shops, so they could use the footage of the restaurant.

    How many of those were due to the tech and how many to the luvvies?

    Actually our kit successfully performed the transaction first time, on both occasions, which is a credit to Saar’s engineering. It took a bit of tweaking for it to pass the self test, but once it did, the real transaction went through smoothly.

    What took most of the time was the working through the explanation of what happened, as each shot had to be done several different times, for each of several different camera angles. The street outside the shop is pretty busy, so it was also hard to find a time when there were no people doing anything too silly in the shot (the crew took a while to get rid of a drunk who was fascinated with the proceedings).

  • 8. Steven J. Murdoch  |  February 6th, 2007 at 21:34 UTC

    @Rich

    How does the challenge/response get from the hacked card to Carol’s laptop?

    We used a wire (see the photo), but it would be plausible for an attacker to create a wireless version. As we only wanted a proof of concept, doing it wired was adequate. Still, in the run up to the programme, we tried holding onto our card during normal transactions, as if there was a wire, and nobody was bothered.

  • 9. Tom Coyle  |  February 6th, 2007 at 23:37 UTC

    Guys, you do excellent work and the piece for Watchdog was a great public service.

    I have visited your site many times since retiring (early) from a bank. I’m sure you can check my visits from this comment. I might be grey and balding but I’ve stayed current. 12 years with a PC and 9 of those with an online connection have made me aware of the nasties “computers” bring with them. Sadly, Government and commerce only see what they want to and need to.

    The world is changing. Banking is changing.

    Challenging business values is not a popular concept in sales cultures. My closing 18 months or so involved me in more contact with electronic fraud and identity theft than the entire preceding 32 years.

    Your knowledge, expertise and integrity is to be highly commended.

  • 10. .$author.  |  February 8th, 2007 at 18:26 UTC

    [...] the scenarios mentioned above, our demonstration for Watchdog showed how, even without cloning a card, a Chip & PIN terminal could be fooled into accepting a [...]

  • 11. .$author.  |  February 11th, 2007 at 21:04 UTC

    [...] good, and getting a PIN out of a banking smart card remains a very difficult task. Nevertheless, the latest paper of Cambridge’s research lab describes a nice attack on Chip & PIN. Their attack does [...]

  • 12. Maggie Brown  |  March 4th, 2007 at 10:06 UTC

    The Royal Bank of Scotland had a good system for all its cards, including Visa, for a few years. Your photo was on the back and this, as well as your signature, was excellent proof of your ownership. However, many shop staff did not seem aware of this at all and I found myself training them to check the back of the card for the photo as well as the signature. Sometimes they didn’t even check the back of the card for the signature. If all banks had had the photo system then shop assistants would have remembered to check.

    My concern now is the extra 3 digits on the back of the card. Why are these of any use? If a criminal has the card then they will have the three digits as well!

    Chip and pin is the worst system for so-called security I have ever come across. Who invented it? Margaret

  • 13. James  |  March 20th, 2007 at 14:10 UTC

    I’ve been using my ‘Thumbprint’ in lieu of my signature with my Chip & Signature cards for over a year now. I’ve used this method of cardholder verification at over 120 retailers throughout the country and once abroad. Retailers have welcomed this, saying it’s safer than using a PIN. It is easier to visually check my print against that on the card’s signature strip than it would be a written signature. In a face to face scenario you can’t forge, forget, lose or compromise your print. This method acts as a deterrent, while unlike a PIN, if there ever was a disputed transaction on my account, not only could I prove it wasn’t my print, but the offender’s print can be given to the law enforcement agencies.

    The system can easily be adapted for deterring theft when purchasing goods via the Internet, mail order, fax or by phone.

    Together we can beat fraud, well we certainly can reduce it.
