Chip & PIN relay attacks

Saar Drimer and I have shown that the Chip & PIN system, used for card payments in the UK, is vulnerable to a new kind of fraud. By “relaying” information from a genuine card, a Chip & PIN terminal in another shop can be made to accept a counterfeit card. We previously discussed this possibility in “Chip & Spin”, but it was not until now that we implemented and tested the attack.

A fraudster sets up a fake terminal in a busy shop or restaurant. When a genuine customer inserts their card into this terminal, the fraudster’s accomplice, in another shop, inserts a counterfeit card into the merchant’s terminal. The fake terminal reads details from the genuine card and relays them to the counterfeit card, so that the counterfeit card is accepted. The genuine card has no display of its own and cannot tell which terminal it is really talking to, so it answers the relayed challenges exactly as it would in a normal transaction, for whatever amount and merchant the distant terminal presents. The PIN is recorded by the fake terminal and sent to the accomplice to enter, and they can then walk off with the goods. To the victim, everything seemed normal, but when their statement arrives they will find that they have been defrauded.

Photo: equipment used in the relay attack.

From the banks’ perspective, there is nothing unusual about this transaction: to them, it appears that the real card was used, with its chip, along with the correct PIN. Banks have previously claimed that if a fraudulent Chip & PIN transaction was placed, then the customer must have been negligent in protecting their card and PIN, and so must be liable. This work shows that even when customers take all due care in using their card, they can still be the victim of fraud.
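The exchange described above, as an added example that is not part of the original post and not the authors' code. It is a simulation: the card/bank protocol is a deliberately simplified stand-in for EMV (assumptions: one symmetric key per card shared with the issuer, an HMAC in place of the EMV application cryptogram, the PIN checked by the card, a 4-byte random nonce standing in for the terminal's unpredictable number). The PAN, PIN, merchant names, amounts and the per-hop latency figure are constructed for the example. It shows the genuine card in the fake terminal answering commands relayed from the counterfeit card in the real terminal, and the issuer approving a transaction whose merchant and amount the victim never saw.

```python
"""Relay attack simulation (added example, not the authors' code).
Simplified EMV stand-in (assumptions): one symmetric key per card shared with
the issuer, HMAC in place of the application cryptogram, PIN checked by the
card. PAN, PIN, merchants, amounts and latency are constructed."""
import hashlib
import hmac
import os


def _cryptogram(key, pan, amount, merchant, nonce):
    msg = f"{pan}|{amount}|{merchant}|{nonce.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class GenuineCard:
    """The victim's real card, sitting in the fraudster's fake terminal."""
    def __init__(self, pan, pin, key):
        self.pan, self._pin, self._key = pan, pin, key

    def read_pan(self):
        return self.pan

    def verify_pin(self, pin):
        return hmac.compare_digest(pin.encode(), self._pin.encode())

    def generate_cryptogram(self, amount, merchant, nonce):
        # No display on the card: it signs whatever amount/merchant it is told.
        return _cryptogram(self._key, self.pan, amount, merchant, nonce)


class Bank:
    """Issuer: holds each card's key, checks the cryptogram the merchant forwards."""
    def __init__(self, keys):
        self._keys = keys  # pan -> key

    def authorise(self, pan, amount, merchant, nonce, cryptogram):
        expected = _cryptogram(self._keys[pan], pan, amount, merchant, nonce)
        return hmac.compare_digest(expected, cryptogram)


class MerchantTerminal:
    """A real terminal; it talks to whatever card is in its slot."""
    def __init__(self, merchant, bank):
        self.merchant, self.bank = merchant, bank

    def transact(self, card, amount, pin_entered):
        nonce = os.urandom(4)  # stand-in for the EMV unpredictable number
        pan = card.read_pan()
        if not card.verify_pin(pin_entered):
            return False, None
        ac = card.generate_cryptogram(amount, self.merchant, nonce)
        approved = self.bank.authorise(pan, amount, self.merchant, nonce, ac)
        return approved, {"pan": pan, "amount": amount, "merchant": self.merchant}


class FakeTerminal:
    """Fraudster's terminal in the restaurant: holds the genuine card, records the
    PIN the victim types, and answers commands relayed from the accomplice."""
    def __init__(self):
        self.card, self.captured_pin = None, None

    def victim_pays(self, card, pin):
        self.card, self.captured_pin = card, pin

    def handle(self, command, *args):
        return getattr(self.card, command)(*args)


class CounterfeitCard:
    """Accomplice's card in the real terminal. Every command is relayed over the
    link (a wire in the demo; a phone would do) to the fake terminal, and each
    relayed command costs one extra round trip of delay."""
    def __init__(self, fake_terminal, rtt_ms):
        self.fake, self.rtt_ms = fake_terminal, rtt_ms
        self.log, self.added_delay_ms = [], 0

    def _relay(self, command, *args):
        self.log.append(command)
        self.added_delay_ms += self.rtt_ms
        return self.fake.handle(command, *args)

    def read_pan(self):
        return self._relay("read_pan")

    def verify_pin(self, pin):
        return self._relay("verify_pin", pin)

    def generate_cryptogram(self, amount, merchant, nonce):
        return self._relay("generate_cryptogram", amount, merchant, nonce)


def run_relay_attack(rtt_ms=150):
    """Victim 'pays' 20 at the restaurant; the accomplice buys 2000 of jewellery."""
    key = os.urandom(16)
    victim_card = GenuineCard(pan="5555000000001234", pin="1234", key=key)
    fake = FakeTerminal()
    fake.victim_pays(victim_card, pin="1234")  # what the victim sees as a normal bill
    counterfeit = CounterfeitCard(fake, rtt_ms)
    jeweller = MerchantTerminal("Jeweller", Bank({victim_card.pan: key}))
    approved, record = jeweller.transact(counterfeit, 2000, fake.captured_pin)
    return approved, record, counterfeit
```

Running `run_relay_attack()` returns an approved transaction whose record names the jeweller and the amount 2000, with the victim's PAN and a cryptogram the issuer accepts, even though the victim only ever saw a restaurant bill. The `added_delay_ms` counter is not a defence, only the observable the attack cannot avoid: every relayed command costs a round trip between the two shops, and a defence that measures that extra time (distance bounding, which is what the authors' paper proposes) is the natural countermeasure.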

For more information, we have a summary of the technique and an FAQ. This attack will be featured on Watchdog, tonight (6 February) at 19:00 GMT on BBC One. The programme will show how we successfully sent details between two shops in the same street, but it should work equally well, via mobile phone, to the other side of the world.

It is unlikely that criminals are currently using techniques such as this, as there are less sophisticated attacks to which Chip & PIN remains vulnerable. However, as security is improved, the relay attack may become a significant source of fraud. It is therefore important that defences against this attack are deployed sooner rather than later. We discuss defences in our draft academic paper, which has been submitted for review at a peer-reviewed conference.

Update (2007-01-10): The segment of Watchdog featuring our contribution has been posted to YouTube.

13 thoughts on “Chip & PIN relay attacks”

  1. Very well done, folks.

    Interestingly, the fundamental flaw (the lack of a card holder trusted / trustable display of the transaction details) is also one of the main (technical as opposed to economic) reasons why roll-out of cryptographically strong authentication for online banking is taking so long in the UK.

    In the online banking case, the challenge (from bank to customer browser) needs to be a human parsable subset of the transaction details, containing enough information to validate both value and the 2nd party, as well as enough random data to prevent protocol level attacks. This is actually quite hard to do in a consumer-usable manner, especially given the restrictions around disability discrimination issues.

    Looking forward to the programme.

    S-E

  2. The solution: Limit the use of the PIN to high value transactions. EMV already has this option, the banks have only to decide to use it.

    Any use of the PIN entails a risk of exposure, by various means – those described, shoulder surfing, hidden cameras or whatever. This risk, multiplied by the average damage of a revealed PIN, is indicative of the limit below which the use of the PIN is economically unjustified.

  3. I have long complained that the ‘swipe’ C&P tills as used by Marks & Spencer and Tesco among others, present a security risk, in that the customer’s card is swiped on one terminal next to the screen (and hence the magstripe can be read) while the actual PIN is entered on the small numeric terminal.

    This then potentially allows the shop to have read the card magstripe (cloneable and usable in an ATM) and the PIN from the keypad.

    The Chip and PIN initiative should have emphasised that the card reader and PIN entry *must be on the same physical device* . These composite tills undermine customer safeguards.

    When are bank ATMs going to go all-chipcard ?!

  4. Guys,

    Great and you don’t seem to be nearly ugly enough to keep in infosec as a profession (ask Richard :).

    Just two questions, which I will understand if you don’t or can’t answer …

    1. How many takes?

    2. How many of those were due to the tech and how many to the luvvies?

    S-E

  5. How does the challenge/response get from the hacked card to Carol’s laptop? Are wireless & programmable smart cards readily available, or is there a wire up her sleeve (a bit obvious I would have thought?)

  6. @Surreptitious Evil

    How many takes?

    We were on location for about 7 hours on Friday, but they didn’t get all the shots they needed so came back on Monday for about 5 hours. The problem was that they only had one camera, so on Friday, they had the real terminal on the same table as the fake one. This meant they could film it all in one shot, but after talking to their editorial policy folks, they realised they weren’t able to show the restaurant scenario.

    So on Monday they came back, but by that time Saar had left for Germany so I had to rope Robert into letting me borrow his laptop and help me set everything up. This was especially problematic since Saar built pretty much all of the hardware, and I didn’t have much experience in using it. However, we successfully performed the relay attack, through two shops, so they could use the footage of the restaurant.

    How many of those were due to the tech and how many to the luvvies?

    Actually our kit successfully performed the transaction first time, on both occasions, which is a credit to Saar’s engineering. It took a bit of tweaking for it to pass the self test, but once it did, the real transaction went through smoothly.

    What took most of the time was working through the explanation of what happened, as each shot had to be done several different times, for each of several different camera angles. The street outside the shop is pretty busy, so it was also hard to find a time when there were no people doing anything too silly in the shot (the crew took a while to get rid of a drunk who was fascinated with the proceedings).

  7. @Rich

    How does the challenge/response get from the hacked card to Carol’s laptop?

    We used a wire (see the photo), but it would be plausible for an attacker to create a wireless version. As we only wanted a proof of concept, doing it wired was adequate. Still, in the run up to the programme, we tried holding onto our card during normal transactions, as if there was a wire, and nobody was bothered.

  8. Guys, you do excellent work and the piece for Watchdog was a great public service.

    I have visited your site many times since retiring (early) from a bank. I’m sure you can check my visits from this comment. I might be grey and balding but I’ve stayed current. 12 years with a PC and 9 of those with an online connection have made me aware of the nasties “computers” bring with them. Sadly, Government and commerce only see what they want to and need to.

    The world is changing. Banking is changing.

    Challenging business values is not a popular concept in sales cultures. My closing 18 months or so involved me in more contact with electronic fraud and identity theft than the entire preceding 32 years.

    Your knowledge, expertise and integrity is to be highly commended.

  9. The Royal Bank of Scotland had a good system for all its cards, including Visa, for a few years. Your photo was on the back and this, as well as your signature, was excellent proof of your ownership. However, many shop staff did not seem aware of this at all and I found myself training them to check the back of the card for the photo as well as the signature. Sometimes they didn’t even check the back of the card for the signature. If all banks had had the photo system then shop assistants would have remembered to check.

    My concern now is the extra 3 digits on the back of the card. Why are these of any use? If a criminal has the card then they will have the three digits as well!

    Chip and pin is the worst system for so-called security I have ever come across. Who invented it? Margaret

  10. I’ve been using my ‘Thumbprint’ in lieu of my signature with my Chip & Signature Cards for over a year now. I’ve used this method of cardholder verification at over 120 retailers throughout the country and once abroad. Retailers have welcomed this, saying it’s safer than using a PIN. It is easier to visually check my print against that on the card’s signature strip than it would be a written signature. In a face to face scenario you can’t forge, forget, lose or compromise your print. This method acts as a deterrent, while unlike a PIN if there ever was a disputed transaction on my account, not only could I prove it wasn’t my print, but the offender’s print can be given to the law enforcement agencies.

    The system can easily be adapted for deterring theft when purchasing goods via the Internet, mail order, fax or by phone.

    Together we can beat fraud, well we certainly can reduce it.
