Comments on: Chip and Skim: cloning EMV cards with the pre-play attack

By: JW

JW — Thu, 09 May 2013 11:10:43 +0000

Mike, I have a question, apologies if this is a silly one, but Ive read the Cambridge paper, and although it was on the verge of being out of my technical expertise, I think I understand the basics.

From what I gather, what is needed to replay the transaction is the following:
ARQC (a DES wrapper of: transaction counter, card details and the MAC)
MAC (a des wrapper of 4-byte TVR data, UN, amount, currency and time/date stamp)
This leaves us with a DES message of 16bit number, the symmetrical key-encrypted IAD, and the DES encrypted MAC.

If we can predict the UN, then we can retrieve the MAC. What is the significance of this, when we cannot access the IAD, or can the IAD encrypted block simply be sent to the acquirer, who will check it as if it came from a real card? The only unique piece of data, it seems to me, within an EMV transaction will be the internal transaction counter within the card and the timestamp. In theory, every other piece of information can be identical. Why, then, is predicting the UN the key to replaying a transaction?

By: JB

JB — Fri, 01 Feb 2013 13:22:57 +0000

Two months ago, there were cash withdrawals from ATM’s in the town where I live, Lausanne, Switzerland. This was done using my credit card and it was quite a large amount. The credit card is still in my possession and I did not make the withdrawals myself.

However, the bank claims the money was withdrawn with the chip on the card using the PIN code. They also claim it is impossible to copy and for that reason it must have been me.

The problem is that it was not me, nor did i ever give my PIN code to anyone. So how could this have happened? I have used my credit card in some shops in Lausanne the week before, could it have been copied?

Thanks for your help and comments!

By: Sue Smith

Sue Smith — Mon, 03 Dec 2012 00:01:57 +0000

My debit card and pin and been used fraudulently. I have my debit card in my possession and only use it at Bank and ATM. I just reported the fraudulent use of my card and was told as it’s chip and pin the user must have had physical possession. Just found this sie while trying to ascertain how this could happen when my card has been in my possession 24/7.

By: Ross Anderson

Ross Anderson — Tue, 09 Oct 2012 11:14:11 +0000

Coverage in China

By: Eliot Lear

Eliot Lear — Thu, 20 Sep 2012 20:12:24 +0000

Mike, as usual, fantastic work from you and your team. My concern is precisely the one you raise in your conclusion. In the case of the U.S credit card system, since banks pay for fraud they have a vested interest in stopping it. Merchant banks in the U.S. have some idea as to where fraud is being committed, because they can see it in the merchant sales patterns. Here, the onus is on the consumer, who has no access to the merchant sales pattern. What economic motivation does the bank have in this case to take action to fix the problem? Why would the merchant do anything?

By: EMV Academy

EMV Academy — Thu, 20 Sep 2012 17:49:11 +0000

We all know that no technology is absolutely secure – if enough effort, time and money spent, it can be compromised.
The report quoted was based on work done in a lab environment. More importantly, the report states that they used test cards with known card Master keys to generate the cryptogram. This is the flaw of the test. The card Master key cannot be extracted from the card – the cards have hardware and software in place to prevent tampering and will self-destruct if they are tampered with.

By: Mark Sitkowski

Mark Sitkowski — Wed, 19 Sep 2012 04:28:44 +0000

Dear me! All this fuss over something as simple as identity authentication…
What would be really good, would be some kind of telepathic password, which you could communicate to your bank, each time you needed to access your account online, and it would be really handy, if your mind could also transmit this password to the ATM.
Well, that’s obviously not going to happen so, how about a compromise, where you transmit to your bank, information about your telepathic password, which only your bank understands?
Yes, but the camera, and the malware, would record what you typed, and use it to get into your account. Okay, then, how about, if what you typed only worked once. Then, using the same keystrokes a second time would be useless. That would work, but how does the bank know that, what you typed the second time, represented the same telepathic password? Also, you certainly wouldn’t want to contact your bank every day, to get a new method of transmitting your telepathic password.
How about this, then? Each time you want to access your account, a popup shows you an alphabet, with a number under each letter, and you type the numbers, instead of the letters?
Okay, that’s obviously bad because the camera would pick up the numbers but, what if the numbers were all scrambled? That’s better, but the camera would still get you, and the malware would still send them back to the sociopath who, after a few months, would be able to guess your password, from the patterns of the numbers.
What about, if there were only two numbers and, what if there were two alphabets, in upper and lower case? Then your telepathic password would be represented by a selection from 52 letters, each letter identified by one of two random digits. If the pattern of the digits changed randomly, with each access, then your telepathic password of “gobbledeygook” would be “1000110011001” the first time but, the second time, it would be “1110010001101”.
Now we’re getting somewhere. The camera sees you entering a pattern of 1’s and 0’s, each of which could correspond to any one of 20 or 30 letters, the network snooper sees the numbers, but not the letters, and the malware sees both, but doesn’t know what they mean. Luckily, you took maths in college, and spend a lot of time in the casino, so you know how to calculate odds, and you can see they’re now in your favour, but you still want them to be better, because you work with classified documents, and really need to have tight security. What if you had two passwords, and added them together? What if you added or subtracted ‘1’ from every other letter What if…? You’re tempted to call this ‘Uncrackable Authentication’
Aha! I hear you cry. How do I get my telepathic password, in the first place? The malware is watching my browser and my email, and will pick up the keystrokes when I type it into any form I fill in. How am I going to enter my password? Well, it might ne good, if I had a set of alphabets but, this time, the letters were pictures of letters, and they, themselves, were scrambled, and referenced by a set of numbers. Then, the malware would pick up the mouse strokes, but would only know that they corresponded to a selection of pictures, with random names. Let’s be realistic, however. If there’s a spy camera, watching you do this, it will pick up what you enter. On the bright side, you’ll be doing this at home, probably only once a year, or so, with only the malware to contend with – unless you’ve fallen foul of the CIA, or your wife has her suspicions about you…
One day, quite by chance, you stumble upon a site at http://www.designsim.com.au recommended by your friend at the FBI (he got it from some guy in military intelligence), and you say to yourself, Hey, they stole my idea”, but you look at it anyway.

By: Matt Palmer

Matt Palmer — Tue, 18 Sep 2012 12:37:07 +0000

Mike,

fascinating research and yet another timely reminder that real world security is often broken by poor implementation (and complicated, confusing specifications!).

The timing aspect of the final stage of the attack would seem to make it harder to exploit in attended payment environments, although I may be wrong about that.

I would like to ask how the complexity/risk/reward balance of this attack plays out in an attended payment environment (for example in retail, rather than against ATMs).

By: Shaun

Shaun — Mon, 17 Sep 2012 04:29:50 +0000

so 1350 Euros in five transactions. Was each transaction for 270 Euros?

If not had Alex made a transaction for each of the amounts previously at similar ATMs?

By: Milos

Milos — Sun, 16 Sep 2012 20:27:22 +0000

“you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location.”

===

Well I do not believe so – the ‘replayed ARQC’ carries in itself the actual original transaction date – bank authorization host must catch this if submitted on a different date, also the most bank authorization hosts will catch ‘duplicate ARQC’ submission and simply DECLINE the transaction.