Cambridge Researchers Uncover Chip and Pin Security Flaw
Researchers at the University of Cambridge recently discovered a vulnerability in chip-and-PIN technology that could enable the cloning of bank cards.

"In a paper [PDF file] presented to a cryptography conference in Belgium on Tuesday, the ... researchers said the flaw undermined banks' claims that the chip-and-PIN or 'EMV' system was prohibitively expensive to clone," writes ZDNet's David Meyer. "'We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit,' the researchers said in the paper's abstract."

"Researcher Mike Bond, one of the authors of the paper, discussed the flaw on a blog posting," writes TechWeekEurope's Tom Jowitt. "He revealed he began looking at the problem after a customer of HSBC, Alex Gambin, had his wallet pickpocketed in Palma, Mallorca, and within an hour of the theft five ATM withdrawals had been made using his card totalling €1,350 ... 'We examined Alex’s log data in detail and found the vulnerabilities in the ATM,' wrote Bond on his blog. He said the problem was to do with half of the ATMs they had studied not generating random numbers."

"Each time a customer is involved in a chip and pin transaction, be it withdrawing cash or purchasing goods in a shop, a unique 'unpredictable number' is created to authenticate the transaction," BBC News reports. "The unpredictable number (UN), generated by software within cash points and other similar equipment, is supposed to be chosen at random. But researchers discovered that in many cases lacklustre equipment meant the number was highly predictable, because dates or timestamps had been used."
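The paragraph above describes the failure mode: a terminal's "unpredictable number" that is actually derived from a date, timestamp or counter. As an added example (not code from the researchers or the article), here is a set of heuristic checks that an acquirer or auditor could run over the UNs recorded in a terminal's transaction log to spot a generator of that kind; the sample UNs and the thresholds are constructed assumptions for this illustration.

```python
from typing import Dict, List

# Constructed sample data (not from the paper): twelve 32-bit EMV
# unpredictable numbers (UNs) as a terminal would emit them in successive
# transactions. Terminal A derives its UN from a clock that ticks once a
# minute; terminal B draws each UN from a proper random source.
TERMINAL_A_UNS = [0x4F4C2A10 + 60 * i for i in range(12)]
TERMINAL_B_UNS = [0x8F3A21C7, 0x1B9E66D4, 0xE2047BA9, 0x5C7F1D32,
                  0xA913F0E5, 0x3E6BC4D8, 0xF7250A1B, 0x6D8E93FC,
                  0x04C5A769, 0xB1F28E4A, 0x7A3D5C0F, 0xC869E3B6]

UN_BITS = 32
MIN_VARYING_BITS = 24      # assumed threshold for this example
MAX_SMALL_DELTA = 1 << 16  # assumed threshold for this example


def assess_unpredictable_numbers(uns: List[int]) -> Dict[str, object]:
    """Heuristic checks over one terminal's recent UNs.

    A genuinely random 32-bit generator will almost never trip these checks
    over a dozen samples; a clock- or counter-based one trips several.
    """
    if len(uns) < 4:
        raise ValueError("need at least four UNs to say anything useful")
    reasons = []

    # 1. Repeats: a random 32-bit value should not recur in a dozen draws.
    if len(set(uns)) < len(uns):
        reasons.append("repeated values")

    # 2. Bits that never change across the sample point to a fixed prefix,
    #    e.g. the high bits of a date, or a counter using only a few bits.
    varying = 0
    for u in uns:
        varying |= u ^ uns[0]
    varying_bits = bin(varying).count("1")
    if varying_bits < MIN_VARYING_BITS:
        reasons.append(f"only {varying_bits} of {UN_BITS} bits vary")

    # 3. Strictly increasing values with small steps look like a clock/counter.
    deltas = [b - a for a, b in zip(uns, uns[1:])]
    if all(d > 0 for d in deltas):
        reasons.append("strictly increasing")
    if max(abs(d) for d in deltas) < MAX_SMALL_DELTA:
        reasons.append("successive values differ by less than 2^16")

    return {"predictable": bool(reasons), "reasons": reasons,
            "varying_bits": varying_bits}
```

Run over terminal A the checks flag a strictly increasing, low-variance sequence with only 9 of 32 bits ever changing; terminal B passes cleanly.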

"The researchers say they notified the appropriate banking industry organizations of their findings in early 2012, but opted to publish their work because they believe it helps to explain a good portion of the unsolved phantom withdrawal cases reported to them for which they previously had no explanation," writes Krebs on Security's Brian Krebs.