9/18/12

Light Blue Touchpaper Blog Archive Chip and Skim: cloning EMV cards with the pre-play attack

Light Blue Touchpaper

Security Research, Computer Laboratory, University of Cambridge
Go!

Home About Archives Authors

Chip and Skim: cloning EMV cards with the pre-play attack
September 10th, 2012 at 19:25 UTC by Mike Bond November last, on the Eurostar back from Paris, something struck me as I looked at the logs of ATM withdrawals disputed by Alex Gambin, a customer of HSBC in Malta. Comparing four grainy log pages on a tiny phone screen, I had to scroll away from the transaction data to see the page numbers, so I couldnt take in the big picture in one go. I differentiated pages instead using the EMV Unpredictable Number field a 32 bit field thats supposed to be unique to each transaction. I soon got muddled up it turned out that the unpredictable numbers well werent. Each shared 17 bits in common and the remaining 15 looked at first glance like a counter. The numbers are tabulated as follows:
F260 14E4 F215 1434 F242 1438 F274 1438

And with that the ball started rolling on an exciting direction of research thats kept us busy the last nine months. You see, an EMV payment card authenticates itself with a MAC of transaction data, for which the freshly generated component is the unpredictable number (UN). If you can predict it, you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location. You can as good as clone the chip. Its called a pre-play attack. Just like most vulnerabilities we find these days some in industry already knew about it but covered it up; we have indications the crooks know about this too, and we believe it explains a good portion of the unsolved phantom withdrawal cases reported to us for which we had until recently no explanation. Mike Bond, Omar Choudary, Steven J. Murdoch, Sergei Skorobogatov, and Ross Anderson wrote a paper on the research, and Steven is presenting our work as keynote speaker at Cryptographic Hardware and Embedded System (CHES) 2012, in Leuven, Belgium. We discovered that the significance of these numbers went far beyond this one case. Lets go back to the start. Alex Gambin had his wallet pickpocketed in Palma, Mallorca, and within an hour of
www.lightbluetouchpaper.org/2012/09/10/chip-and-skim-cloning-emv-cards-with-the-pre-play-attack/ 1/8

9/18/12

Light Blue Touchpaper Blog Archive Chip and Skim: cloning EMV cards with the pre-play attack

the theft five ATM withdrawals had been made using his card totalling 1350, yet he never wrote down his PIN. Early on Alex smelled a rat. He contacted us and we linked his case with a wave of others across Spain. Alex talks about his case (in Maltese), and investigative journalist Sabina Wolf timed the maximum speed of consecutive withdrawals for one of the other cases in the wave of Anette Luckey (in German). She found that the ATM in question could not keep up with the withdrawal speeds which had been logged. Luckey has since been refunded but HSBC Malta has not done the same for Alex. Expecting some sort of foul play we examined Alexs log data in detail and found the vulnerabilities in the ATM. Either there is a causal linkage between Alexs fraud and the deficiencies in the ATM, or these deficiencies are extremely widespread. We then went back and reviewed log data from older disputes some still unsolved and found ATMs with similar obvious non-uniformity in the logged unpredictable numbers. We set out to systematically harvest unpredictable numbers in quantity from local ATMs to look for predictable random number generators. So far we have performed more than 1000 transactions at more than 20 ATMs and a number of POS terminals, and are collating a data set for statistical analysis. We have developed a passive transaction logger which can be integrated into the substrate of a real bank card, which records up to 100 unpredictable numbers in its EEPROM. Our analysis is ongoing but so far we have established non-uniformity of unpredictable numbers in half of the ATMs we have looked at.

We also acquired three ATMs from Ebay and have been analysing them to determine the random number generation algorithm. Our work is ongoing reverse engineering is manpower intensive.

www.lightbluetouchpaper.org/2012/09/10/chip-and-skim-cloning-emv-cards-with-the-pre-play-attack/

2/8

9/18/12

Light Blue Touchpaper Blog Archive Chip and Skim: cloning EMV cards with the pre-play attack

As we considered the ramifications of the attack we realise that there are bigger issues at stake. First, there is an easier attack than predicting the RNG. Since the unpredictable number is generated by the terminal but the relying party is the issuing bank, any intermediate party from POS terminal software, to payment switches, or a middleman on the phone line can intercept and superimpose their own choice of UN. Attacks such as those of Nohl and Roth, and MWR Labs show that POS terminals can be remotely hacked simply by inserting a sabotaged smartcard into the terminal. Such an attack is powerful as the terminal can be rigged to show transaction approval regardless of what the bank says, but such a brazen attack would be detected quickly when the merchants books fail to balance. But to use malware to inject stolen transactions would be far harder to detect and trace back, as it would be down to the cardholder to complain; and as cardholders are routinely stonewalled by banks who claim that EMV is secure, and whose fraud teams lack the skills and tools to do proper investigations, the crooks will have much longer to cash out. Second, there are legal ramifications: It can no longer be taken for granted that data in a transaction log was harvested at the time and place claimed, which undermines the reliability of evidence in both civil and criminal cases. To show that a given transaction was made by a particular card, it is now necessary to show that the random number generator on the ATM or POS was sound, and that neither the UN nor the ARQC was modified during transit. Third, there are public policy issues. Just as banking regulators were too ready up till 2008 to believe banks assurances about credit risk, so also have most regulators been insufficiently sceptical about their claims in respect of operational risk. We have described some of the complaints we receive regularly from bank customers that stolen cards have been used in circumstances where the PIN could not have been compromised, and yet whose bank refuses a refund claiming its records show the PIN was used. Many of these customers are credible witnesses and it is not believable that they are all mistaken or lying. When we investigate their claims we often find serious vulnerabilities which the industry failed to disclose. It appears that some parties were already aware of the random number deficiencies we describe in todays paper but failed to take action. This raises serious issues for regulators. Entry filed under: Academic papers, Banking security, Hardware & signals, Legal issues, Protocols
www.lightbluetouchpaper.org/2012/09/10/chip-and-skim-cloning-emv-cards-with-the-pre-play-attack/ 3/8

9/18/12

Light Blue Touchpaper Blog Archive Chip and Skim: cloning EMV cards with the pre-play attack

19 comments Add your own

1. David | September 11th, 2012 at 20:05 UTC Um it sounds like YOU are trying to steal data, not act like a savior You are trying to decode the original program and tell everyone how it is done. So now how are you attacking banks by unveiling their operational risks as well as their credit dangers? and sabotaged smartcard into the terminal whats that??? Go back to the matrix and let me get back to my life! 2. S | September 11th, 2012 at 22:48 UTC David: Do you believe in security by obscurity? 3. Dan Midwood | September 11th, 2012 at 23:57 UTC David, let me expand on Ss comment, The research above is not intended to expose flaws to exploit, but to determine the methods current exploits are using. Consider it a battle tactic, think like the enemy to defeat the enemy. 4. Steve | September 12th, 2012 at 08:01 UTC The fact is that if this WAS a current attack then fraud against chip and pin cards would be widespread and not sporadic. Can you imagine the value of such an attack to fraudsters? Why would there not be a widespread and sustained series of attacks taking high value withdrawals? Rosss team have done some good work in the past in revealing a couple of genuine, if obscure, vulnerabilities but most of their announcements are sensationalism and self-serving PR. What do you need from any secure system? Enough security to prevent economic fraud you get more back than it costs to perpetrate the attack, and that the risk of discovery is low. Now you have chip cards and you have mag stripe cards which one would YOU go after? Exactly. 5. Andreas | September 12th, 2012 at 08:01 UTC Do this vulnerabilities apply only to EMV payment cards (issued by credit card companies) or also to so called ec electronic cash chip based debit cards (mostly issued by banks)? 6. Steve | September 12th, 2012 at 08:08 UTC Also can anyone explain to me what card/bank issuing relationship allows someone to withdraw e1350 on the same day? Everywhere I go I hit the same withdrawl limits on daily use, whether in my home country, Europe or the US. Given that the ATM is online and requires either a stand-in or explicit auth from the issuer how is this possible? 7. mr nox | September 12th, 2012 at 10:11 UTC Just wondering if the code was examined on the 3 atms from ebay to look for something like collecting the card information & calling home with that info. I would really avoid using portable atms like those pictured. I have seen some in corner stores that have a phone line that
www.lightbluetouchpaper.org/2012/09/10/chip-and-skim-cloning-emv-cards-with-the-pre-play-attack/ 4/8

9/18/12

Light Blue Touchpaper Blog Archive Chip and Skim: cloning EMV cards with the pre-play attack

runs out of the back of them & just go up into the ceiling or all bunched up on the floor next to the machine. Interesting research on this topic 8. Janet | September 12th, 2012 at 19:23 UTC Interesting, what chip is being used in these cases. Is it DDA or SDA ? 9. Jonathan Rosenne | September 13th, 2012 at 04:45 UTC The attack does not seem to affect the main purpose of EMV, which is to detect cloned cards. And I cannot see the connection with the Luckey incident. 10. Mike Bond | September 13th, 2012 at 10:13 UTC @Steve Crooks in general feed like parasites on society. If they hurt the banks or customers too hard then a new round of innovation is forced and the banks come up with a countermeasure or fund the police to try and arrest them. Therefore it is in their interest to commit enough fraud to get rich but not so much that they get hunted down and stopped. Simply put, they get too greedy, they lose. All new fraud methods start out small and benefit the smart crooks, before they get industrialised and enventually are countered by a new defence. Magstripe fraud is still possible but it is becoming harder too hence the need for innovation in the criminal community. @Andreas They apply to emv based credit debit and cash cards. Im not sure exactly what you mean by EC electronic cash, but something like the older Proton scheme it may not apply to. @Janet We mainly focussed on ATMs for the work in this report. According to our empirical analysis, most ATMs do not perform SDA or DDA, whether the card supports them or not. So the card type SDA/DDA/CDA is irrelevant. @Steve, yes 1350 withdrawn within just a couple of minutes. It is surprising. @Jonathan. the purpose is to detect cloned cards? I thought the purpose was to prevent card cloning, not just to detect it. The gambin case is connected to our research because it was the case during which we discovered defficient RNGs. The Gambin case has a similar withdrawal pattern, and context (stolen card) to the Luckey case. And both these cases appear to be part of a wave of fraud taking place in Spanish coastal resorts. Mike 11. aff | September 13th, 2012 at 11:55 UTC @Mike: 1350 withdrawn from a single account within the hour can be explained by ATMs programmed to do offline verification (i.e. ask the chip) only of account balance and limits. Historically, the offline verification was designed in a time where phone calls were expensive (e.g. France
www.lightbluetouchpaper.org/2012/09/10/chip-and-skim-cloning-emv-cards-with-the-pre-play-attack/ 5/8

9/18/12

Light Blue Touchpaper Blog Archive Chip and Skim: cloning EMV cards with the pre-play attack

late 90-ies). This new chip clone technique takes advantage of that, meaning the transaction(s) will not be reported to the bank until certain thresholds are met. Disclamer: I work in the creditcard anti fraud industry. 12. Quintesse | September 13th, 2012 at 11:56 UTC @Steve: I can easily get 1000 from an ATM here in Spain and up to 3000 in purchases with a merchant. 13. NerishiQaMaster | September 13th, 2012 at 16:02 UTC Very interesting research, following on from similarly impressive work by UoC congratulations! Almost as interesting, if not more so, are those posts indicating scepticism, blind disbelief, pure latent ignorance or perhaps an undisclosed agenda? (As distinct from some very insightful comments and posts). Those of us who work in security will recognise a pattern here: flat denial that an issue exists, followed by anger at being publicly proved wrong and accusations that you, not the solution provider, are the problem for daring to research and disclose your findings. This is too often coupled with the Who cares? its not a real problem outlook. The NEXT stage were looking at fixing this only arrives when someone demonstrates what has been obvious to a thinking person from the outset: if its a feasible attack, then even if it requires undergraduate-level education, and the factor of malicious intent, thats still a very, very large number (5 figures?) of potential culprits in a globally-connected system. Perhaps the only saving grace here is that, as no rule is absolute, some of the card providers must be exceptions to the above nonsense. Just hope theyre YOUR provider. 14. Jonathan Rosenne | September 13th, 2012 at 16:30 UTC @Mike I did indeed mean detect. Prevention depends on detection. It is up to the issuing bank to act upon the detection, EMV does not tell them what to do when the ARQC fails verification. I do indeed expect them to decline the transaction and attempt to retain the card, but this is not always possible. Detection, even if post factum, is. 15. haha | September 13th, 2012 at 17:14 UTC ha ha you have just discovered this well done. they have known of this since 2009. thanks for once again making our findings public 16. David Harbige | September 14th, 2012 at 06:35 UTC
www.lightbluetouchpaper.org/2012/09/10/chip-and-skim-cloning-emv-cards-with-the-pre-play-attack/ 6/8

9/18/12

Light Blue Touchpaper Blog Archive Chip and Skim: cloning EMV cards with the pre-play attack

Its a shame that what appears to be valuable and legitimate research has (once again) been wrapped up in sensationalist, self-serving scare-mongering headlines. This isnt a flaw in EMV technology or security its a flaw in how some ATMs have been implemented, hence a flaw in the certification process. This isnt card cloning, any more than taking a picture of somebody is cloning a human this is making an imperfect faxsimille of a card that can be used in a very specific, very limited way to defraud the system. That said, I think the research itself is very interesting, and I agree with the (non-sensational) conclusions: there *is* an exploitable weakness in the system as a whole and therefore Issuers should do more to ensure they can detect the possibility of such an attack having occurred. 17. Louis B. | September 14th, 2012 at 21:25 UTC If only the issue was technical If, as the article mentions, Mr. Gambin hasnt been reimbursed by HSBC, it points to a misplaced responsibility. If theres no sweat by the bank, theres no incentive to fix their system. There are too few victims and the bank can stonewall them. On the other hand, if they were forced to compensate victims, you can be sure that they would clean up their act. For example, as Mr. Harbige suggests, by tightening up the certification of client terminals. 18. Milos | September 16th, 2012 at 20:27 UTC you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location. === Well I do not believe so the replayed ARQC carries in itself the actual original transaction date bank authorization host must catch this if submitted on a different date, also the most bank authorization hosts will catch duplicate ARQC submission and simply DECLINE the transaction. 19. Shaun | September 17th, 2012 at 04:29 UTC so 1350 Euros in five transactions. Was each transaction for 270 Euros? If not had Alex made a transaction for each of the amounts previously at similar ATMs?

Leave a Comment
Name Email Url Required Required, hidden

www.lightbluetouchpaper.org/2012/09/10/chip-and-skim-cloning-emv-cards-with-the-pre-play-attack/

7/8

9/18/12

Light Blue Touchpaper Blog Archive Chip and Skim: cloning EMV cards with the pre-play attack

Comment
Submit

Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> Subscribe to the comments via RSS Feed

Calendar
September 2012 M T W T F S S 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 Aug Log in

www.lightbluetouchpaper.org/2012/09/10/chip-and-skim-cloning-emv-cards-with-the-pre-play-attack/

8/8