Chip and PIN card vulnerabilities

May 21, 2014

While chip credit cards are quite widespread in Europe, the U.S. relied on older magnetic stripe cards until recently. Hacks of POS machines and the subsequent credit card fraud have, however, urged several U.S. institutions to switch to chip-and-PIN (EMV) cards, claiming them to be invulnerable to similar attacks. But a team of five researchers from Cambridge University had already discovered in 2010 that thieves can use stolen EMV cards without knowing the correct PIN. They have now published a paper on two other major vulnerabilities of chip-and-PIN cards.
Both exploit flaws in the protocol that authenticates the card by means of the Authorization Request Cryptogram (ARQC). The first allows legitimate cards to be cloned by using ARQCs pre-computed on the basis of the weak random number generators in many POS machines; the second goes much deeper. It makes the protocol vulnerable to man-in-the-middle attacks when the issuing bank relies on the authentication performed by the POS machine, which allows the attacker to supply the bank with pre-computed ARQCs. The researchers believe that these techniques are already being used by card fraudsters, as happened before with their no-PIN vulnerability.
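
The weak random number generators mentioned above can be spotted from the issuer or acquirer side. The following added example (not from the original post or the researchers' paper) scans transaction records for terminals whose per-transaction nonce, which EMV calls the Unpredictable Number, repeats, counts upward, or keeps most of its 32 bits fixed. The log layout, thresholds and sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

MIN_SAMPLES = 4      # assumption: fewer samples say nothing about randomness
MAX_STEP = 16        # assumption: steps this small between nonces look like a counter
MIN_FIXED_BITS = 12  # assumption: this many never-changing bits (of 32) is suspicious

# Constructed sample data: (terminal id, Unpredictable Number as hex), in time order.
SAMPLE_LOG = (
    [("ATM-A", f"{0x0000a1f3 + i:08x}") for i in range(8)]            # plain counter
    + [("POS-B", v) for v in ("7c3e91d2", "03c16e2d", "9a4417b8",
                              "e15f02c6", "2b90d47a", "56ab3c01")]    # looks random
    + [("POS-C", v) for v in ("5a5a0001", "c3e80f17", "5a5a0001",
                              "1d07b3ee", "e2f84c11")]                # one repeat
)

def analyse_terminal(nonces):
    """Return a list of weakness labels for one terminal's nonce sequence."""
    if len(nonces) < MIN_SAMPLES:
        return []
    findings = []
    if len(set(nonces)) < len(nonces):
        findings.append("repeated-nonce")
    # Differences between consecutive nonces, modulo 2^32 to survive wrap-around.
    deltas = [(b - a) & 0xFFFFFFFF for a, b in zip(nonces, nonces[1:])]
    if all(0 < d <= MAX_STEP for d in deltas):
        findings.append("counter-like")
    # OR together every bit that ever differed between neighbouring samples.
    changed = 0
    for a, b in zip(nonces, nonces[1:]):
        changed |= a ^ b
    fixed_bits = 32 - bin(changed).count("1")
    if fixed_bits >= MIN_FIXED_BITS:
        findings.append(f"fixed-bits:{fixed_bits}")
    return findings

def flag_weak_terminals(log):
    """Group records by terminal and report only terminals with findings."""
    by_terminal = defaultdict(list)
    for terminal, un_hex in log:
        by_terminal[terminal].append(int(un_hex, 16))
    report = {}
    for terminal, nonces in by_terminal.items():
        findings = analyse_terminal(nonces)
        if findings:
            report[terminal] = findings
    return report

if __name__ == "__main__":
    for terminal, findings in flag_weak_terminals(SAMPLE_LOG).items():
        print(terminal, findings)
```

A terminal flagged here produces nonces that can be anticipated, which is the condition the pre-computed ARQC cloning described above depends on.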

