BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Talks.cam//talks.cam.ac.uk//
X-WR-CALNAME:Talks.cam
BEGIN:VEVENT
SUMMARY:Chip and Skim: cloning EMV cards with the pre-play attack - Omar C
 houdary (Computer Laboratory)
DTSTART:20140509T150000Z
DTEND:20140509T153000Z
UID:TALK52504@talks.cam.ac.uk
CONTACT:Steven J. Murdoch
DESCRIPTION:EMV\, also known as “Chip and PIN”\, is the leading system
  for card payments worldwide. It is used throughout Europe and much of Asi
 a\, and is starting to be introduced in North America too. Payment cards c
 ontain a chip so they can execute an authentication protocol. This protoco
 l requires point-of-sale (POS) terminals or ATMs to generate a nonce\, cal
 led the unpredictable number\, for each transaction to ensure it is fresh.
  We have discovered two serious problems: a widespread implementation flaw
  and a deeper\, more difficult to fix flaw with the EMV protocol itself. T
 he first flaw is that some EMV implementers have merely used counters\, ti
 mestamps or home-grown algorithms to supply this nonce. This exposes them 
 to a “pre-play” attack which is indistinguishable from card cloning fr
 om the standpoint of the logs available to the card-issuing bank\, and can
  be carried out even if it is impossible to clone a card physically. Card 
 cloning is the very type of fraud that EMV was supposed to prevent. We des
 cribe how we detected the vulnerability\, a survey methodology we develope
 d to chart the scope of the weakness\, evidence from ATM and terminal expe
 riments in the field\, and our implementation of proof-of-concept attacks.
  We found flaws in widely-used ATMs from the largest manufacturers. We can
  now explain at least some of the increasing number of frauds in which vic
 tims are refused refunds by banks which claim that EMV cards cannot be clo
 ned and that a customer involved in a dispute must therefore be mistaken o
 r complicit. The second problem was exposed by the above work. Independent
  of the random number quality\, there is a protocol failure: the actual ra
 ndom number generated by the terminal can simply be replaced by one the at
 tacker used earlier when capturing an authentication code from the card. T
 his variant of the pre-play attack may be carried out by malware in an ATM
  or POS terminal\, or by a man-in-the-middle between the terminal and the 
 acquirer. We explore the design and implementation mistakes that enabled t
 hese flaws to evade detection until now: shortcomings of the EMV specifica
 tion\, of the EMV kernel certification process\, of implementation testing
 \, formal analysis\, and monitoring customer complaints. Finally we discus
 s countermeasures. More than a year after our initial responsible disclosu
 re of these flaws to the banks\, action has only been taken to mitigate th
 e first of them\, while we have seen a likely case of the second in the wi
 ld\, and the spread of ATM and POS malware is making it ever more of a thr
 eat.
LOCATION:Computer Laboratory\, William Gates Building\, Room FW11
END:VEVENT
END:VCALENDAR