Cambridge University – Not The Full Picture

February 17th, 2010

Steven J. Murdoch, Saar Drimer, Ross Anderson, and Mike Bond, computer scientists at Cambridge University recently published a paper entitled¬†Chip and PIN is Broken, detailing an attack where a stolen chip and PIN card can be successfully used to perform a transaction. The attack involves inserting a “man in the middle” process, lets call it a “wedge”, that fools the card into thinking that the terminal does not support offline PIN and the terminal into thinking the card verified the bogus PIN entered. The paper detailing the attack can be found at:¬†Chip and PIN is Broken

While I agree that the attack is possible, I disagree with the ipso facto conclusion that EMV is broken.

Firstly this attack only applies to offline PIN, not online PIN – a minor point and certainly not a defence, but a point I think worth making as it is not clear from the paper. Yes the attack described can be executed for offline PIN, but we can detect it and then take appropriate action. Here is how-:

The terminal capabilities field (tag 9F33) from the terminal will indicate that the terminal is capable of supporting offline PIN. This attack will not change this field.

The terminal will read the CVM list from the stolen card and see that the card requires offline PIN if the terminal supports it. So the terminal will then prompt the cardholder for PIN. The fraudster will enter any bogus PIN, and the terminal will send the PIN to the card which will be intercepted by the man-in-the middle wedge, which will simply respond to the terminal with a PIN verified response. The real card will never receive the PIN verification request. The next thing the real card will see is the request from the terminal asking to go online for authorisation. I agree that there will be nothing set in the TVR to indicate that anything failed with the PIN.

The card will set the CVR to indicate offline PIN verification was not performed, and because the CVR is included in the ARQC, the attack cannot change this (which is confirmed in the Cambridge University paper).

So we have a conflict – the CVR which is sent to the issuer in the Issuer Application Data (IAD) says no offline PIN occurred, the terminal capabilities field says offline PIN supported by the terminal and the TVR has nothing flagged to indicate PIN bypass or PIN PAD not working. If a card is set up to always require offline PIN to be entered (even if bypass is allowed), and if the terminal supports offline PIN, then this combination of TVR, CVR and terminal capabilities is not valid under EMV. I agree with the Cambidge University paper this will not be detected at the terminal, but it could be detected at the issuer host because terminal capabilities and IAD must be sent to the issuer in field 55. If this is an online transaction, then the issuer can decline. If the attack occurs for an offline transaction, then the issuer will detect it after the fact, but can then still take action to stop the card for any subsequent transactions.

While I would agree that today most issuer hosts are not set up to detect this type of attack, it could be done. And thanks to the work of Steven J. Murdoch, Saar Drimer, Ross Anderson, and Mike Bond, banks are at least aware that they may need to stop these sort of attacks, even if they are for the purpose of seeking publicity, rather than for financial gain.

If you would like to provide feedback on this, or any previous blogs, you are welcome to email us at blog@cotignac.co.nz