Software to crack the encryption used by credit card chip-and-PIN readers has been publicly released on the web.
Cambridge University research student Omar Choudary open-sourced and published the code on Wednesday, along with technical details of hardware used in the Smart Card Detective, a device he built and used to modify a transaction between a credit card and a reader.
"The device can modify communications between a credit card and a terminal," Choudary told ZDNet UK. "It looks at the commands between the terminal and the card, sees the PIN requested and replaces the PIN."
Using the Smart Card Detective, Choudary said he was able to carry out a card transaction without a valid PIN. Instead, he successfully modified the EMV — Europay, MasterCard, Visa — protocol that underlies chip-and-PIN validation.
Choudary built the device to provide a practical demonstration of Cambridge University research, including a crack of chip and PIN published in February. While the earlier researchers constructed a device to demonstrate their method, they did not publish the software they used or details of circuit boards.
"I would like this as an open framework for research to investigate how the protocol works, and to secure what's remaining," said Choudary.
As the hardware plans and software are now available publicly, they could be used by criminals to commit card fraud. Choudary responded to a question about this risk by saying that full disclosure of the details was necessary to get banks to tighten up the security of chip and PIN.
"We told banks about this nine months ago — there's no point in hiding it," he said. "The banks already know about the device, and the idea is that this gets fixed."
Choudary said that he had successfully tested the device in an HMV store in Cambridge. "At the beginning, that shop was not aware [that the transaction was invalid]," he said. "They didn't detect anything."
HMV only became aware of the faked transaction when Choudary alerted it to the test, he added.
The UK Payments Association, which represents the interests of payment cards companies, said that an attack using the device would be unlikely to be carried out by anyone other than researchers.
"Such a public disclosure [of hardware and software]... does help to increase the criminals' knowledge base, so is not ideal. But we still believe that it is unlikely that criminals will be motivated to undertake an attack such as this," said the association's spokesman Mark Bowerman.
Criminals need to get hold of a physical card to perpetrate the attack, Bowerman noted. Once they have one, they would be more likely to use it for fraud where a physical card is not needed, such as online fraud, rather than use a device to fool a card reader, he said.
"Essentially this is a difficult and complex fraud to carry off, and we have seen no evidence of criminals attempting it in the real world," he said. "It is a complex fraud, it doesn't work if the victim has reported their card lost or stolen, [and] it is technically possible for card issuers to detect such an attack in the live environment."
Talkback
"it is technically possible for card issuers to detect such an attack" when translated means "not very bloody likely though"
And nine months with, as far as one can tell from this story, any positive action from the banks?
I don't think going public with the code is the right way to make this more secure, but I can appreciate why frustration can lead people to take such drastic action.
This post has been removed by a moderator.
Agreed aye.
"I don't think going public with the code is the right way to make this more secure, ..."
Absolutely it is. This is the only way that previous vulnerabilities got fixed. If the banks and EMV seriously want researchers to stop making attacks public, then they need have a more constructive attitude toward fixing security problems rather than denying and obfuscating about them.