Chip Authentication Programme (CAP) vulnerabilities

by Saar Drimer, Steven J. Murdoch and Ross Anderson

Executive summary

The Chip Authentication Programme (CAP) has been introduced by banks to deal with the soaring losses due to online banking fraud. Our analysis shows that while CAP readers are an improvement over static passwords, they have been optimised so aggressively for cost and convenience that they open new avenues of attack. The move from signature to PIN for authorising point-of-sale transactions shifted liability from banks to customers, where the Banking Code is ineffective; CAP introduces the same problem for online banking, where there is no statutory protection for cardholders. This is a security engineering and regulatory failure that allows banks to deploy cheap devices while reducing customer protection.

Background

The full results of our study are reported in “Optimised to fail: card readers for online banking” published at Financial Cryptography, February 2009.

Questions and answers

What problem does CAP address?

Losses in the UK from online banking fraud were £21.4m in the period of January to June 2008, an increase of 185% compared to the same period of the previous year. The most common form of attack is “phishing”, where criminals send emails impersonating banks, asking customers to click on a link under some false pretence; if they do, a malicious copy of their bank's website asks for their user name and password, so the attackers can log in to the victim's bank account. Another common attack involves malicious software that is covertly installed on the victim's PC to steal login details.

How do CAP readers work?

Inserting a Chip & PIN card into a CAP reader and entering the PIN makes the reader display a one-time code, which is typed into an online banking site to prove to the bank that the person logging in holds the card and knows its PIN. For some online operations banks also ask the customer to enter a random number (a challenge), an account number, or an amount; these values are incorporated into the calculation of the one-time code, so that the code is tied to that particular operation.

What are the possible attacks?

One attack is on how Barclays uses CAP. With a fake or tampered Chip and PIN terminal presented to the victim during a purchase, a criminal can record login codes and new-payee-setup codes for accounts he owns, because the card cannot tell whether the device driving it is a genuine CAP reader or a rigged point-of-sale terminal. He also needs the user name or number for the online account; this could be obtained in several ways, such as phoning the victim while pretending to be from the bank, or tricking him into installing malware on his PC. With the codes and credentials, the criminal can then transfer money from the victim's account to his own.
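To make the two questions above concrete, here is a toy model of how a CAP one-time code is derived and why a rigged terminal can harvest valid ones. This is an added example, not code from the paper, from a bank, or from any CAP reader: an HMAC stands in for the EMV card cryptogram, a fixed slice of the counter and MAC stands in for the issuer's bitmap, and the card number, key, PIN and account numbers are all made up.

```python
"""Simplified model of CAP one-time codes and of a rigged terminal harvesting them.

Constructed example: an HMAC stands in for the EMV cryptogram and the display
digits are a fixed slice of the ATC and cryptogram rather than the issuer bitmap
a real CAP reader applies.  Card number, key, PIN and accounts are made up.
"""
import hashlib
import hmac

ATC_WINDOW = 100  # how far ahead of the last accepted counter the issuer will look


def display_digits(atc, cryptogram):
    """Digits a CAP reader shows: 4 digits of counter + 4 digits from the cryptogram
    (assumption: a real reader selects bits via the issuer proprietary bitmap)."""
    return "%04d%04d" % (atc, int.from_bytes(cryptogram[:4], "big") % 10000)


def cryptogram(key, atc, challenge, account, amount):
    """Card-side MAC over the counter and whatever transaction data was supplied."""
    data = atc.to_bytes(2, "big") + ("%s|%s|%s" % (challenge, account, amount)).encode()
    return hmac.new(key, data, hashlib.sha256).digest()


class CardChip:
    """The chip on a Chip & PIN card: a key shared with the issuer, a PIN, an ATC."""

    def __init__(self, pan, key, pin):
        self.pan, self.key, self.pin = pan, key, pin
        self.atc = 0  # application transaction counter

    def generate_code(self, pin, challenge="", account="", amount=""):
        """Run the CAP transaction.  The card cannot tell whether the device
        issuing these commands is a genuine CAP reader or a rigged terminal."""
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            return None  # wrong PIN: card refuses, counter does not move
        self.atc += 1
        return display_digits(self.atc, cryptogram(self.key, self.atc, challenge, account, amount))


class Issuer:
    """The bank: knows each card's key and the last counter value it accepted."""

    def __init__(self):
        self.cards = {}  # pan -> {"key": bytes, "last_atc": int}

    def register(self, chip):
        self.cards[chip.pan] = {"key": chip.key, "last_atc": 0}

    def verify(self, pan, code, challenge="", account="", amount=""):
        """Accept a code once: recompute it for the counter it names, require the
        counter to move forward (replay protection) and stay inside the window."""
        rec = self.cards[pan]
        atc = int(code[:4])
        if not rec["last_atc"] < atc <= rec["last_atc"] + ATC_WINDOW:
            return False
        expected = display_digits(atc, cryptogram(rec["key"], atc, challenge, account, amount))
        if not hmac.compare_digest(expected, code):
            return False
        rec["last_atc"] = atc
        return True


def rigged_terminal(chip, pin_typed, criminal_account):
    """A tampered point-of-sale terminal.  The victim inserted the card and typed
    the PIN to pay for goods; the terminal silently runs the same commands a CAP
    reader would, in 'identify' and 'sign' mode, and keeps the codes."""
    login_code = chip.generate_code(pin_typed)
    new_payee_code = chip.generate_code(pin_typed, account=criminal_account)
    return login_code, new_payee_code


def demo():
    """Legitimate use, a replay, and the tampered-terminal harvest, end to end."""
    chip = CardChip(pan="4000000000000001", key=b"\x2a" * 16, pin="1234")  # made up
    bank = Issuer()
    bank.register(chip)
    results = {}
    results["wrong_pin"] = chip.generate_code("0000")             # None: card refuses
    code = chip.generate_code("1234")                              # customer's own reader
    results["legit"] = bank.verify(chip.pan, code)                 # True
    results["replay"] = bank.verify(chip.pan, code)                # False: counter reused
    login, payee = rigged_terminal(chip, "1234", "12345678")       # PIN typed at the shop
    results["stolen_login"] = bank.verify(chip.pan, login)         # True: indistinguishable
    results["stolen_payee"] = bank.verify(chip.pan, payee, account="12345678")  # True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The model shows where the weakness lies: the card's response depends only on its key, its counter, the PIN and whatever data the device feeds it, and nothing in the resulting digits tells the bank which device asked for them. Replay protection from the counter does not help, since the harvested codes are fresh. The only defences are in what data the bank insists is signed (a payee account, an amount, a challenge) and whether the device lets the customer see that data before entering the PIN; a rigged terminal shows the customer a purchase price while asking the card to sign the criminal's account number.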

What are the implications of a software version of CAP?

CAP was intended to offer a trustworthy user device to defeat the malware that infests ever more PCs. However, it is inconvenient for users, and prevents integration between home/office banking software and online accounts. There is therefore demand for a software implementation of CAP, which communicates with a smart card connected to a PC. Since CAP readers contain no secret, it is easy to create an equivalent software version. This will lead to malware-infected PCs having unfettered access to smart cards and PINs, not only opening up online banking fraud, but also allowing cloned ATM magnetic strip cards to be made and relay attacks to be implemented.

Isn't CAP an improvement?

Yes, and no. In many respects, CAP is an improvement over the existing static password scheme. However, it may not be beneficial to customers because while banks are liable for fraud due to forged signatures, there is no statutory protection for the victims of electronic fraud. UK banks have also recently changed the voluntary code of practice – the Banking Code – to make customers liable for fraud if they do not have up-to-date anti-virus and firewall software. Having deployed a new security system, even with weaknesses, the banks have further reduced customer protection.

Aren't cardholders protected by the Banking Code?

Not always. While the Banking Code does state that the bank must show that the customer is liable, it does not say what evidence the bank must record, what evidence is sufficient to prove liability, or to whom the proof must be presented. In practice, where the case is heard by the Financial Ombudsman Service, the bank merely has to claim that a chip was read and a PIN was used, and the evidence used to reach this conclusion is kept secret from the customer. We may expect a similar position to be taken when PINs are used for online banking.

Aren't you helping criminals?

Security systems improve as vulnerabilities are disclosed to the people who can fix them. We privately informed the affected organisations of our findings more than three months before public disclosure.

Media coverage