Tuesday, 6 February 2007
Saar Drimer and Steven J. Murdoch, researchers at the Computer Laboratory, University of Cambridge have shown that the Chip & PIN system used for card payments in the UK is vulnerable to a new kind of fraud. By “relaying” information from a genuine card, a Chip & PIN terminal, in another shop, can be made to accept a counterfeit card.
A fraudster sets up a fake terminal in a busy shop or restaurant. When a genuine customer inserts their card into this terminal, the fraudster's accomplice, in another shop, inserts their counterfeit card into the merchant's terminal. The fake terminal reads details from the genuine card, and relays them to the counterfeit card, so that it will be accepted. The PIN is recorded by the fake terminal and sent to the accomplice for them to enter, and they can then walk off with the goods. To the victim, everything was normal, but when their statement arrives, they will find that they have been defrauded.
From the banks' perspective, there will be nothing unusual about this transaction. To them, it will seem as if the real card was used, with a chip and along with the correct PIN. Banks have previously claimed that if a fraudulent Chip & PIN transaction was placed, then the customer must have been negligent in protecting their card and PIN, and so must be liable. This work shows that despite customers taking all due care in using their card, they can still be the victim of fraud.
This attack has long been thought to be too difficult and expensive to implement, but Drimer and Murdoch have shown that it can be accomplished for less than £250, and approximately a month's development work. Murdoch notes, “We have successfully demonstrated our attack between two shops on the same street over a wireless connection, but our measurements indicate that it would work equally well, via mobile phone, to the other side of the world.”
It is unlikely that criminals are currently using techniques such as this, as there are less sophisticated attacks which Chip & PIN remains vulnerable to. However, as security is improved, the relay attack may become a significant source of fraud. Therefore, it is important that defences against this attack are deployed sooner rather than later.
In an upcoming academic paper, Drimer and Murdoch have presented a low-cost technique for detecting and preventing relay attacks. This could deployed in future versions of Chip & PIN with minor changes to the existing system. The paper also proposes that, in the meantime, merchants confirm that the number on the card presented matches the one printed onto their receipt. While not providing full protection against relay attacks, this simple measure would raise the bar for fraudsters.
The attack will be featured on Watchdog, including a demonstration of it being deployed in practice on BBC One, 7pm, Tuesday, 6 February 2007.