The security of many cryptographic schemes, such as banking transactions, rely on the unpredictability of so-called challenges. When one can predict the challenge the verifying party will make, it becomes possible to compromise the security of this authentication step. Such an attack allows adversaries to impersonate someone and steal his funds in a recent attack on EMV – the major protocol used for chip transactions by banking cards.

A common method of authentication is requesting a signature on a random number. Due to the unpredictability and uniqueness of this number, the signature has to be fresh. Given that the signature cannot be forged, this means that the number has been signed by the owner of the signature. However, when the number is unique or predictable, a signature that has been put on a previous legitimate transaction may have been reused.

Repeating for Equal Results
Perhaps you had a secret handshake or password as a child. Whenever you showed knowledge of the code, you were allowed in the secret club. As one can see, the problem with this scheme is that if anyone observes you while you perform the secret action, he can repeat it – given that we are not concerned with acrobatics.

A replay attack is the exploitation of the repeatability of a security mechanism. If you need to show the bank a signed document authorising a transfer of 10 Euro to a certain bank account, the person possessing this document can simply show it again to perform the transaction once more. Luckily, banking cards are not susceptible to a replay attack.

Systematic Numbering as Grave Security Problem
Besides the replay attack, we have the pre-play attack. This attack abuses the predictability of badly implemented unique elements. In other words, when the security of an authentication mechanism relies on a random number that is not random in practice, we can forge transactions.

In a recent paper, Bond et al. (2012) show that the pre-play attack can be used to forge banking card transactions. They used a modified banking card reader to prepare transactions in which the predicted challenge was used. By harvesting signatures in this way, adversaries can prepare transactions which can be played in a later stage to steal funds. Unfortunately, a lot of banking devices implement EMV such that the pre-play attack is possible.

To illustrate, imagine you pay using your banking card in a shop. Although everything seems normal, the shop owner can request additional signatures from your banking card on numbers he predicts to be used by ATMs. By using these signed numbers, the shop owner can play a prepared transaction on an ATM in a later stage, thereby stealing your money.

Random: Hard, but Important
Implementing real randomness in computing systems is surprisingly difficult. This is due to the fact that computers think logically, while we want those numbers to be unpredictable. Nevertheless, for secure applications, it is of great importance that an unpredictable value really is unique and fresh. As we can see from the attack on EMV, failing to do so in ATMs can lead to real losses.

One Response to Predicting Chip and PIN Transactions

  1. […] the previous explained replay attack (28 September 2012) is possible. When you send such a request per mail to a certain vendor, he could forge a new letter […]

Leave a Reply

Your email address will not be published. Required fields are marked *