University of Cambridge researchers have found that many automated teller machines (ATMs) and point of sale (POS) terminals do not properly generate random numbers, as required by the Eurocard, MasterCard, and Visa (EMV) protocol, to securely authenticate transaction requests.
The researchers say defective random number generation algorithms can leave payment devices susceptible to pre-play attacks, which allow criminals to send fraudulent transaction requests from rogue chip-enabled credit cards.
The EMV protocol requires that payment cards with integrated circuits must be capable of performing certain cryptographic functions, and EMV-compliant devices need to generate unpredictable numbers (UNs) for every transaction request. The researchers analyzed UNs generated for more than 1,000 transactions by 22 ATMs and five POS terminals in the United Kingdom and searched for patterns that suggest the use of weak random number generation algorithms by those devices. The card uses a secret encryption key that is securely stored on its chip to compute an authorization request cryptogram (ARQC) from the transaction data and the UN. The researchers say that if attackers can predict what UN a particular ATM or payment terminal model will generate, they can force payment cards to compute ARQCs for transactions with a future date and then use those ARQCs with rogue chip cards.
From IDG News Service
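The kind of pattern search described above can be run by a terminal operator over their own logs. The following is an added example, not code from the researchers or the article; the 32-bit UN width, the thresholds, and both sample sequences are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter

UN_BITS = 32  # assumption: each UN is logged as a 32-bit integer (4-byte EMV field)

def audit_uns(uns):
    """Score a terminal's UNs, given in the order they were issued."""
    if len(uns) < 16:
        raise ValueError("sample too small to judge")
    pairs = list(zip(uns, uns[1:]))
    # Any repeat is a red flag: collisions are improbable at this sample size.
    repeats = len(uns) - len(set(uns))
    # Bits that never flip shrink the space an observer has to guess from.
    flipped = 0
    for a, b in pairs:
        flipped |= a ^ b
    fixed_bits = UN_BITS - bin(flipped).count("1")
    # A dominant step between consecutive values indicates a counter or clock.
    deltas = Counter((b - a) % (1 << UN_BITS) for a, b in pairs)
    stride, hits = deltas.most_common(1)[0]
    stride_share = hits / len(pairs)
    weak = repeats > 0 or fixed_bits > 0 or stride_share >= 0.5
    return {"repeats": repeats, "fixed_bits": fixed_bits, "stride": stride,
            "stride_share": stride_share, "weak": weak}

# Constructed samples, not measurements from any real device.
COUNTER_LIKE = [0x5A3C0000 + 7 * i for i in range(64)]
HASH_DERIVED = [int.from_bytes(hashlib.sha256(bytes([i])).digest()[:4], "big")
                for i in range(64)]

if __name__ == "__main__":
    for name, sample in (("counter-like", COUNTER_LIKE), ("hash-derived", HASH_DERIVED)):
        print(name, audit_uns(sample))
```

A clean result here only rules out the crudest generators; it does not show that a terminal's UNs are unpredictable.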