Many automated teller machines (ATMs) and point-of-sale (POS) terminals fail to properly generate random numbers that are required by the EMV protocol to securely authenticate transaction requests, according to a team of researchers from the University of Cambridge in the U.K.
I am selling EMV software reader writer. Escrow Balance: 0$ #1. Hello Carders. I have the following products: X2 Software reader writer No ARQC generator (you have to generate ARQC for DDA Bins (dynamic bins) or you can use it without ARQC for the Sda bins (Static Bins) - Works Word Wide. New EMV Software 2016 ICQ: 652228289 - Write cards with ARQC or Unique ARQC - Wrtie cards with County, Currency code - Wrtie Discretion Data - Write Track 1 Discreton Data - Change Data: Pref Name, Effective Data and Expiration Data This software comes with a license key. If someone tries to sell without a license then it will not work.
The use of defective random number generation algorithms make those payment devices vulnerable to so-called 'pre-play' attacks that allow criminals to send fraudulent transaction requests from rogue chip-enabled credit cards, the researchers said in a paper released Tuesday.
The EMV (Europay, MasterCard and Visa) standard requires the use of payment cards with integrated circuits that are capable of performing specific cryptographic functions. These cards are commonly known as chip-and-PIN cards, EMV cards or IC (integrated circuit) cards.
EMV-compliant devices need to generate so-called 'unpredictable numbers' (UNs) for every transaction request in order for the card issuers to verify the 'freshness' of these requests.
Older versions of the EMV specification didn't provide clear instructions for how these random numbers should be generated and only required that payment devices generate four different consecutive UNs to be compliant.
'So, if you're a programmer, you can implement this as a counter,' said Ross Anderson, professor of security engineering at Cambridge University and one of the paper's authors. 'We found ATMs and PoS terminals where this is what they [the manufacturers] seem to have done.'
The researchers analyzed UNs generated for over 1,000 transactions by 22 different ATMs and 5 PoS terminals in the U.K. and searched for patterns that would suggest the use of weak random number generation algorithms by those devices. They also reverse engineered ATMs acquired from eBay to inspect their UN generation algorithms.
When a payment device wants to initiate a transaction it sends the transaction details -- the amount, the currency, the date of the transaction, etc. -- to the EMV card inserted in its card reader together with a UN generated on the fly.
The card uses a secret encryption key that is securely stored on its chip to compute an authorization request cryptogram (ARQC) from the transaction data and the UN. The payment device then sends this cryptogram together with the encrypted PIN and the UN in plain-text form to the card issuing bank for verification.
The bank decrypts the ARQC and validates the information inside. It also compares the UN found inside the cryptogram with the plain-text one and if they match, it treats the transaction as fresh and authorizes it.
The payment device could end up generating predictable numbers instead of random ones due to a bad design, Anderson said.
It is better for the bank to generate the UN and send it to the card, he said. Then the card would use the unpredictable number and the transaction details to compute an ARQC, which would be sent back to the bank for verification.
If attackers can predict what UN a particular model of ATMs or payment terminals will generate at a future point in time, they can force genuine cards to compute ARQCs for transactions with a future date and then use those ARQCs with rogue chip cards.
In one scenario, for example, a customer goes into a coffee shop that happens to be controlled by a criminal gang and which uses payment terminals with maliciously modified firmware.
The customer would then insert his payment card into one of the rogue terminals in order to pay for his coffee. When this happens, the terminal would record the customer's payment card information and PIN and, in addition to initiating the legitimate payment, would force the card to generate an ARQC for a transaction with a future date and a specific UN.
In this case, the UN would be a number the attackers know that a particular ATM model will generate at a future point in time. After receiving the ARQC from the card, the rogue terminal wouldn't submit it to the card issuer for verification and wouldn't display anything on the screen.
A criminal would then be able to create a rogue card with information matching the customer's genuine card and program it with the pre-recorded ARQC. That card could later be used to withdraw an amount of money specified in the pre-generated ARQC when the time is right and the target ATM generates the predictable UN.
Pulling off this type of attack at a PoS terminal in the U.K. for example would not even require the correct PIN, Anderson said. PoS terminals don't send PINs to card issuers and validate them offline instead, by comparing them to values stored on the cards themselves. Since an attacker is using a rogue card they can program whatever PIN value they want on it and just type that at the PoS terminal, Anderson said.
What appears in the issuing bank's records as a result of a pre-play attack is no different from what would appear as a result of traditional card cloning attacks, a type of attack that the banking industry has repeatedly claimed cannot happen with EMV, Anderson said.
Fixing the UN generation algorithms would not prevent all pre-play attack scenarios, the researchers said in their paper. As long as the UNs are generated by the payment devices and not the card issuers, other attack methods are possible, as malware running on an ATM could sabotage the UN choice, the researchers said.
This research shows that when a customer disputes a transaction, the transaction logs from the acquiring bank and the merchant need to be taken into consideration in addition to the logs of the card issuing bank, Anderson said.
'We take anything of this nature extremely serious, but what we would say is that there is absolutely no evidence that this type of fraud is happening in the real world,' said Mark Bowerman a spokesman for the UK Cards Association. 'Part of the reason for that is that this is a very complicated and technically difficult attack to achieve.'
Anderson disputes that. 'We present the evidence in the paper,' he said. 'We gave them advance responsible disclosure of this. We discussed it with bank officials in February, so the industry has known about this and some insiders have admitted that they knew it was a problem.'
In their paper, the Cambridge researchers said that they started researching possible issues with EMV unpredictable numbers after looking into the case of an HSBC Bank customer from Malta who was declined reimbursement for what the customer claimed were fraudulent transactions performed at an ATM in Palma de Mallorca, Spain in June 2011. In that case the transaction logs obtained from the bank revealed that UNs associated with the disputed transactions were predictable.
'Since we became aware of the contents of this paper, the industry has undertaken steps to ensure that this type of attack can't happen,' Bowerman said. 'In the unlikely event that it were to happen, and there's been no evidence to date that an attack of this nature has happened, anybody who's been an innocent victim of this fraud would get their money back from their bank.'
When the card is generating arqc algorithm, does card number play any role ? In other words: having 2 brand new cards with ATC set to 0 and having the same CDOL, will they generate the same arqc ?
Card number and ATC are involved in session key generation. So every card will generate a different cryptogram.
Since I am not sure whether you are referring to the same card number (Assuming you were able to clone a card :) Still the cryptogram generated will be different for your first try for your both cards . If you look for CDOL, you can see an element unpredictable number( which is generated by terminal ). This is a 4 byte numeric field and chance of getting this generated same twice is very rare. Even in case where unpredictable number is same, still you need all other elements in CDOL same (amount, currency, country date atc etc) to get the same cryptogram. To block even this rare possibility issuers maintain the last used ATC for each card that it will not accept any ATC same or less. Hope it is clear.