While we tend to focus on physical attacks that capture cardholder data, there are other attacks on card transactions where physical access and tampering are essential. Some very interesting research was presented at the recent IEEE Symposium on Security and Privacy to reinforce this point.

The research, titled Chip and Skim: Cloning EMV Cards with the Pre-Play Attack, was conducted by Mike Bond, Omar Choudary, Steven J. Murdoch, Sergei Skorobogatov, and Ross Anderson, all from the University of Cambridge, UK.

The net of the research is that weaknesses in random number generation implementations for EMV transactions can be exploited to perform fraudulent transactions. The researchers state:

“A 'pre-play' attack – authentication data are collected at one moment in time, and played to one or more possible verifying parties at some later time that is already determined when the data are harvested. The practical implementation is that a tampered terminal in a store collects card details and ARQCs as well as the PIN from a victim for use later that day, or the following day, at ATMs of a given type.”

They continue:

“The main takeaway message is that an attacker who can subvert a merchant’s premises, get access to his terminal equipment (even before it is purchased), or get control of his network connection, can do transactions that are indistinguishable from card cloning to the bank that issued the EMV card.”

We highly recommend you read the full paper for all the details. While you may dismiss the practicality of the attack, as you’ve seen through many of our past blogs and news items, criminals are always looking at way to exploit existing systems to obtain cardholder data and commit fraud. Poor physical control can make these attacks easier. Fortunately, there is a good solution to help mitigate risks of physical tampering.