September 12, 2012, 1:29 AM — Many automated teller machines (ATMs) and point-of-sale (POS) terminals fail to properly generate random numbers that are required by the EMV protocol to securely authenticate transaction requests, according to a team of researchers from the University of Cambridge in the U.K.
The use of defective random number generation algorithms make those payment devices vulnerable to so-called "pre-play" attacks that allow criminals to send fraudulent transaction requests from rogue chip-enabled credit cards, the researchers said in a paper released Tuesday.
The EMV (Europay, MasterCard and Visa) standard requires the use of payment cards with integrated circuits that are capable of performing specific cryptographic functions. These cards are commonly known as chip-and-PIN cards, EMV cards or IC (integrated circuit) cards.
EMV-compliant devices need to generate so-called "unpredictable numbers" (UNs) for every transaction request in order for the card issuers to verify the "freshness" of these requests.
Older versions of the EMV specification didn't provide clear instructions for how these random numbers should be generated and only required that payment devices generate four different consecutive UNs to be compliant.
"So, if you're a programmer, you can implement this as a counter," said Ross Anderson, professor of security engineering at Cambridge University and one of the paper's authors. "We found ATMs and PoS terminals where this is what they [the manufacturers] seem to have done."
The researchers analyzed UNs generated for over 1,000 transactions by 22 different ATMs and 5 PoS terminals in the U.K. and searched for patterns that would suggest the use of weak random number generation algorithms by those devices. They also reverse engineered ATMs acquired from eBay to inspect their UN generation algorithms.
When a payment device wants to initiate a transaction it sends the transaction details -- the amount, the currency, the date of the transaction, etc. -- to the EMV card inserted in its card reader together with a UN generated on the fly.
The card uses a secret encryption key that is securely stored on its chip to compute an authorization request cryptogram (ARQC) from the transaction data and the UN. The payment device then sends this cryptogram together with the encrypted PIN and the UN in plain-text form to the card issuing bank for verification.
The bank decrypts the ARQC and validates the information inside. It also compares the UN found inside the cryptogram with the plain-text one and if they match, it treats the transaction as fresh and authorizes it.
The payment device could end up generating predictable numbers instead of random ones due to a bad design, Anderson said.