Upgraded Dutch Payment Card Still Vulnerable to Relay Attack
New security features being implemented into Dutch payment cards won't stop a kind of attack that fraudsters could use in the future in order to steal money from bank accounts, according to researchers at the University of Cambridge in the U.K.
Steven J. Murdoch and Saar Drimer of Cambridge's Computer Group demonstrated on the Dutch television show "Goudzoekers" on Wednesday that a payment card with new security features is still vulnerable to a so-called relay attack.
A relay attack is a way in which fraudsters use wireless technology to obtain the bank card details and PIN (Personal Identification Number) for chip-and-PIN payment cards used throughout Europe. Chip-and-PIN cards required a person to enter a four-digit PIN at point-of-sale devices or cash machines, with the PIN authenticated by a microchip embedded in the card.
In the relay attack, the victim's card details are recorded through a tampered payment terminal. The PIN number is observed by a fraudster and then communicated to an accomplice performing a simultaneous transaction somewhere else. The accomplice has a fake, wireless-enabled payment card that uses the victim's bank details received from the tampered payment terminal to make a fraudulent transaction.
The relay attack was demonstrated by Drimer and Murdoch in 2007, but is not believed to be actively used by criminals since there are easier ways now to compromise payment cards, Murdoch said.
Banks in both the U.K. and the Netherlands have plans to upgrade payments cards with new security features to thwart different kinds of attacks. Murdoch and Drimer tested a card issued by one Dutch bank that has three new features.
One is dynamic data authentication, which allows a card to be verified as genuine without needing to connect back to the bank's systems. That prevents a so-called "yes" attack, where any PIN will be accepted for a transaction. Another feature ensures that the customer's PIN is encrypted during communication between a payment terminal and the card, preventing interception of a plain-text PIN.
The last new feature is called iCVV. Chip-and-PIN cards previously contained a copy of the magnetic stripe information, which contains account details within the card's microchip. With iCVV, the complete magnetic stripe information is no longer stored within the chip, Murdoch said.
None of the three features stopped a relay attack, as demonstrated on the show, Murdoch said. However, none of them was designed specifically to stop a relay attack, he said. The producers of "Goudzoekers" wanted to see if the new cards were still vulnerable to the relay attack, Murdoch said. The show only paid for his and Drimer's flights to the Netherlands to do the experiment, Murdoch said.
Murdoch, who has done extensive research into the security of chip-and-PIN cards, said he and Drimer didn't think the new features would prevent a relay attack. However, they accepted the show's commission in order to get "more experience in other country's systems," he said.
The Dutch Banking Association dismissed the latest experiment, saying in a statement that the relay attack is almost three years old and is too cumbersome and complex to be implemented on a wide scale.
Murdoch admits that relay attacks are difficult to pull off. But as other, easier avenues of attack are closed off due to stronger security features in the cards, it's likely that criminals "may start looking into this," he said.
The banking association argues that "criminals are too stupid and lazy," Murdoch said. "Criminals are lazy, but they're not stupid."