Chip and skim: Cloning EMV cards with the pre-play attack

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2014, Pages 49-64

  Bond, Mike ^a   Choudary, Omar ^a   Murdoch, Steven J ^a   Skorobogatov, Sergei ^a   Anderson, Ross ^a  

^a UNIVERSITY OF CAMBRIDGE   (United Kingdom)

Author keywords

[No Author keywords available]

Indexed keywords

AUTHENTICATION; CLONE CELLS; CLONING; ELECTRONIC COMMERCE; INTERNET PROTOCOLS; MALWARE; RANDOM NUMBER GENERATION;

AUTHENTICATION CODES; AUTHENTICATION PROTOCOLS; CERTIFICATION PROCESS; CUSTOMER COMPLAINTS; DESIGN AND IMPLEMENTATIONS; IMPLEMENTATION TESTING; MAN IN THE MIDDLE; SURVEY METHODOLOGY;

POINT OF SALE TERMINALS;

EID: 84914105014     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2014.11     Document Type: Conference Paper

References (24)

1. Financial Fraud Action UK, "Scams and computer attacks contribute to increase in fraud, as total card spending rises," Press Release, March 2014.
2. S. Drimer, S. J. Murdoch, and R. Anderson, "Thinking inside the box: system-level failures of tamper proofing," in IEEE Symposium on Security and Privacy (Oakland), May 2008, pp. 281-295.
3. S. J. Murdoch, S. Drimer, R. Anderson, and M. Bond, "Chip and PIN is broken," in IEEE Symposium on Security and Privacy (Oakland), May 2010.
4. S. Sellami, "L'imparable escroquerie à la carte bancaire," Le Parisien, 24 January 2012, http://www.leparisien.fr/faitsdivers/l-imparable-escroquerie-a-la-carte-bancaire-24-01-2012-1826971.php.
5. A. Kelman, "Job v Halifax PLC (not reported) case number 7BQ00307," in Digital Evidence and Electronic Signature Law Review, S. Mason, Ed., vol. 6, 2009.
6. D. Moon, J. Flatley, J. Hoare, B. Green, and R. Murphy, "Acquisitive crime and plastic card fraud: Findings from the 2008/09 British crime survey," Home Office, Statistical Bulletin, April 2010, http://webarchive.nationalarchives.gov.uk/20110218135832/http://rds.homeoffice.gov.uk/rds/pdfs10/hosb0810.pdf.
7. R. Anderson and R. Needham, "Programming Satan's computer," in Springer Lecture Notes in Computer Science vol 1000, 1995, pp. 426-441.
8. Visa Integrated Circuit Card - Card Specification, Visa International, October 2001, version 1.4.0.
9. EMVCo, LLC, "Terminal level 2, test cases," Type Approval, November 2011, version 4.3a.
10. EMV 4.2, EMVCo, LLC, June 2004, http://www.emvco.com/.
11. O. Choudary, "The smart card detective: a hand-held EMV interceptor," University of Cambridge, Computer Laboratory, Tech. Rep. UCAM-CL-TR-827, December 2012.
12. B. Jack, "Jackpotting automated teller machines redux," Presentation at Black Hat USA, July 2010, http://blackhat.com/html/bh-us-10/bh-us-10-archives.html#Jack.
13. EMV.LIB Integration Guide, Credit Call, 2009, http://www.level2kernel.com/emvlib documentation.html.
14. ATM Malware, SC Magazine, October 2013, http://www.pcworld.com/article/2058360/atm-malwaremay-spread-from-mexico-to-englishspeaking-world.html.
15. J. de Ruiter and E. Poll, "Formal analysis of the EMV protocol suite," in Theory of Security and Applications (TOSCA 2011), ser. LNCS, S. Moedersheim and C. Palamidessi, Eds., vol. 6693. Springer, March 2011, pp. 113-129.
16. M. Burrows, M. Abadi, and R. Needham, "A logic of authentication," ACM Transactions on Computer Systems, vol. 8, pp. 18-36, 1990.
17. R. Anderson, Security Engineering - A Guide to Building Dependable Distributed Systems. Wiley, 2003.
18. R. M. Needham and M. D. Schroeder, "Using encryption for authentication in large networks of computers," Commun. ACM, vol. 21, pp. 993-999, Dec. 1978.
19. S. J. Murdoch and R. Anderson, "Security protocols and evidence: where many payment systems fail," in Financial Cryptography and Data Security, 2014.
20. Visa International, "Transaction acceptance device guide (TADG) v 2.1," 2013.
21. S. Drimer and S. J. Murdoch, "Keep your enemies close: Distance bounding against smartcard relay attacks," in USENIX Security Symposium, August 2007.
22. S. J. Murdoch, "Reliability of chip & PIN evidence in banking disputes," in Digital Evidence and Electronic Signature Law Review, vol. 6. Pario Communications, November 2009, pp. 98-115, ISBN 0-9543245-9-5.
23. A. T. Markettos and S. W. Moore, "Frequency injection attack on ring-oscillator-based true random number generators," in Workshop on Cryptographic Hardware and Embedded Systems, 2009, pp. 317-331.
24. EMVCo, LLC, "Specification bulletin no. 103, unpredictable number generation," Bulletin, April 2012.