According to the researchers, despite assurances by banks, cards with chip and pin technology are vulnerable to a form of cloning because of poorly implemented cryptographic methods in ATM machines or other similar devices.
The reason behind incorporating a chip inside a credit card or debit card is to have some sort of authentication in place and to have better protection as compared to simple swipe cards based on magnetic strips.
Researchers, in their paper, have noted “Payment cards contain a chip so they can execute an authentication protocol.”
“This protocol requires point-of-sale (POS) terminals or ATMs to generate a nonce, called the unpredictable number, for each transaction to ensure it is fresh”, they add further.
If we go into some basics of how the chip and pin cards work, there is this “unpredictable number” that is used to authenticate any transaction carried out by chip and pin card users. Now this number has to be generated by software within ATM machines or other cash points in a totally random fashion. But, it turns out that researchers, thanks to lackluster equipment, have stumbled upon instances wherein date and timestamps were being used.
Considering that date and time are always progressing in a forward fashion, it is easy to predict the values. According to the boffins, this is the vulnerability that may allow people with malicious intent to quickly clone such cards in minutes through a method commonly known as “pre-play attack.”
“If you can predict [the UN], you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location,” notes Mike Bond in a blog post.