EMV CARD CLONING – HYPOTHESIS OR REALITY?

Tomcat

Researchers believe that a number of ATMs and POS terminals do not generate random numbers correctly - i.e. as prescribed by the EMV protocol.

Despite the fact that the two main players in the global card market, Visa and MasterCard, today continue the process of migration to EMV cards with Chip&PIN technology in the US market, this cannot serve as a panacea for fraud risks, according to foreign industry publications. Cyber fraudsters are coming up with new, increasingly investment-intensive ways to bypass the security barriers of chip card technology. Some of these fraudulent techniques are related to the so-called pre-play attacks that use features of the EMV protocol regarding the generation of random numbers. As you know, unlike traditional payment cards with a magnetic stripe, during an EMV card transaction, a random number sensor (RNS) generates a unique code for each “chip” transaction, making attempts by criminals to compromise critical information for the subsequent production of a counterfeit card almost pointless.

However, many theories of protecting chip cards from cloning thanks to this mechanism were noticeably shaken when a group of British researchers from the University of Cambridge, in 2024, discovered the vulnerability of EMV cards to cloning, publishing a report entitled “Chip and Skim: cloning EMV cards with the pre-play attack.” At the IEEE Symposium on Security and Privacy held in May 2024 in San Jose (California, USA), a group of researchers from the University of Cambridge added new information to their previous research. This time, the researchers pointed to a total of two critical vulnerabilities that make EMV cards vulnerable to pre-play attacks.

The first conclusion of the report concerned the identified possibility of selecting random numbers (unpredictable numbers or UN) generated by ATMs and POS terminals for subsequent compromise of EMV card data, which, within the framework of the EMV protocol, are required for secure authentication of a transaction request. Researchers believe that a number of ATMs and POS terminals do not generate random numbers properly, i.e., as prescribed by the EMV protocol. This vulnerability, they believe, could be used by cyber fraudsters to clone credit and debit chip cards, as a result of which bank security systems will be unable to distinguish a fraudulent transaction from a real one in principle.
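An added example, not part of the original post: a check an issuer or acquirer could run over the unpredictable numbers (UN, EMV tag 9F37, 4 bytes) logged per terminal to spot generators that are not random. The terminal IDs, sample values and thresholds are constructed assumptions, and the three tests are a generalization of the weakness described above, not the researchers' own method.

```python
from collections import Counter

MASK = 0xFFFFFFFF  # the UN is a 4-byte (32-bit) value

def audit_uns(uns, min_samples=8, max_stuck_bits=7, max_diff_share=0.5):
    """Flag non-random patterns in one terminal's UNs, given in transaction order.

    Thresholds are illustrative assumptions, not values from the EMV specification.
    An empty result means no pattern was found, not that the generator is sound.
    """
    if len(uns) < min_samples:
        raise ValueError("not enough samples to judge this terminal")
    findings = set()
    # 1. Repeats: a uniform 32-bit value should not recur in a small sample.
    if max(Counter(uns).values()) > 1:
        findings.add("repeat")
    # 2. Stuck bits: bit positions that hold the same value in every sample.
    and_all, or_all = MASK, 0
    for u in uns:
        and_all &= u
        or_all |= u
    stuck = 32 - bin(and_all ^ or_all).count("1")
    if stuck > max_stuck_bits:
        findings.add("stuck_bits")
    # 3. Counter: one step size dominates the differences between neighbours.
    diffs = Counter((b - a) & MASK for a, b in zip(uns, uns[1:]))
    if diffs.most_common(1)[0][1] / (len(uns) - 1) > max_diff_share:
        findings.add("counter")
    return findings

# Constructed sample logs keyed by made-up terminal IDs.
_SEEDED = [0x9F3C21A7, 0x14E8B05D, 0xC7A2936E, 0x2B51F8C4]
LOGS = {
    "ATM-A": [0x0001A3F0 + i for i in range(8)],   # incrementing counter
    "POS-B": _SEEDED + [0x7D0E4A19, 0xE6937B82, 0x38C5D1F0, 0x51AA0E6B],
    "POS-C": _SEEDED * 2,                          # sequence restarts and repeats
}

def audit_all(logs):
    """Audit every terminal and return {terminal_id: set_of_findings}."""
    return {tid: audit_uns(uns) for tid, uns in logs.items()}

if __name__ == "__main__":
    for tid, found in audit_all(LOGS).items():
        print(tid, sorted(found) or "no pattern found")
```
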
 