Beware the man in the middle…
By Tom Espiner
Published: 3 March 2009 07:59 GMT
Barclays Bank has rolled out a contactless Visa debit card.
As of yesterday, Barclays customers getting new or replacement cards will receive ones containing RFID technology. This contactless technology will allow them to use the debit card for transactions of up to £10, without entering a PIN.
Owners will still be able to use the debit cards for chip and PIN transactions and for bank machine withdrawals.
The protocol behind the contactless technology has not been made available to academic security researchers, Cambridge University researcher Steven Murdoch said on Monday.
Murdoch said: "The problem with the UK contactless system is that it's secret, which means we have to reverse-engineer it to point out vulnerabilities."
"Contactless payment has been rolled out but any security vulnerabilities will be pointed out after the banks can do anything about it," he told silicon.com sister site ZDNet UK.
Murdoch said that while security researchers were restricted from viewing the protocol, people with malicious intent would be able to examine it.
"I'm sure crooks will have a copy of the spec," he said. "People can get hold of a copy if they sign a contract saying they will not make any reports [about the protocol]. Any criminals could get hold of a copy of the specification but academics are at a disadvantage."
A Barclays spokesperson told ZDNet UK on Monday that there had been extensive third-party testing of the contactless system, and said that security risks around contactless payments had been mitigated.
"Contactless is designed for small transactions, while users will periodically be asked for a PIN," said the spokesperson. "The card uses dynamic data authentication - in which a unique secret code is generated to authenticate each transaction - while the chip contains different information than the magnetic strip, to prevent cloning."
Tests have concluded that it would not be economically viable for criminals to subvert the system, the Barclays spokesperson added. "The cost of intercepting the information doesn't justify how much could be made out of the information," said the spokesperson.
Cambridge University researchers have said they have serious security concerns about chip and PIN payment systems. Researchers Ross Anderson, Saar Drimer and Murdoch published a paper on Thursday detailing security flaws in the Chip Authentication Programme (CAP) used for UK payment cards. The main problem they identified is that online card payment systems using readers had been optimised for usability, to the extent of sacrificing security.
The researchers said they had found design errors in CAP, including a failure to ensure "freshness of responses". Murdoch said that there were no assurances in the system that card responses were not old or generated in advance, allowing for a man-in-the-middle attack.
"The lack of freshness could be exploited through a fake chip and PIN terminal in a shop," said Murdoch. "The bank asks for a response from a card reader that it hasn't seen before but that response could be hours or even days old."
In addition, authentication tokens are reused between point-of-sale and online banking transactions, Murdoch added. This effectively opens up the possibility of a man-in-the-middle attack online, he said.
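The two weaknesses Murdoch describes, missing freshness and token reuse between point-of-sale and online banking, come down to what the bank-side verifier checks before it accepts a card's response. The following is an added example, not code from the article, the Cambridge researchers or any bank; the key, the HMAC construction, the context labels and the 60-second time-out are constructed assumptions, since the real CAP message formats are not described on the page. It places a verifier that accepts any valid response, whenever and for whatever purpose it was produced, beside one that issues its own single-use, time-limited challenge bound to the transaction type.

```python
"""Challenge-response verification with and without freshness and context binding.

Added illustration, not code from the article, the Cambridge researchers or any
bank. The key, the MAC construction, the context labels and the 60-second
time-out are constructed assumptions; the real CAP/EMV message formats are
not described on the page.
"""
import hashlib
import hmac
import secrets
import time

CARD_KEY = b"constructed-demo-key"  # constructed; real cards hold issuer-derived keys


def mac(key: bytes, *parts: bytes) -> str:
    """HMAC-SHA256 over the '|'-joined parts (stand-in for the card's cryptogram)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).hexdigest()


class WeakVerifier:
    """Accepts any valid MAC over a challenge the card chose itself.

    Nothing ties the response to a challenge the bank issued just now, or to
    the kind of transaction, so an old response, or one minted for a
    point-of-sale purchase, verifies in online banking just as well.
    """

    def __init__(self, key: bytes):
        self.key = key

    def verify(self, context: bytes, challenge: bytes, response: str) -> bool:
        del context  # not bound into the MAC: the same token serves every purpose
        return hmac.compare_digest(mac(self.key, challenge), response)


class FreshVerifier:
    """Bank-issued, single-use, time-limited challenges bound to a context label."""

    def __init__(self, key: bytes, ttl_seconds: float = 60.0, clock=time.monotonic):
        self.key = key
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so a test can advance time deterministically
        self._pending = {}  # nonce -> (context, issued_at)

    def issue_challenge(self, context: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = (context, self.clock())
        return nonce

    def verify(self, context: bytes, challenge: bytes, response: str) -> bool:
        entry = self._pending.pop(challenge, None)  # consumed on first use, pass or fail
        if entry is None:
            return False  # never issued, or already used: a replay
        issued_context, issued_at = entry
        if issued_context != context:
            return False  # token issued for POS presented to online banking
        if self.clock() - issued_at > self.ttl:
            return False  # stale: computed too long ago
        return hmac.compare_digest(mac(self.key, context, challenge), response)


def demo() -> dict:
    """Run both verifiers against a live, a replayed, a reused and a stale response."""
    pos, online = b"POS", b"ONLINE"

    weak = WeakVerifier(CARD_KEY)
    old_challenge = b"card-counter-0042"            # chosen by the card, days ago
    old_response = mac(CARD_KEY, old_challenge)
    weak_accepts_old = weak.verify(pos, old_challenge, old_response)
    weak_accepts_pos_token_online = weak.verify(online, old_challenge, old_response)

    clock = [0.0]
    fresh = FreshVerifier(CARD_KEY, ttl_seconds=60.0, clock=lambda: clock[0])

    n1 = fresh.issue_challenge(pos)                   # live purchase
    r1 = mac(CARD_KEY, pos, n1)
    live_ok = fresh.verify(pos, n1, r1)
    replay_rejected = not fresh.verify(pos, n1, r1)   # same pair presented again

    n2 = fresh.issue_challenge(pos)                   # POS token shown to online banking
    r2 = mac(CARD_KEY, pos, n2)
    cross_context_rejected = not fresh.verify(online, n2, r2)

    n3 = fresh.issue_challenge(pos)                   # response prepared, presented 3h later
    r3 = mac(CARD_KEY, pos, n3)
    clock[0] += 3 * 3600
    stale_rejected = not fresh.verify(pos, n3, r3)

    return {
        "weak_accepts_old": weak_accepts_old,
        "weak_accepts_pos_token_online": weak_accepts_pos_token_online,
        "live_ok": live_ok,
        "replay_rejected": replay_rejected,
        "cross_context_rejected": cross_context_rejected,
        "stale_rejected": stale_rejected,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The hardened verifier pops the nonce from its pending table before any other check, so a challenge is consumed on its first presentation whether or not that presentation succeeds; combined with the bank choosing the nonce, the expiry window and the context label inside the MAC, this is what denies a response that is old, prepared in advance, or minted for a different kind of transaction.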
Apacs, a UK trade association for the payments industry, said that it was familiar with the report by the Cambridge researchers. "The report hasn't said anything we are unaware of," a spokesperson for the group said. "It's important to bear in mind that those banks that have deployed two-factor authentication have reported a fall in fraud losses."
The spokesperson added that the Cambridge University researchers tested security against a different set of requirements from those of the banks. "Banking industry requirements are usability - that card processes are easy for customers to understand and that cards are easy to transport," said the spokesperson.