
MasterCard may have made a mistake when it rolled out
two-factor security for online banking without exposing the
technical standards behind it to public scrutiny.
NatWest and Barclays have sent about five million readers, based
on the MasterCard standard, to their customers so far. The card
readers, such as the Pinsentry device from Barclays, read the chips
in bank cards to generate a single-use secure password.
But the technology has come under fire from
researchers at Cambridge University, who published a paper last
month outlining what they claim are a series of serious security
risks posed by the two-factor technology.
Cambridge University researcher Steven Murdoch says it was a
mistake for MasterCard not to expose its Chip Authentication
Program (CAP) to public scrutiny.
Too late to fix weaknesses
Now that the technology is in use it is too late to fix
weaknesses, he says. "It is an accepted principle that security
through obscurity should not be relied upon.
"By publishing the specification of CAP, researchers and other
interested parties would be able to identify weaknesses and propose
improvements, before the system was deployed," he says.
Murdoch and his colleagues at Cambridge University
reverse-engineered the card readers from NatWest and Barclays. They
discovered, among other security risks, that the technology was
vulnerable to real-time man-in-the-middle attacks (see box),
tampering by criminals and sophisticated phishing attacks.
Murdoch says it is essential that standards such as CAP are made
public before they are used, all the more so when organisations
that are not involved in their design rely on the system working
properly.
"Customers' accounts are being protected by CAP, but they
[customers] are not being told how CAP works and independent
parties cannot examine its security," he adds.
Murdoch says although it is not technically hard to fix the
problems exposed by Cambridge University, it will be expensive and
could cause embarrassment to banks that have rolled the systems
out. Banks would need to replace card readers, and probably the
cards too, which he says could take several years.
Chip and Pin underwent public scrutiny
In contrast to CAP, the chip and Pin specification, which allows
retailers to verify the identity of credit and debit card holders
through a reader, was largely exposed to public scrutiny. Chip and
Pin was a UK government initiative that used a security standard
from Europay, MasterCard and Visa, known as EMV.
It has been subject to study and improvement since the release
of its initial version in 1996, says Murdoch. "The security of [the
part made public] appears to have been reasonably sound by the time
it was deployed. Unfortunately, not all of chip and Pin was made
public, and flaws have been found in the remainder, but only after
deployment."
Murdoch says CAP, as it is used in the UK, is too easy a target
for fraudsters. "As more banks use CAP, there will be
more temptation for criminals to exploit its weaknesses, so
deploying a more secure system would be advisable."
MasterCard would not comment on why it decided to keep the
standard secret, but did say the principle behind CAP is sound.
Effectiveness of CAP under review
"Since the initial roll-outs, MasterCard has continued to review
effectiveness of the standard, and shares, on a regular basis, best
practices on the use and deployment of CAP with all the
stakeholders of the CAP implementation chain," adds MasterCard.
The Association of Payments and Clearing Services (APACS), the
trade association for the payments industry, says the findings of
the research should not get in the way of the fact that devices are
out there, being used and reducing fraud.
"If in the longer term the security of the devices is
threatened, then of course the technology and the standard that
goes with it will be reviewed," says APACS.
Some of the vulnerabilities in MasterCard's CAP standard revealed
- Phishing attacks could trick a user into entering fraudulent
details into the card reader and sending them to the attacker.
- The software in the PC used to control the card reader could
come into contact with malware.
- Criminals could use doctored chip and Pin readers to harvest
card details.
- Criminals could tamper with card readers, which are readily
available on eBay, and use them to copy chip details and record
Pins.
- Muggers could force the user to hand over their card and their
Pin while they remotely take money.
CAP protocol is sound
In contrast to Cambridge University's findings, Richard Brain,
technical director at security supplier Procheckup, believes
publishing the CAP standard would have been a mistake. "Certainly
the CAP standard has been weakened because of this research, though
not fatally."
He says banks can add more security and checks to their websites
to compensate for any exposed weaknesses.
"The report was impressive technically from the reverse
engineering viewpoint though it contained little to concern me over
the CAP protocol," Brain adds.
Whether or not to publish details of any security standard is a
matter for debate. Should you open it up and let people test it out,
or should you keep it secret? Either way, determined criminals have
the time and resources to crack the code.
Real-time man-in-the-middle attacks
Criminals use malware to surreptitiously copy personal banking
details, such as passwords and login names. The attacker makes
independent connections with the victim and the banking website
and relays messages between them. The bank and the customer appear
to be in direct contact over a private connection, when in reality
the conversation is controlled by the attacker.