Banking card readers inherently insecure

Published 26 February 2009

Hand-held bank card readers were designed to thwart online banking fraud, but cost-saving measures have resulted in design compromises that have left customers open to risk of fraud

Card readers for online banking are inherently insecure, according to a new study by Cambridge security researchers. Researchers Saar Drimer, Steven Murdoch, and Ross Anderson found a number of serious security shortcomings after reverse engineering the underlying protocol (called the Chip Authentication Program, or CAP) that underpins hand-held card readers. Readers are typically used alongside customer’s debit cards to generate one-time codes for online banking login and transaction authentication. The devices are designed to thwart online banking fraud, but cost-saving measures have resulted in design compromises that have left customers open to risk of fraud.

John Leyden writes that the researchers’ paper, Optimized to Fail: Card readers for online banking, presented at the Financial Cryptography 2009 conference this morning, explains the efforts to reduce the cost to the banks and the amount of typing done by customers have created the sort of security shortcomings akin to the introduction of Chip & PIN.

While the principle of CAP — two factor transaction authentication — is sound, the flawed implementation in the United Kingdom puts customers at risk of fraud, or worse.

When Chip & PIN was introduced for point-of-sale, the effective liability for fraud was shifted to customers. While the banking code says that customers are not liable unless they were negligent, it is up to the bank to define negligence. In practice, the mere fact that Chip & PIN was used is considered enough. Now that Chip & PIN is used for online banking, we may see a similar reduction of consumer protection.

The research was carried out by reverse-engineer hand-held card readers from U.K. banks NatWest and Barclays. Cryptographic problems uncovered by the Cambridge team include “reusing authentication tokens, overloading data semantics, and failing to ensure freshness of responses.”

Previous work by the same Cambridge researchers including unpicking the security short-comings of Chip and PIN terminals, which are used to authorize card purchases in retail environments. This research highlighted the absence of encryption in the data exchanged between PIN entry devices and cards during transactions.