Karachi   ->   Sweden   ->   Karachi, again   ->   Dubai   ->   Bahrain   ->   Karachi, once more   ->   London and Leeds

Monday, December 27, 2010

Chip and PIN (aka EMV) Hacked by Omar Choudary

A recent letter by Ross J. Anderson to the banking industry has occupied the front pages of various hacker news sites. It so happened that in October 2010, Omar Salim Choudary published source code and hardware specs of SmartCard Detective---a mechanism to subvert Chip and PIN transaction; the term Chip and PIN is used for EMV in the UK.

Chip and PIN

While EMV is believed to be "the secure way of handling card based transactions," Omar managed to buy stuff with a card without knowing the cardholder's PIN at a local cafeteria as well as some retail stores. A French journalist rendered his card for the experiments and the news was broadcasted on a French TV Channel.

Since security by obscurity is the norm, when he published his work, the UK Cards Association wrote a letter to the Cambridge University to censor the student's work. Ross J. Anderson, in his response retaliated quite harshly [pdf]. The whole letter is worth reading; I am just quoting one paragraph:

Second, you seem to think that we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar’s, we have no choice but to back him. That would hold even if we did not agree with the material!

Omar's homepage not only gives specs of the hardware he used to subvert the PIN checking mechanism but gives GPL licensed source code for further research as well. He initially wanted to develop a device that sat between the card and the terminal to display what's going on in-between. He later realized that the device could be more general purpose. Threat Post provides human-readable details of what the device does:

To use the SCD, you insert a payment card into the card slot built into the board, and then you select the appropriate application on the LCD screen. Choudary built five separate apps into the SCD prototype, giving it the ability to store PINs, modify PINs, filter amounts and forward the commands from the terminal.

Hardware Security Module

It seems that Cambridge University's security research group has a long history of fiddling with the banking domain. In Feb 2003, researchers of the same university published decimalization table attack on Hardware Security Modules (HSM) [pdf]---they managed to correctly guess a PIN in 15 to 24 guesses on average.

Omar S. Choudary is from Madrid, Spain, though his name suggests some South Asian origin. He is currently a PhD student at University of Cambridge.


  1. Nice rundown with some Cambridge bank hack history to boot. Bonus. Chip and PIN "Smart" Cards throughout Canada and Europe are vulnerable to SmartCard Detective.

    But this isn't the first time since the NO PIN (yeah no pin needed if the payment method is set to signature authentication) slip was discovered and proofed by the Light Blue Touch Security Research Computer Laboratory at University of Cambridge back in February.

    Here's the older UofC paper.

  2. Very interesting. Indeed letter of Ross Anderson is worth reading & sharing.