Rest of industry still sitting on its hands over 9-year-old threat
Elements of the payment card industry have introduced a new contactless payment card security feature, designed to defend against relay attacks.
Relay attacks were first demonstrated nine years ago by computer scientists Saar Drimer and Steven Murdoch.
The pair also showed how the flaw can be mitigated using a technique called distance bounding. Mastercard has taken up this defence, meaning its cards (at least) are now protected.
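To make the distance-bounding idea concrete, here is an added simulation (not code from Drimer and Murdoch, Mastercard or EMVCo): a reader issues a fresh challenge, checks that the card's keyed reply is authentic, and separately checks that the round trip came back within the time budget a genuine card needs. A relay forwards the genuine card's correct answer, but the extra hops add latency the reader can measure. The key, the MAC construction and every timing figure are constructed for the demo.

```python
import hashlib
import hmac
import os

# Timing figures and the key below are constructed for the simulation, not real EMV values.
CARD_KEY = b"constructed-demo-card-key"


class Card:
    """Genuine contactless card: answers a challenge with a keyed MAC over the nonce."""

    def __init__(self, key: bytes, processing_us: int):
        self.key = key
        self.processing_us = processing_us  # time the card needs to compute its reply

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.key, nonce, hashlib.sha256).digest()[:8]


class Link:
    """Simulated channel with a simulated clock. extra_hops_us is 0 for a card held
    directly at the reader; a relay adds its own forwarding delay on top."""

    def __init__(self, card: Card, extra_hops_us: int = 0):
        self.card = card
        self.extra_hops_us = extra_hops_us

    def exchange(self, nonce: bytes):
        rf_round_trip_us = 2  # near-field propagation itself is negligible
        rtt_us = rf_round_trip_us + self.card.processing_us + self.extra_hops_us
        return self.card.respond(nonce), rtt_us


def distance_bounding_check(link: Link, key: bytes, max_processing_us: int,
                            tolerance_us: int = 20) -> str:
    """Reader side: the reply must be both authentic and fast. A correct MAC that
    arrives late is treated as relayed, which is the whole point of the defence."""
    nonce = os.urandom(8)  # fresh challenge for every transaction
    reply, rtt_us = link.exchange(nonce)
    expected = hmac.new(key, nonce, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(reply, expected):
        return "invalid_response"
    if rtt_us > max_processing_us + tolerance_us:
        return "relay_suspected"
    return "ok"


if __name__ == "__main__":
    genuine = Card(CARD_KEY, processing_us=150)
    print(distance_bounding_check(Link(genuine), CARD_KEY, 150))  # ok
    # Same genuine card, but every message crosses two extra radio hops.
    print(distance_bounding_check(Link(genuine, extra_hops_us=3000), CARD_KEY, 150))  # relay_suspected
```

Note that the authenticity check alone would pass in the relayed case, since the genuine card really did sign the nonce; only the timing check tells the two apart.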
“Finally the banks are now implementing this defence, though only for contactless cards (as they are more vulnerable than the contact Chip and PIN cards that were available in 2007), and so far only for MasterCard cards,” Murdoch told El Reg.
Murdoch says that although the relay attack is real it’s unclear whether or not fraud based on the security weakness has actually taken place.
“I’m not aware of any confirmed cases, other than academic experiments. However, unless this were a widespread fraud, I don’t think I would have heard about it even if it had happened,” Murdoch explained.
“There have been bank customers who have come to me or colleagues to say that they have been refused a refund for a Chip and PIN transaction that they said did not take place. In some of these cases it might have been a relay attack, but in almost every case it is never established what happened.”
“The banks have taken the position that a relay attack is unlikely and since the decision of whether a bank refunds the customer is based on the most likely explanation, the bank always presents another scenario as being the most likely (normally customer negligence),” he added.
Murdoch only found out that MasterCard had moved to defend against the relay attack because he regularly looks at the EMVCo specifications and noticed this change.
“While the new feature is far from a secret, I don’t think MasterCard are drawing attention to it,” he explained. “Now that the MasterCard specification is out I am sure the other card schemes have considered what they will do, but I have no indication of a decision.”
The security researcher has put together an article on Mastercard’s move, and on relay attacks more generally, for the University College London information security group’s Bentham’s Gaze blog.
Pass the baton: Relay attack [source: UCL blog post]