Cambridge University – Payment systems

One day in Barcelona, a British sailor splashed out on the most expensive round of drinks of his life – without even knowing it.

It started off fairly innocuously, as he wandered into a bar and bought a round for 34 euros using his bank card. Shortly afterwards, 3,400 euros left his account. An hour later, the same thing happened again. And again, on the hour every hour for ten hours.

The sailor contacted his bank, which said its system was perfect and accused him of lying or being in league with the criminals. At this point, he got a lawyer, who sought some advice from an expert.

“I managed to provide the evidence that this incident was the result of malware in the terminal, using a particular protocol manipulation to which the card he used is endemically vulnerable”, says Cambridge University’s Professor Ross Anderson, a global expert in bank-related fraud. “It’s something that the banks were trying to overlook. Eventually the bank gave this man his money back.”

Ross Anderson

Professor Anderson is often sought out by fraud victims who need advice. Since 1992, his team at the Cambridge University Computer Laboratory has been investigating and testing the vulnerabilities of payment security. While other centres of expertise rarely publish their findings in the public domain, Professor Anderson’s team is very willing to share with both the research community and the media.

“Once we’ve figured out what’s gone wrong, we write a paper and send it off to various banking regulators, then they can then act as they see fit”, says Professor Anderson.

“Banks are vast bureaucracies, with a dozen layers of management. The only way you can encourage a large slothful corporate to change its ways is to kick it in the balls.”

Research carried out by the group has encouraged businesses to re-think their security and prodded authorities to improve their certification systems. In recent years, Anderson has worked directly with firms such as Google, Symbian and Samsung to make their platforms more secure.

The work has also led to the creation of a spin-out called Cronto, which provides authentication systems for online banking. Cronto was acquired by VASCO Data Security International for £17m in 2013.

Ross Anderson first began working at Cambridge University 23 years ago, after working as a bank security expert in Hong Kong. He initially discovered that the market for consultancy was “sewn up”, but nevertheless found himself looking into the case of Andrew Stone. Stone was eventually convicted of using information on discarded cash machine receipts to take a total of £750,000 from people’s accounts.

Back then, receipts had the customer’s full account number printed on them. Stone had been building access systems for cards with magnetic stripes, and had discovered that if you simply changed the account number stored on the stripe to another account, you could withdraw money using your own PIN. Andrew Stone would pick up the receipt that the customer had just thrown away and encode a card with the person’s account number on it, which he could then use to withdraw money.

“The exploitable vulnerabilities at the beginning were mostly extreme stupidity”, says Anderson.

Working as an expert consultant, he assisted barrister Alistair Kelman in a class action against 13 banks on behalf of 2,000 customers, asking for £2m back. Now banks only print the last four digits of the account number on the receipt.

“I got to sift through several dozen shelf-feet of witness statements, and I wrote a paper about it which appeared in 1993. It brought home to the research community how cryptographic systems fail in real life.

This launched me on the path of being a thorn in the side of the British banking industry.

One of the research group’s most famous discoveries came in 2010, when the team pointed out a notable flaw in the popular EMV smart-card system, known to many as “chip-and-pin”. The system – which was introduced across the UK in 2004 – required users to input a four-digit PIN as well as having a chip on the card read by a point-of-sale terminal. The added PIN was hailed as a way to stop fraudsters from stealing cards and forging the signature, or cloning the magnetic strip on the card to use without the owner being aware of it.

Anderson’s team observed that this process could be disrupted by criminals with as little as an undergraduate-level understanding of electronics. These findings were widely reported in the press, particularly by BBC current affairs show Newsnight.

When a customer taps their PIN into a terminal, the terminal sends a message to the card to confirm it is correct. If it gets a positive response, the transaction continues. However, the Cambridge researchers noted that it was possible to block this response by inserting a device known as a “wedge” between the card and the terminal. The device – which could be constructed using off-the-shelf materials – would then send the terminal a message saying the PIN was correct, regardless of the numbers that were typed in.

In a 2010 report called Chip-and-Pin Is Broken, the group said the vulnerability “exposes the need for further research to bridge the gap between the theoretical and practical security of bank payment systems. It also demonstrates the need for the next version of EMV to be engineered properly”. This work led to changes to EMV in April 2012.

While the banks involved don’t often welcome the attention, Professor Anderson states that all of his team’s work is focused on pointing out issues so that they can be rectified in future. But he also believes that the Financial Conduct Authority needs to lean on the ombudsman to take complaints of bank-related fraud more seriously.

“It’s good practice to shield your PIN at all times. But if you’re an individual, there’s really nothing more you can do about this. Fundamentally, this is a system maintained by the banks. Other than that, the failure is with regulation.

“Banks had been very careful with the truth when it came to the no-PIN chip-and-pin fraud. They said they didn’t know about any cases in the UK, but were perfectly aware of cases in France where people had been prosecuted.”

In past years, the group has unearthed a number of systemic failures in online consumer protection, including in the Payment Services Directive and in the Financial Ombudsman Service. Professor Anderson has been commissioned on three occasions by the US Federal Reserve to write papers for its Payment Systems Economics conferences, which are attended by industry leaders and policymakers from all over the world.

A product used by Barclays has also had a notable impact on security. Following a study of API security, Anderson’s group suggested changes that would make the hardware modules used by banks less vulnerable. Security software firm Cryptomathic hired a member of the group – Dr Mike Bond – to become a security architect in 2006, and said it used the “great insights that arose from the Anderson group” to build a product called the Crypto Service Gateway. CSG has since been adopted by Barclays, where it improves performance and saves more than £1m a year on the development of new applications.

Example of extracting disk image from ATM

As well as shining light on some of the more significant vulnerabilities of transactions, the research has also supported the technology used by spin-out Cronto Limited. Team member Dr Steven Murdoch is the chief security architect of the company, which is now helping to secure online banking in Chile, Switzerland and Germany. The system – which helps to shield consumers from malware – was rolled out to all of Commerzbank’s 11 million retail customers in 2013.

Since 1993, customers around the world have become used to different methods of transferring money, from chip-and-pin to online payments and even contactless transactions. So how have the methods of fraud changed in that time?

“Things have become more industrialised”, says Professor Anderson. “Around 20 years ago, card fraudsters would make their own equipment. Nowadays there are criminal workshops full of people with degrees in electronic engineering that manufacture this stuff, like card-cloning kits, and sell them into underground markets for several thousand pounds.

“The weaknesses we’re noticing now are in many ways a reprise of 20 years ago. There are many gangs – particularly in places like Romania – that rig up ATMs with cameras, and use something called a ‘Lebanese Loop’ to physically capture the card you’ve put the ATM. If you go to an ATM and it eats your card, stand there and call 999 or call up the bank and make sure it’s been cancelled.

“However, some people who do that have found the bad guys come back and take their card even if it’s reported as stolen, as the banks allow it to be used in contactless transaction and still charge the customer. That’s completely wrong.”

Links to Additional Information

Bank Fraud

Chip & pin vulnerability