MasterCard may have made a mistake when it rolled out two-factor security for online banking without exposing the technical standards behind it to public scrutiny.

• Too late to fix weaknesses
• Chip and Pin underwent public scrutiny
• Effectiveness of CAP under review
• CAP protocol is sound
• Real-time man in the middle attacks
• Some of the vulnerabilities in MasterCard's PAC standard revealed

NatWest and Barclays have sent about five million readers, based on the MasterCard standard, to their customers so far. The card readers, such as the Pinsentry device from Barclays, read the chips in bank cards to generate a single-use secure password.

But the technology has come under fire from researchers at Cambridge University, who published a paper last month outlining what they claim are a series of serious security risks posed by the two-factor technology.

Cambridge University researcher Steven Murdoch says it was a mistake for MasterCard not to expose its Chip Authentication Program (CAP) to public scrutiny.

Too late to fix weaknesses

Now that the technology is in use it is too late to fix weaknesses, he says. "It is an accepted principle that security through obscurity should not be relied upon.

"By publishing the specification of CAP, researchers and other interested parties would be able to identify weaknesses and propose improvements, before the system was deployed," he says.

Murdoch and his colleagues at Cambridge University reverse-engineered the card readers from NatWest and Barclays. They discovered, among other security risks, that the technology was vulnerable to real-time man-in-the middle attacks (see box), tampering by criminals and sophisticated phishing attacks.

Murdoch says it is essential that standards such as CAP are made public before they are used. All the more so when organisations that are not involved in its design rely on the system working properly.

"Customers' accounts are being protected by CAP, but they [customers] are not being told how CAP works and independent parties cannot examine its security," he adds.

Murdoch says although it is not technically hard to fix the problems exposed by Cambridge University, it will be expensive and could cause embarrassment to banks that have rolled the systems out. Banks would need to replace card readers, and probably the cards too, which he says could take several years.

Chip and Pin underwent public scrutiny

In contrast to CAP, the chip and Pin specification, which allows retailers to verify the identity of credit and debit card holders through a reader, was largely exposed to public scrutiny. Chip and Pin was a UK government initiative that used a security standard from Europay, MasterCard and Visa, known as EMV,

It has been subject to study and improvement since the release of its initial version in 1996, says Murdoch. "The security of [the part made public] appears to have been reasonably sound by the time it was deployed. Unfortunately, not all of chip and Pin was made public, and flaws have been found in the remainder, but only after deployment."

Murdoch says CAP, as it is used in the UK, is too easy a target for fraudsters. "As more banks use CAP, there will be more temptation for criminals to exploit its weaknesses, so deploying a more secure system would be advisable."

MasterCard would not comment on why it decided to keep the standard secret, but did say the principle behind CAP is sound.

Effectiveness of CAP under review

"Since the initial roll-outs, MasterCard has continued to review effectiveness of the standard, and shares, on a regular basis, best practices on the use and deployment of CAP with all the stakeholders of the CAP implementation chain," adds MasterCard.

The Association of Payments and Clearing Services (APACS), the trade association for the payments industry, says the findings of the research should not get in the way of the fact that devices are out there, being used and reducing fraud.

"If in the longer term the security of the devices is threatened, then of course the technology and the standard that goes with it will be reviewed," says APACS.

CAP protocol is sound

In contrast to Cambridge University's findings, Richard Brain, technical director at security supplier Procheckup, believes publishing the CAP standard would have been a mistake. "Certainly the CAP standard has been weakened because of this research, though not fatally."

He says banks can add more security and checks to their websites to compensate for any exposed weaknesses.

"The report was impressive technically from the reverse engineering viewpoint though it contained little to concern me over the CAP protocol," Brain adds.

Whether or not to publish details of any security standard is a matter to debate. Should you open it up and let people test it out, or should you keep it secret? Either way, determined criminals have the time and resources to crack the code.