Cryptogram Replay

Payment cryptogram (ARQC) is the core component of chip/EMV security features. Main security features that were introduced along with chip/EMV are:

 - cardholder authentication (PIN)

 - card authentication (preliminary offline data authentication on the payment terminal)

 - transaction authorization. 

Transaction authorization is a process when the card requests a set of fields (they have names like PDOL, CDOL1, CDOL2 depending on the card brand, payment process step, etc) and sign these fields along with other essential fields stored on the card itself, such as Transaction Counter (ATC) using 3DES. On the issuer's side, the correctness of the signed transaction will be checked on the Hardware Security Module (HSM). This is proof of the integrity of the transaction - if any essential fields such as amount or currency will be tampered by attackers, the cryptographic checksum will fail, and the transaction will be rejected. 

However, as long as hackers know all cryptogram input (amount, currency, date, etc.), they can precalculate the cryptogram in advance and use it without having an actual card. The ATC (Application Transaction Counter) field was implemented to mitigate this risk. Each new transaction will have higher ATC than previous, and the issuer should not allow transactions with ATC out of order. In this case, if someone will prerecord transaction cryptograms, there will be a very limited window when these cryptograms can be used - until the victim itself will use the card next time. But as some point because of false rejections of genuine transactions due to some offline delays, this check became redundant for many banks, and official EMVCo statement is that "declining transactions based on the ATC being out of sequence could result in unnecessary declined".

Links: 

• https://www.cl.cam.ac.uk/~osc22/docs/preplay_oakland14.pdf - analysis of the replay attack, which has taken place on the HSBC card in 2011 on Malta

• https://i.blackhat.com/eu-19/Wednesday/eu-19-Galloway-First-Contact-Vulnerabilities-In-Contactless-Payments-wp.pdf - modern overview or ARQC replay attacks for NFC-enabled cards

• https://www.blackhat.com/docs/us-17/thursday/us-17-Yunusov-The-Future-Of-Applepwn-How-To-Save-Your-Money.pdf  - similar attack has been presented at BlackHat USA in 2017. Cryptogram replay was possible using Apple Pay on-site/in-app payments. Apple Pay is still affected by this attack, most of affected merchants and payment service providers still don't check cryptograms against replay. However, MasterCard has implemented their security checks therefore this attack can't be done with MC cards.