With the right equipment, the victims' details could be gathered and sent over wireless networks to a co-conspirator nearby, who makes a transaction using those details while the victim is making a transaction of their own. "In [our example], the two shops were one door away from each other. That worked pretty well but you could do with GPRS or GSM and send to the other side of the world," Murdoch explained.
Can the attack be prevented?
Murdoch offers four suggestions to remedy this vulnerability: make the terminal tamper-resistant, physically examine the card to check for wires which can indicate this type of fraud is being carried out, ensure that the numbers embossed on the card match the receipt, or finally, impose timing constraints on the authentication as, for the attack to work, the fraudulent transaction must occur during the time in which the legitimate transaction is happening.
"That is, making sure that the real card responds [to the terminal] within a certain time period. This is good start because no information can travel faster than the speed of light. And if you can measure the distance between the real card and real terminal, if this is more than a few centimetres, then something is wrong," he said.
According to his and Drimer's research, the authentication process under the chip and PIN authentication protocol can take up to three seconds to complete.
"This is huge. [At the speed of light] you can go round earth three times and to the moon but you can't quite get to Mars, so Martian smartcards are safe," he said.
"It's not even possible with existing smartcard protocol to reduce the timing requirement to a sufficiently low level that this attack doesn't work," he said.
The problem can however be fixed by what the scientists call a "distance bounding protocol" which uses a smaller and faster "one bit challenge and a one bit response".
The proposed protocol works by the bank sending a single bit challenge to a legitimate card to unlock the encryption key which both parties have.
"The response that comes back can only be given by real card," explained Murdoch. "So even in a relay attack the right data will come back but it will be too slow."








I didn't know there were banks on Mars, I bet they have better interest rates than us though.