LAS VEGAS – The inevitable changeover from magnetic strip-based payment cards to EMV, or chip-and-PIN, is coming for consumers and merchants in the United States. And coming along with it are a raft of weaknesses and real-world attacks that shoot holes in the presumption that EMV will remedy credit card fraud.
Cambridge University professor Ross Anderson, a cryptography expert who has spent more than a decade examining the various EMV protocols, vulnerabilities and hacks, today cautioned during a talk at the Black Hat 2014 conference that American banks and merchants heed these lessons and prepare accordingly.
“We’ve been using EMV in the U.K. for 11 years and have a lot of experience understanding how these things break,” Anderson said. “When this started, we thought we knew what the shortcuts were and what fraud would be, but reality was quite different.”
Accelerating the change is an October 2015 deadline imposed by Visa when it will institute a liability shift where the party causing a fraudulent transaction will be responsible for losses if chip-and-PIN is not part of the transaction. Not only does this incentivize the payment industry to move to EMV, but also could accelerate the pace of attacks and attention given to chip and PIN insecurity in the U.S.
Data stored on magnetic-strip credit cards, for example, is simpler to copy and steal than the data on a card chip, Anderson said. The card chip is supposed to add integrity to transactions in that it authenticates the card as the user enters a PIN, which is verified by the chip at the payment terminal. The end result was supposed to be a drop in fraud, but as Anderson pointed out during a brief history lesson, different types of fraud spiked as hackers learned the ropes with EMV.
For example, fraud climbed in card-not-present transactions, such as those carried out in online stores. In parallel, counterfeiting of cards went down because it’s difficult to clone card chips, Anderson said. But then it spiked when hackers realized that they could just steal card and PIN details from weak or fraudulent terminals and just use those credentials in the United States and other locations worldwide where magnetic strip cards are still the norm.
“Banks believed that replacing magnetic strips with an alternative such as chip and PIN that they would be able to cut fraud,” Anderson said. “Fraud went up, however, then down, and now it’s up again. The overall effect is as if they’ve taken a bulldozer to the landscape; the river of crime is still flowing, just from slightly different channels.”
As with any other brand of attacker, fraudsters seek the path of least resistance. Anderson’s Cambridge students, for example figured how to manipulate supposedly tamper resistant PIN Entry Devices (PED) through a pinhole on the underside of the terminal. Using a paper clip through the opening and dropping a contact onto the serial line that carries the PIN and credit card data to and from the pin pad, the students were able to steal everything with 10 minutes of work and a few dollars of supplies. This was a blow to PED makers such as Ingenico whose devices zero-out the PED’s cryptographic keys if circuits are interrupted through tampering, essentially turning them into bricks. VISA, for one, estimated that it should cost $25,000 per unit to defeat a PED; a theory Anderson’s team smashed.
In the real world, criminals were already figuring out some of the same attack principles, Anderson said. Two brothers in Dubai had access to terminals in a factory there, and were adding “wicked electronics” to them, as Anderson put it, that sent card and PIN details via SMS to a criminal gang in Karachi, Pakistan. The brothers were arrested in July 2011, but were not convicted because, Anderson said, the banks presented no evidence against them out of embarrassment.
Shortly thereafter, Cambridge researchers came up with another academic attack they called the No-PIN Attack that exploits a flaw in chip and PIN systems that allows a terminal to think the correct PIN was entered and the card to think a signature was entered authenticating the transaction. The criminal has no PIN, yet the bank and merchant verifies the transaction by PIN.
“In theory, it’s a simple attack: Put a device between the card and the PED and tell each end it’s a valid transaction,” Anderson said. “If you compare the card and PED logs, you can detect this attack but it’s harder than you might think.”
A newer attack being studied by Anderson’s team involves the ability to predict random numbers send by the PED to the card that can be used to pre-compute an authentication request cryptogram.