
Vulnerabilities

Opportunities to harvest PINs and clone magnetic stripes

In addition to the track-two data on the magnetic stripe, EMV cards generally have identical data encoded on the chip, which is read as part of the normal EMV transaction process. If an EMV reader is compromised to the extent that the conversation between the card and the terminal is intercepted, then the attacker may be able to recover both the track-two data and the PIN, allowing construction of a magnetic stripe card which, while not usable in a chip and PIN terminal, can be used, for example, in terminal devices that permit fall-back to mag-stripe processing for foreign customers without chip cards and for defective cards. This attack is possible only where (a) the off-line PIN is presented in plain text by the PIN entry device to the card, (b) mag-stripe fall-back is permitted by the card issuer and (c) geographic and behavioral checking may not be carried out by the card issuer. It was claimed that changes specified to the protocol (specifying different card verification values for the chip and the magnetic stripe, the iCVV) rendered this attack ineffective. APACS (the UK payments association) stated that such measures would be in place from January 2008, although tests on cards in February 2008 indicated this may have been delayed.
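The iCVV countermeasure described above can be modelled issuer-side. This is an added example, not code from the page or from any card scheme: the 3DES-based CVV algorithm is replaced by an HMAC stand-in, the track-2 discretionary-data layout is constructed, and the key and PAN are test values.

```python
import hmac
import hashlib

CVK = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed card verification key
ICVV_SERVICE_CODE = "999"  # the chip's track-2 equivalent carries a CVV derived with service code 999

def derive_cvv(key, pan, expiry, service_code):
    """Stand-in for the issuer's 3DES-based CVV algorithm (HMAC-SHA256 here so it
    runs offline); like the real one it binds PAN, expiry and service code."""
    mac = hmac.new(key, f"{pan}{expiry}{service_code}".encode(), hashlib.sha256).hexdigest()
    return "".join(str(int(c, 16) % 10) for c in mac[:3])  # simplified decimalisation

def build_track2(key, pan, expiry, service_code, cvv_service_code):
    """Constructed track-2 layout: PAN=YYMMSSS then discretionary data ending in the CVV.
    A genuine stripe derives its CVV with the real service code; the chip uses 999 (iCVV)."""
    cvv = derive_cvv(key, pan, expiry, cvv_service_code)
    return f"{pan}={expiry}{service_code}000000{cvv}"

def parse_track2(track):
    pan, rest = track.split("=", 1)
    return pan, rest[:4], rest[4:7], rest[-3:]

def issuer_verify_swiped(key, track):
    """Issuer check for a magnetic-stripe (swiped) authorization: recompute the CVV
    with the service code present on the track and compare it with the CVV carried."""
    pan, expiry, service_code, cvv = parse_track2(track)
    return hmac.compare_digest(derive_cvv(key, pan, expiry, service_code), cvv)

# Constructed test card
PAN, EXPIRY, SERVICE_CODE = "4111111111111111", "2512", "201"
GENUINE_STRIPE = build_track2(CVK, PAN, EXPIRY, SERVICE_CODE, SERVICE_CODE)
# What an intercepted chip conversation yields: same fields, but the iCVV in place of the CVV.
# A stripe written from this data fails the swiped-transaction check above.
CHIP_TRACK2_EQUIVALENT = build_track2(CVK, PAN, EXPIRY, SERVICE_CODE, ICVV_SERVICE_CODE)
```

Without the iCVV (both values derived with the same service code) the cloned stripe would pass this check, which is why the page's conditions (a) and (b) alone were sufficient before the change.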

Successful attacks

Conversation capturing is the form of attack reported to have taken place against Shell terminals in May 2006, when Shell was forced to disable all EMV authentication in its petrol stations after more than £1 million was stolen from customers.

In October 2008 it was reported that hundreds of EMV card readers for use in Britain, Ireland, the Netherlands, Denmark, and Belgium had been expertly tampered with in China during or shortly after manufacture, so that details and PINs of credit and debit cards were sent over mobile phone networks to criminals in Lahore, Pakistan, during the 9 months before the discovery. US National Counterintelligence Executive Joel Brenner said, "Previously only a nation state's intelligence service would have been capable of pulling off this type of operation. It's scary." Data were typically used a couple of months after the card transactions to make it harder for investigators to pin down the vulnerability. After the fraud was discovered it was found that tampered-with terminals could be identified because the additional circuitry increased their weight by about 100 g. Tens of millions of pounds sterling are believed to have been stolen. This vulnerability spurred efforts to implement better control of electronic POS devices over their entire life cycle, a practice endorsed by electronic payment security standards like those being developed by the Secure POS Vendor Alliance (SPVA).

Demonstration of PIN harvesting and stripe cloning

Cambridge University researchers Steven Murdoch and Saar Drimer demonstrated in a February 2008 BBC Newsnight program one example attack, to illustrate that Chip and PIN is not secure enough to justify passing the liability to prove fraud from the banks onto customers. The Cambridge University exploit allowed the experimenters to obtain both card data to create a magnetic stripe and the PIN.

APACS, the UK payments association, disagreed with the majority of the report, saying: "The types of attack on PIN entry devices detailed in this report are difficult to undertake and not currently economically viable for a fraudster to carry out." They also said that changes to the protocol (specifying different card verification values between the Chip and Magnetic Stripe, the iCVV) would make this attack ineffective from January 2008. The fraud reported in October 2008 to have operated for 9 months (see above) was probably in operation at the time, but was not discovered for many months.

2010: Hidden hardware disables PIN checking on stolen card

On 11 February 2010 Murdoch and Drimer's team at Cambridge University announced that they had found "a flaw in chip and PIN so serious they think it shows that the whole system needs a re-write" that was "so simple that it shocked them". A stolen card is connected to an electronic circuit and to a fake card that is inserted into the terminal ("man-in-the-middle attack"). Any 4 digits are typed in and accepted as a valid PIN. A team from the BBC's Newsnight program visited a Cambridge University cafeteria (with permission) with the system, and were able to pay using their own cards (a thief would use stolen cards) connected to the circuit, inserting a fake card and typing in "0000" as the PIN. The transactions were registered as normal, and were not picked up by banks' security systems. A member of the research team said, "Even small-scale criminal systems have better equipment than we have. The amount of technical sophistication needed to carry out this attack is really quite low." The announcement of the vulnerability said, "The expertise that is required is not high (undergraduate level electronics) ... We dispute the assertion by the banking industry that criminals are not sophisticated enough, because they have already demonstrated a far higher level of skill than is necessary for this attack in their miniaturized PIN entry device skimmers." It is not known if this vulnerability has been exploited.

EMVCo disagreed and published a response saying that, while such an attack might be theoretically possible, it would be extremely difficult and expensive to carry out successfully, that current compensating controls are likely to detect or limit the fraud, and that the possible financial gain from the attack is minimal while the risk of a declined transaction or exposure of the fraudster is significant.

When approached for comment, several banks each said that this was an industry-wide issue, and referred the Newsnight team to the banking trade association for further comment. According to Phil Jones of the Consumers' Association, chip and PIN has helped to bring down instances of card crime, but many cases remain unexplained: "What we do know is that we do have cases that are brought forward from individuals which seem quite persuasive."

Because the submission of the PIN is suppressed, this is the exact equivalent of a merchant performing a PIN bypass transaction; such transactions will never succeed off-line, as a card will never generate an off-line authorization without a successful PIN entry. As a result, the transaction ARQC must be submitted on-line to the issuer, who will know that the ARQC was generated without a successful PIN submission (since this information is included in the encrypted ARQC) and hence would be very likely to decline the transaction if it were for a high value, out of character or otherwise outside of the typical risk management parameters set by the issuer.
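The issuer-side reconciliation this paragraph relies on, written out as an added example (not the page's or any issuer's code): the card's Card Verification Results (CVR, modelled here as a constructed one-byte flag since real layouts are issuer-proprietary) are covered by the ARQC, so the issuer can compare them with the terminal's CVM Results (tag 9F34). The card key and amounts are constructed, and HMAC-SHA256 stands in for the 3DES/AES session-key MAC of a real ARQC.

```python
import hmac
import hashlib

ICC_MAC_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")  # constructed card key

# EMV CVM code and result byte as reported by the terminal in CVM Results (9F34)
CVM_PLAINTEXT_PIN_ICC = 0x01
CVM_SIGNATURE = 0x1E
CVMR_SUCCESS = 0x02

def _mac(key, amount, atc, cvr):
    data = amount.to_bytes(6, "big") + atc.to_bytes(2, "big") + cvr
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

def card_generate_arqc(key, amount, atc, offline_pin_verified):
    """Card side: the CVR records what the card itself saw and is part of the
    MAC input, so a terminal cannot alter it without invalidating the ARQC."""
    cvr = bytes([0x01 if offline_pin_verified else 0x00])
    return cvr, _mac(key, amount, atc, cvr)

def issuer_authorize(key, amount, atc, cvr, arqc, cvmr, pin_required_above=5000):
    """Issuer side: authenticate the ARQC, then reconcile the terminal's claim
    (CVMR) with the card's own record (CVR) before applying risk limits."""
    if not hmac.compare_digest(_mac(key, amount, atc, cvr), arqc):
        return "DECLINE: ARQC does not verify"
    terminal_says_pin_ok = cvmr[0] == CVM_PLAINTEXT_PIN_ICC and cvmr[2] == CVMR_SUCCESS
    card_says_pin_ok = cvr[0] == 0x01
    if terminal_says_pin_ok and not card_says_pin_ok:
        return "DECLINE: terminal reports PIN verified but card never verified one"
    if not card_says_pin_ok and amount > pin_required_above:
        return "DECLINE: no cardholder verification on high-value transaction"
    return "APPROVE"

def demo():
    """Constructed transactions (amounts in minor units)."""
    cvr, arqc = card_generate_arqc(ICC_MAC_KEY, 2500, 17, offline_pin_verified=True)
    honest = issuer_authorize(ICC_MAC_KEY, 2500, 17, cvr, arqc, bytes([0x01, 0x00, 0x02]))
    # Man-in-the-middle case from the text: terminal believes "0000" was verified,
    # the card was told no PIN was required, so its CVR says so.
    cvr, arqc = card_generate_arqc(ICC_MAC_KEY, 2500, 18, offline_pin_verified=False)
    mitm = issuer_authorize(ICC_MAC_KEY, 2500, 18, cvr, arqc, bytes([0x01, 0x00, 0x02]))
    return honest, mitm
```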

Originally bank customers had to prove that they had not been negligent with their PIN before getting redress, but UK regulations in force from 1 November 2009 placed the onus firmly on the banks to prove that a customer has been negligent in any dispute, with the customer given 13 months to make a claim. Murdoch said that "[the banks] should look back at previous transactions where the customer said their PIN had not been used and the bank record showed it has, and consider refunding these customers because it could be they are victim of this type of fraud."

2011: CVM downgrade allows arbitrary PIN harvest

At the CanSecWest conference in March 2011, Andrea Barisani and Daniele Bianco presented research uncovering a vulnerability in EMV that would allow arbitrary PIN harvesting despite the cardholder verification configuration of the card, even when the supported CVMs data is signed. The PIN harvesting can be performed with a chip skimmer. In essence, a CVM list that has been modified to downgrade the CVM to Offline PIN is still honored by POS terminals despite its signature being invalid.
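A terminal-side CVM List parser with the hardening this finding calls for, as an added example rather than the researchers' or any vendor's code: a rule asking for plaintext offline PIN is refused whenever offline data authentication (which signs the CVM List) did not verify, instead of being honored and the PIN sent to the card. The list layout and CVM codes are those of EMV tag 8E; the two sample lists, the return strings and the terminal capabilities are constructed.

```python
# EMV CVM List (tag 8E): amount X (4 bytes), amount Y (4 bytes), then 2-byte rules:
# byte 1 = bit 6 "apply next rule if this one fails", bits 0-5 = CVM code; byte 2 = condition
CVM_PLAINTEXT_PIN_ICC = 0x01
CVM_ENCIPHERED_PIN_ONLINE = 0x02
CVM_SIGNATURE = 0x1E
CVM_NO_CVM = 0x1F
COND_ALWAYS, COND_UNDER_X, COND_OVER_X, COND_UNDER_Y, COND_OVER_Y = 0x00, 0x06, 0x07, 0x08, 0x09
DECLINE = "DECLINE_UNVERIFIED_CVM_LIST"   # constructed outcome labels
FAIL = "CVM_FAILED"

def parse_cvm_list(data):
    if len(data) < 8 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM list")
    x = int.from_bytes(data[:4], "big")
    y = int.from_bytes(data[4:8], "big")
    rules = [(data[i] & 0x3F, bool(data[i] & 0x40), data[i + 1])
             for i in range(8, len(data), 2)]
    return x, y, rules

def condition_met(cond, amount, x, y):
    # Unrecognised condition codes are skipped, as the EMV rule processing requires
    return {COND_ALWAYS: True, COND_UNDER_X: amount < x, COND_OVER_X: amount >= x,
            COND_UNDER_Y: amount < y, COND_OVER_Y: amount >= y}.get(cond, False)

def select_cvm(cvm_list, amount, terminal_supports, oda_passed):
    """Terminal-side CVM selection. Hardening beyond the flow the page describes:
    never request a plaintext offline PIN unless the signed application data,
    which covers the CVM List, verified correctly (oda_passed)."""
    x, y, rules = parse_cvm_list(cvm_list)
    for code, try_next, cond in rules:
        if not condition_met(cond, amount, x, y):
            continue
        if code == CVM_PLAINTEXT_PIN_ICC and not oda_passed:
            return DECLINE
        if code in terminal_supports:
            return code
        if not try_next:
            return FAIL
    return FAIL

# Constructed lists. Genuine card: enciphered online PIN, else signature.
GENUINE_LIST = bytes.fromhex("0000000000000000" "4200" "1E00")
# Downgraded list as in the finding: plaintext offline PIN, always; its signature no longer matches.
DOWNGRADED_LIST = bytes.fromhex("0000000000000000" "0100")
TERMINAL_CVMS = {CVM_PLAINTEXT_PIN_ICC, CVM_ENCIPHERED_PIN_ONLINE, CVM_SIGNATURE, CVM_NO_CVM}
```

A terminal that follows only the standard flow would return `CVM_PLAINTEXT_PIN_ICC` for the downgraded list regardless of `oda_passed`, which is the behaviour the research exploited.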

Southernmost POS Systems & Consulting, LLC
a division of
The Whole Nine Yards, LLC