Search the Community
Showing results for tags 'EMV'.
You may know it by one of many names: EMV, Integrated Chip Cards, or more simply Chip & Pin or Smart Cards… but whatever you call it: it is a hot topic for debate on the subject of credit card fraud. Many folks in the US in particular are unfamiliar with this technology, and many more of us are only familiar with it as a source of frustration when traveling abroad. In this post we will explain the difference between these and traditional credit cards, and why it is being discussed so heatedly in the wake of the Target breach. Would you like thet with stripes or chips? The magnetic stripe technology that we are all so familiar with on the back of our credit cards has been around for over 40 years now. The first iterations were much like the tape used by audiocassettes, in that they contained data that was recorded in variations within a coating of iron oxide (also known as rust, for those of us not conversant in chemistry terms) on plastic strips. Those strips were affixed to cards, which could then be swiped by readers that were able to retrieve the data. Since the beginning, little has changed in the technology behind these cards, and there is very little built in to protect these cards against fraudulent usage. At about the same time magnetic stripe cards were first being introduced, the first patents for chip cards were being filed. But it was not until the early 1990s that these cards were widely used for credit and debit card purposes. The three companies that joined together to do this were Europay, MasterCard and Visa, which is what gives us the name EMV. Rather than storing data on a magnetic stripe, these cards have data on a chip that is affixed to the card. In many countries in the world, this is now the default credit card technology, and payment systems with magnetic stripe readers are becoming increasingly rare. Chip cards are so named because they have a small microprocessor affixed to them, which acts like a small computer. Data on the chip are accessed interactively, and the chip requires specific, expected responses from a card reader in order to reveal its information. This makes cloning of cards significantly more difficult and costly for criminals. The specifics of cards using chips can vary quite a bit. In many cases, the card is “Chip & PIN” which means that the payment process involves reading bank and identity information from the chip, and then the customers must enter their PINs to authenticate their identities. This means that customers are providing two factors of authentication – something the customer has (the card) and something the customer knows (the PIN). Physically, the purchase process would feel very familiar to debit card users in the US, except that the card is “dipped” into the reader rather than being “swiped”. (A very slight difference, except when you have an older card that resists being read as the strip has mostly been rubbed away!) In other cases, a sort of hybrid technology is used, which can be more similar to the traditional “Swipe & Sign” cards. Cards may have a magnetic stripe so that they can be “swiped” for purchases in countries like the US that have not yet migrated to the newer technology. And in some cases there may not be the requirement to use a PIN, and these cards are called “Chip & Signature” cards. How does this help prevent fraud? As readers of this blog may be painful aware, the longer any technology remains unchanged, the more opportunity criminals will have to break any security around that technology. This is precisely what we have seen with the “Swipe & Sign” cards in the US. Criminals have had four decades to understand and learn to steal this information, which leads to a significant amount of fraud. In the case of the recent Target breach, this meant using RAM-scraper malware that lay in wait on Point of Sale (POS) machines, for credit and debit card data to be in memory, so that it could gather and distribute that information to the malware’s controller. This RAM-scraping tactic meant that even if retailers encrypted the data on disk and as the information went across the Internet, it was not protected. This sort of scenario is an inevitable consequence of the use of encryption – when the data are in use, as in the case of viewing or verifying data, the information is temporarily unprotected. Using strong encryption significantly decreases the time during which data are at risk, but many attackers now use malware designed to wait for that very brief window to be opened. The use of EMV cards would not necessarily have protected against an attack using RAM-scraper malware, because not all financial transactions require the presence of a physical credit card. But not having a physical card severely limits its utility to criminals. It is possible to impersonate physical Chip & PIN cards so they can be used more widely, and while this is both difficult and imperfect, the tactic has already been used by criminals for years. While EMV technology has the potential to decrease card fraud, it is not a panacea. The majority of fraud cases in countries using Chip & Pin cards are “card not present” transactions, such as online purchases, where the chip cannot be used for verification. Businesses in Canada have found a way to combat this, which requires cardholders to log into their bank account rather than provide financial information directly to the merchant. Implementation Matters As we can see in the case of the Canadian restrictions, how businesses implement EMV makes a big difference in how well the technology is able to reduce fraud. This is one specific area of concern, when it comes to the way EMV is likely to be adopted in the US. Ideally: A chip is used alone, without also having a magnetic stripe The correct PIN must be entered within a very limited number of attempts A signature must never be accepted in lieu of a PIN Additional measures must be taken to secure card-not-present purchases In the US, what is being proposed is: A chip and magnetic stripe will both be present A signature may be used in lieu of entering a PIN Additional measures will not be mandated As you can see, this scenario is significantly less secure than is ideal. While this will improve card safety to some degree, it will be a fairly minimal improvement that leaves the US lagging behind most of the world. And businesses should be aware that failing to move towards the use of chip readers would mean they are on the hook for more of the liability for fraudulent purchases. In all things relating to security and privacy, the goal is to make accessing our data prohibitively expensive or difficult for our adversaries. And in this way, switching away from Swipe & Sign cards is a step in the right direction. But we should not expect this change to end credit card fraud. Hopefully moving towards Chip & PIN cards is simply a first step in moving towards greater security measures for credit card transactions – one that allows merchants to make the necessary changes at a less-painful pace. Author Lysa Myers, ESET Source
Chip-and-PIN payment cards are coming to the United States after a long head start as a standard card-present payment method in Europe and Asia. Already, retailer Target accelerated its plan to move its branded debit and credit cards to chip-and-PIN, also known as EMV (Europay, MasterCard and Visa), in short order following a devastating data breach during the Christmas shopping season. Other retailers are sure to follow, especially with an October 2015 deadline approaching imposed by Visa where it will institute a liability shift where the party causing a fraudulent transaction will be responsible for losses if chip-and-PIN is not part of the transaction. While chip-and-PIN may shore up some of the authentication anxiety surrounding payment card transactions, it’s not a cure-all for fraud, and it does come with its share of security baggage and vulnerabilities. The latest evidence came in a recently published paper by computer scientists at the University of Cambridge in the U.K. The report describes two critical problems, an implementation flaw and a serious issue in the protocol that the researchers say will be much more difficult to fix. The team Mike Bond, Omar Choudary, Steven J. Murdoch, Sergei Skorobogatov and Ross Anderson said that the chip in EMV cards that generates what is supposed to be an unpredictable number, or nonce, for each transaction to ensure its integrity does quite the opposite because of an implementation flaw. “Some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply this nonce,” the paper said. “This exposes them to a ‘pre-play’ attack which is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be carried out even if it is impossible to clone a card physically.” EMV chips are in place largely to ward off card cloning, which is facilitated much easier by cards with just a magnetic strip storing data. The researchers explain in the paper how attacks can be carried out against ATMs and other payment terminals. “We found flaws in widely-used ATMs from the largest manufacturers,” the paper said. “We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit.” As with other random number generators, the predictability of the number is a serious issue for a determined thief. “This might create the opportunity for an attack in which a criminal with temporary access to a card (say, in a Mafia-owned shop) can compute the authentication codes needed to draw cash from that ATM at some time in the future for which the value of the [unpredictable number] can be predicted,” the paper said. The protocol vulnerability, meanwhile, arose out of studying the problem with random nonce generation wherein an attacker can swap out the random number generated by an ATM or payment terminal with one from a cloned card. “This variant of the pre-play attack may be carried out by malware in an ATM or POS terminal, or by a man-in-the-middle between the terminal and the acquirer,” the paper said. An attacker would have to be in a man-in-the-middle position between the card and payment terminal or between the terminal and the acquiring bank. Malware infecting the terminal can attack the EMV protocol as well, the paper said. “The banks appear to have ignored this, perhaps reasoning that it is difficult to scale up an attack that involves access to specific physical cards and also the installation of malware or wiretaps on specific terminals,” the paper said. “We disagree. The Target compromise shows that criminals can deploy malware on merchant terminals widely and exploit it to earn serious money.” Source