
Chip and PIN is Broken

EMV security

  • Allows PIN-based authentication, even for offline transactions
  • Makes card cloning harder

What went wrong?

transaction authorization: the card computes a MAC over the amount, currency, date, nonce, TVR (terminal verification results), etc. The TVR records, among other things:

  • did PIN verification fail?
  • was PIN required and not entered?
  • ...

"When a card company receives a claim about a fraudulent transaction from a customer, they will always rely on primary evidence to review the facts of the case and would never use a paper receipt (which in fact they could only see if the customer provided the copy) for evidence as suggested."

"Neither the banking industry nor the police have any evidence of criminals having the capability to deploy such sophisticated attacks. Our research suggests that criminal interest in chip-based attacks is minimal at this time as they are unable to find ways to make sufficient amounts of money from any of the plausible attack scenarios."

"The industry is confident that the forensic signature of such an attack is easily detectable within the data available at the time of the transaction."

In addition to the TVR, the card produces a CVR (card verification results) and the terminal may optionally produce a CVMR (cardholder verification method result)

In our attack, the CVR will not match the CVMR

We hear that the industry are working on a defence based on comparing the CVR and CVMR, but it is not quite that simple:

  • Sometimes the CVMR is not produced by the terminal (it is optional)
  • Sometimes it is produced but wrong (it has not been considered useful, until now)
  • Sometimes it is produced but dropped or corrupted on the way back

How is ATM fraud happening?

The EMV protocol and its flaws

A simplified EMV transaction

How the attack works

If the PIN is not required by the terminal, the TVR is all zeros.

If the PIN is entered correctly, the TVR is still all zeros.

A man-in-the-middle tells the card that the PIN was not required, and tells the terminal that the PIN was correct.

Now the criminal can use a stolen card, give the wrong PIN to the terminal, and still have the transaction succeed.

Genuine transaction (customer enters PIN):

card authentication
  Card to Terminal: card details, digital signature

cardholder verification
  Terminal to Card: PIN as entered by customer
  Card to Terminal: PIN correct (yes/no)

transaction authorization
  Terminal to Card: description of transaction (amount, currency, date, nonce, TVR, etc)
  Card to Terminal: MAC over transaction and other details

online transaction authorization
  MAC and transaction sent to bank for verification
  Bank to Terminal: transaction authorized (yes/no)

Attack (criminal enters 0000, with a man-in-the-middle between terminal and card):

card authentication
  Messages relayed without modification

cardholder verification
  Terminal to MitM: 0000 (entered by criminal)
  MitM to Terminal: PIN correct (yes!)

  TVR bits, as each side sees them:
    did PIN verification fail?          Card: No (not attempted)   Terminal: No (verification succeeded)
    was PIN required and not entered?   Card: No (not required)    Terminal: No (was entered)

transaction authorization
  Messages relayed without modification
  Terminal to Card: description of transaction (amount, currency, date, nonce, TVR, etc)
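The exchange above, and the CVR/CVMR comparison proposed as a defence earlier on this page, as an added example that is not the authors' code and not a real EMV stack. The Card, MitM, Terminal and bank/forensic functions, the message formats, the textual CVR/CVMR values, the PIN and the MAC key are all constructed here for illustration; the TVR byte 3 bit 0x08 (PIN required, pad present, PIN not entered) and the all-zeros TVR outcome follow the slides, and the 0x80 bit (cardholder verification not successful) is taken from the EMV TVR definition.

```python
"""Toy model of the simplified EMV transaction with an optional man-in-the-middle.
Constructed example: not the authors' code, not a real EMV implementation."""
import hashlib
import hmac
import json

TVR3_PIN_NOT_ENTERED = 0x08    # PIN entry required, PIN pad present, PIN not entered
TVR3_CV_NOT_SUCCESSFUL = 0x80  # cardholder verification was not successful (EMV TVR byte 3)
KEY = b"issuer-mac-key-for-demo"  # constructed; shared by card and issuing bank


def _mac(key, payload):
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class Card:
    """Chip card: checks the PIN offline and MACs the transaction plus its CVR."""

    def __init__(self, pin, key):
        self._pin, self._key = pin, key
        self.pin_attempted, self.pin_ok = False, False

    def verify(self, pin):
        # VERIFY: the card decides; the reply is "PIN correct (yes/no)"
        self.pin_attempted = True
        self.pin_ok = hmac.compare_digest(pin, self._pin)
        return self.pin_ok

    def cvr(self):
        # constructed CVR: the card's own record of what cardholder verification it did
        if not self.pin_attempted:
            return "pin-not-attempted"
        return "pin-verified" if self.pin_ok else "pin-failed"

    def generate_ac(self, transaction):
        # GENERATE AC: the MAC covers the terminal's transaction data (incl. TVR) and the CVR
        payload = dict(transaction, cvr=self.cvr())
        return payload, _mac(self._key, payload)


class MitM:
    """Interposer: answers VERIFY itself so the card never sees a PIN; relays the rest."""

    def __init__(self, card):
        self._card = card

    def verify(self, pin):
        return True  # tells the terminal "PIN correct", whatever the criminal typed

    def generate_ac(self, transaction):
        return self._card.generate_ac(transaction)  # relayed without modification


class Terminal:
    """Terminal; produce_cvmr=False models one that omits the optional CVMR."""

    def __init__(self, produce_cvmr=True):
        self.produce_cvmr = produce_cvmr

    def run(self, card_iface, amount, pin_entered):
        tvr3, cvmr = 0, None
        if pin_entered is None:
            tvr3 |= TVR3_PIN_NOT_ENTERED
        else:
            ok = card_iface.verify(pin_entered)
            if not ok:
                tvr3 |= TVR3_CV_NOT_SUCCESSFUL
            if self.produce_cvmr:
                cvmr = "pin-verified" if ok else "pin-failed"
        transaction = {"amount": amount, "currency": "GBP", "nonce": 0x2A, "tvr3": tvr3}
        payload, mac = card_iface.generate_ac(transaction)
        return {"transaction": payload, "mac": mac, "cvmr": cvmr}


def bank_authorize(record, key):
    """Issuer: genuine MAC and no PIN problem flagged in the TVR -> authorized.
    This is exactly what the attack satisfies: the card's MAC is real and tvr3 == 0."""
    if not hmac.compare_digest(_mac(key, record["transaction"]), record["mac"]):
        return False
    return record["transaction"]["tvr3"] & (TVR3_PIN_NOT_ENTERED | TVR3_CV_NOT_SUCCESSFUL) == 0


def forensic_check(record):
    """Proposed defence: compare the card's CVR with the terminal's CVMR.
    'mismatch' is the attack signature; a missing or corrupted CVMR is 'inconclusive'."""
    cvmr = record["cvmr"]
    if cvmr not in ("pin-verified", "pin-failed"):
        return "inconclusive"
    if record["transaction"]["cvr"] == "pin-not-attempted" and cvmr == "pin-verified":
        return "mismatch"
    return "consistent"


def run_scenario(attack, pin_entered, produce_cvmr=True):
    """Returns (tvr3, bank decision, forensic verdict) for one constructed transaction."""
    card = Card("1234", KEY)
    iface = MitM(card) if attack else card
    record = Terminal(produce_cvmr).run(iface, 50, pin_entered)
    return record["transaction"]["tvr3"], bank_authorize(record, KEY), forensic_check(record)


if __name__ == "__main__":
    print(run_scenario(False, "1234"))        # customer, right PIN: (0, True, 'consistent')
    print(run_scenario(False, "0000"))        # wrong PIN, no MitM:  (128, False, 'consistent')
    print(run_scenario(True, "0000"))         # attack:              (0, True, 'mismatch')
    print(run_scenario(True, "0000", False))  # attack, no CVMR:     (0, True, 'inconclusive')
```

The bank's check passes in the attack case because nothing it verifies is wrong: the MAC is genuine and the TVR has no PIN bit set. Only the card's CVR (inside the MACed data) records that no PIN was ever attempted, and it can only be compared against the CVMR when the terminal actually produced one and it survived the trip back.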

Steven J. Murdoch, Saar Drimer, Ross Anderson, Mike Bond

Effect on fraud

Data from APACS (2009):

  Lost and stolen        down 53%   to £54.1m
  Mail non-receipt       down 86%   to £10.2m
  Counterfeit            up 31%     to £169m
  Card-not-present       up 118%    to £328.4m   (EMV does not affect)
  Online banking         up 330%    to £52.5m    (EMV does not affect)
  Checks                 down 9%    to £41.9m    (EMV does not affect)
  False applications     up 28%     to £47.4m

  Total fraud in the UK: dip in 2005—2006, but up 25% to £704.3m

Responses

They were wrong

EMV (Europay, MasterCard, Visa)

  • Smart card based payments
  • Credit and debit
  • Point-of-sale and ATM
  • Used on 750m cards, billions of pounds, euros, dollars
  • EMV is deployed or in planning in most countries, except the US, but vendors are working hard to change this

TVR byte 3, 0x08 = PIN entry required, PIN pad present, but PIN was not entered

BBC Newsnight, February 2010

Many customers claim that their card has been stolen and used

Banks claim EMV is infallible, so victims do not get their money back

44% according to latest figures
