Chip and PIN is Broken
The EMV protocol and its flaws

Steven J. Murdoch, Saar Drimer, Ross Anderson, Mike Bond

EMV (EuroPay MasterCard Visa)

- Smart card based payments
- Credit and debit
- Point-of-sale and ATM
- Makes card cloning harder
- Allows PIN-based authentication, even for offline transactions
- Used on 750m cards, billions of pounds, euros, dollars

EMV is deployed or in planning in most countries except the US, but vendors are working hard to change this.

Effect on fraud

- Lost and stolen: down 53% to £54.1m
- Mail non receipt: down 86% to £10.2m
- Counterfeit: up 31% to £169m

Security does not affect:

- Card not present: up 118% to £328.4m
- False applications: up 28% to £47.4m
- Online banking: up 330% to £52.5m
- Checks: down 9% to £41.9m

Total fraud in the UK: dip in 2005–2006, but up 25% to £704.3m

A simplified EMV transaction

Card authentication
- Card to Terminal: card details, digital signature

Cardholder verification
- Customer enters PIN
- Terminal to Card: PIN as entered by customer
- Card to Terminal: PIN correct (yes/no)

Transaction authorization
- Terminal to Card: description of transaction (amount, currency, date, nonce, TVR, etc)
- Card to Terminal: MAC over transaction and other details

Online transaction authorization
- MAC and transaction sent to bank for verification
- Bank to Terminal: transaction authorized (yes/no)

The TVR answers two questions: did PIN verification fail? was PIN required and not entered?

What went wrong?

- If the PIN is not required by the terminal, the TVR is all zeros
- If the PIN is entered correctly, the TVR is still all zeros
- A man-in-the-middle can tell the card that the PIN was not required and the terminal that the PIN was correct
- Now the criminal can use a stolen card, give the wrong PIN to the terminal and still have the transaction succeed

How the attack works

Card authentication (messages relayed without modification)
- Card to Terminal: card details, digital signature

Cardholder verification
- Criminal enters 0000
- Terminal to MitM: PIN as entered by criminal (0000)
- MitM to Terminal: PIN correct (yes!)

Transaction authorization (messages relayed without modification)
- Terminal to Card: description of transaction (amount, currency, date, nonce, TVR, etc)
- Card to Terminal: MAC over transaction and other details

Online transaction authorization
- MAC and transaction sent to bank for verification
- Bank to Terminal: transaction authorized (yes/no)

How each side answers the TVR questions:

- Did PIN verification fail? Card: No (not attempted). Terminal: No (verification succeeded).
- Was PIN required and not entered? Card: No (not required). Terminal: No (was entered).

Many customers claim that their card has been stolen and used
Banks claim EMV is infallible, so victims do not get their money back
They were wrong

BBC Newsnight, February 2010

Responses

"When a card company receives a claim about a fraudulent transaction from a customer, they will always rely on primary evidence to review the facts of the case and would never use a paper receipt (which in fact they could only see if the customer provided the copy) for evidence as suggested." WRONG

"The industry is confident that the forensic signature of such an attack is easily detectable within the data available at the time of the transaction." WRONG

"Neither the banking industry nor the police have any evidence of criminals having the capability to deploy such sophisticated attacks. Our research suggests that criminal interest in chip-based attacks is minimal at this time as they are unable to find ways to make sufficient amounts of money from any of the plausible attack scenarios." WRONG

Detecting the attack

0x08 = PIN entry required, PIN pad present, but PIN was not entered

In addition to the TVR, the card produces a CVR (card verification results) and the terminal may optionally produce a CVMR (cardholder verification method result). In our attack, the CVR will not match the CVMR.

We hear that the industry are working on a defence based on comparing the CVR and CVMR, but it is not quite that simple:

- Sometimes the CVMR is not produced by the terminal (it is optional)
- Sometimes it is produced but wrong (it has not been considered useful, until now)
- Sometimes it is produced but dropped or corrupted on the way back

How is ATM fraud happening

44% according to latest figures

Data from APACS (2009)
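The CVR/CVMR comparison and its caveats, sketched as an issuer-side check. This is an added example, not code from the slides or from any bank: the function names and sample records are constructed, the CVMR is decoded using the EMV CVM Results layout (tag 9F34), and because the CVR layout is scheme-specific, the card's view is assumed to arrive already decoded as `card_verified_offline_pin`.

```python
from enum import Enum

class Verdict(Enum):
    CONSISTENT = "consistent"
    MISMATCH = "mismatch"          # terminal reports offline PIN success the card never saw
    INCONCLUSIVE = "inconclusive"  # CVMR absent or unusable, nothing to compare

# EMV CVM Results (tag 9F34): byte 1 = CVM performed, byte 2 = condition, byte 3 = result
OFFLINE_PIN_CVMS = {0x01, 0x03, 0x04, 0x05}  # PIN verified by the card, with or without signature
RESULT_SUCCESSFUL = 0x02                     # 0x00 unknown, 0x01 failed, 0x02 successful

def terminal_claims_offline_pin_ok(cvmr):
    """True/False for a well-formed CVMR; None when it is missing or corrupted."""
    if cvmr is None or len(cvmr) != 3:
        return None                       # optional field not sent, or truncated in transit
    if cvmr[0] & 0x80 or cvmr[2] > RESULT_SUCCESSFUL:
        return None                       # reserved bit set or undefined result code
    method = cvmr[0] & 0x3F               # bit 0x40 only says what to do on failure
    return method in OFFLINE_PIN_CVMS and cvmr[2] == RESULT_SUCCESSFUL

def check_cardholder_verification(card_verified_offline_pin, cvmr):
    """card_verified_offline_pin: assumed already decoded from the scheme-specific CVR."""
    claim = terminal_claims_offline_pin_ok(cvmr)
    if claim is None:
        return Verdict.INCONCLUSIVE
    if claim and not card_verified_offline_pin:
        return Verdict.MISMATCH
    return Verdict.CONSISTENT

# Constructed sample records: (label, card's view from CVR, CVMR bytes as received)
SAMPLES = [
    ("genuine PIN transaction", True, bytes.fromhex("410302")),
    ("card saw no PIN, terminal reports success", False, bytes.fromhex("410302")),
    ("signature transaction", False, bytes.fromhex("1e0302")),
    ("CVMR not produced", False, None),
    ("CVMR truncated", False, bytes.fromhex("4103")),
]

if __name__ == "__main__":
    for label, card_view, cvmr in SAMPLES:
        print(f"{label}: {check_cardholder_verification(card_view, cvmr).value}")
```

A CVMR that is produced but wrong still parses as well-formed, so this comparison cannot tell it apart from a correct one; the inconclusive verdict covers only the missing and corrupted cases.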