
EMV

What went wrong?

transaction authorization

amount, currency, date, nonce, TVR, etc

  • did PIN verification fail?
  • was PIN required and not entered?
  • ...

"When a card company receives a claim about a fraudulent transaction from a customer, they will always rely on primary evidence to review the facts of the case and would never use a paper receipt (which in fact they could only see if the customer provided the copy) for evidence as suggested."

"The industry is confident that the forensic signature of such an attack is easily detectable within the data available at the time of the transaction."

"Neither the banking industry nor the police have any evidence of criminals having the capability to deploy such sophisticated attacks. Our research suggests that criminal interest in chip-based attacks is minimal at this time as they are unable to find ways to make sufficient amounts of money from any of the plausible attack scenarios."

December 2010

www.lightbluetouchpaper.org

The EMV protocol and its flaws

A simplified EMV transaction

How the attack works

If the PIN is not required by the terminal, the TVR is all zeros.

If the PIN is entered correctly, the TVR is still all zeros.

A man-in-the-middle tells the card that the PIN was not required, and tells the terminal that the PIN was correct.

Now the criminal can use a stolen card, give the wrong PIN to the terminal, and still have the transaction succeed.

customer enters PIN (normal transaction)

  • card authentication
    Card to Terminal: card details, digital signature
  • cardholder verification
    Terminal to Card: PIN as entered by customer
    Card to Terminal: PIN correct (yes/no)
  • transaction authorization
    Terminal to Card: description of transaction (amount, currency, date, nonce, TVR, etc)
    Card to Terminal: MAC over transaction and other details
    MAC and transaction sent to bank for verification
  • online transaction authorization
    Bank to Terminal: transaction authorized (yes/no)

criminal enters 0000 (the attack)

  • card authentication
    Messages relayed without modification
  • cardholder verification
    Terminal to MitM: 0000 (entered by criminal)
    MitM to Terminal: PIN correct ("yes!")
    MitM to Card: no PIN verification (the card is told the PIN was not required)
  • transaction authorization
    Messages relayed without modification
    Terminal to Card: description of transaction (amount, currency, date, nonce, TVR, etc)
    Did PIN verification fail?  Card: No (not attempted).  Terminal: No (verification succeeded)
    Was PIN required and not entered?  Card: No (not required).  Terminal: No (was entered)
  • online transaction authorization
    Bank to Terminal: transaction authorized (yes/no)
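The exchange above, as an added toy model (not code from the talk or from the Cambridge group): a terminal, a card, and a man-in-the-middle that answers VERIFY with "PIN correct" while the card never sees a PIN. It shows why the terminal's TVR stays all zeros in the attack, how the card's own view ("PIN not attempted") ends up inside the data the bank receives, and the cross-check an issuer could run on that data. Everything here is simplified and constructed: the message layouts are illustrative, an HMAC stands in for the card's application cryptogram, the two-byte "CVR" is a stand-in for the issuer-proprietary card verification results, and the issuer policy is a hypothetical one written for the example. The ISO 7816 status words and the TVR byte-3 bit meanings are the real values.

```python
"""Toy model of EMV cardholder verification and the No-PIN man-in-the-middle.

Constructed example: offline plaintext PIN only, no card authentication step,
HMAC in place of the card's ARQC, illustrative field layouts.
"""
import hashlib
import hmac

# Status words returned by VERIFY (real ISO 7816 values)
SW_OK = b"\x90\x00"         # PIN accepted
SW_WRONG_PIN = b"\x63\xc2"  # PIN rejected, 2 tries left (0x63Cx family)

# Bits of TVR byte 3 (real EMV meanings)
TVR_CVM_FAILED = 0x80       # cardholder verification was not successful
TVR_PIN_NOT_ENTERED = 0x08  # PIN entry required, PIN pad present, but PIN was not entered

CVM_SUCCESSFUL = 2          # third byte of CVM Results (tag 9F34): 1 = failed, 2 = successful


def decode_tvr3(tvr3):
    """Names of the TVR byte-3 bits that are set."""
    names = {TVR_CVM_FAILED: "CVM failed", TVR_PIN_NOT_ENTERED: "PIN required but not entered"}
    return [name for bit, name in names.items() if tvr3 & bit]


class Card:
    def __init__(self, pin, mac_key):
        self.pin, self.mac_key = pin, mac_key
        self.pin_attempted = False  # the card's own record of cardholder verification
        self.pin_ok = False

    def verify(self, pin):
        self.pin_attempted = True
        self.pin_ok = pin == self.pin
        return SW_OK if self.pin_ok else SW_WRONG_PIN

    def generate_ac(self, tx):
        # Stand-in for the card verification results; bound into the MAC with the terminal's data.
        cvr = bytes([self.pin_attempted, self.pin_ok])
        mac = hmac.new(self.mac_key, tx + cvr, hashlib.sha256).digest()[:8]
        return cvr, mac


class NoPinMitM:
    """Between terminal and card: answers VERIFY itself, relays everything else unmodified."""
    def __init__(self, card):
        self.card = card

    def verify(self, pin):
        return SW_OK  # the card never sees a VERIFY command

    def generate_ac(self, tx):
        return self.card.generate_ac(tx)


def terminal_transaction(card_if, entered_pin, amount_cents, nonce):
    """Terminal side: cardholder verification, then request the cryptogram over the transaction."""
    tvr3 = 0
    sw = card_if.verify(entered_pin) if entered_pin is not None else None
    if sw is None:
        tvr3 |= TVR_PIN_NOT_ENTERED
    elif sw != SW_OK:
        tvr3 |= TVR_CVM_FAILED
    cvm_result = CVM_SUCCESSFUL if sw == SW_OK else 1  # what the terminal reports to the issuer
    # amount, currency (826 = GBP), nonce, TVR: illustrative layout, not the real EMV encoding
    tx = amount_cents.to_bytes(6, "big") + b"\x08\x26" + nonce + bytes([0, 0, tvr3, 0, 0])
    cvr, mac = card_if.generate_ac(tx)
    return {"tx": tx, "tvr3": tvr3, "cvm_result": cvm_result, "cvr": cvr, "mac": mac}


def issuer_decision(record, mac_key):
    """Issuer side (hypothetical policy): check the MAC, then compare both views of the PIN."""
    expected = hmac.new(mac_key, record["tx"] + record["cvr"], hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, record["mac"]):
        return "decline", "bad MAC"
    if record["tvr3"] & (TVR_CVM_FAILED | TVR_PIN_NOT_ENTERED):
        return "decline", "terminal reports CVM problem: " + ", ".join(decode_tvr3(record["tvr3"]))
    card_attempted = bool(record["cvr"][0])
    if record["cvm_result"] == CVM_SUCCESSFUL and not card_attempted:
        return "decline", "terminal says PIN verified but card says no PIN was attempted"
    return "approve", "consistent"


def run_scenarios():
    key = b"issuer-card-key-constructed"   # constructed shared key
    nonce = b"\x12\x34\x56\x78"            # constructed terminal nonce
    results = {}
    # 1. the customer enters the right PIN
    results["customer"] = issuer_decision(terminal_transaction(Card("4921", key), "4921", 2500, nonce), key)
    # 2. a criminal with the stolen card guesses 0000, no man-in-the-middle
    results["wrong_pin"] = issuer_decision(terminal_transaction(Card("4921", key), "0000", 2500, nonce), key)
    # 3. the criminal enters 0000 through the No-PIN man-in-the-middle
    rec = terminal_transaction(NoPinMitM(Card("4921", key)), "0000", 2500, nonce)
    results["attack_tvr3"] = rec["tvr3"]
    results["attack"] = issuer_decision(rec, key)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, value)
```

In scenario 3 the terminal's TVR byte 3 is 0x00 and its CVM Results say "successful", exactly as in a genuine PIN transaction, so nothing the terminal alone sends distinguishes the attack. The only signature is the disagreement between the terminal's claim and the card's record, which is why the check in `issuer_decision` compares the two rather than trusting either.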

Chip and PIN: 5 Years On

Steven Murdoch

work with Saar Drimer, Mike Bond, Omar Choudary, Ross Anderson

Card-not-present

Example of revised terms and conditions for online purchases (Royal Bank of Scotland)

Counterfeit

Letter denying refund for disputed transactions (American Express)

Online banking

up 14% in 2009

WRONG

Source: APACS 2010

WRONG

Responses

UK Cards Association, February 2010

EuroPay, MasterCard, Visa

EMV is deployed or in planning in most countries, except the US, but vendors are working hard to change this

They were wrong

Credit and Debit

Point-of-sale and ATM

Smart card based payments

"Second, you seem to think that we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values."

"It is the publication of this level of detail which we believe breaches the boundary of responsible disclosure. Essentially, it places in the public domain a blueprint for building a device which purports to exploit a loophole in the security of chip and PIN.

...

Consequently, we would ask that this research be removed from public access immediately and would hope that you are able to give us comfort about your policy towards future disclosures."

WRONG

TVR byte 3, bit 0x08 = PIN entry required, PIN pad present, but PIN was not entered

Used on 750m cards, billions of pounds, euros, dollars

Ross Anderson

University of Cambridge

Many customers claim that their card has been stolen and used

UK Cards Association

BBC Newsnight, February 2010

Banks claim EMV is infallible, so victims do not get their money back

Downloads of Omar's thesis (per hour)

44% according to latest figures
