Man-in-the-Middle attacks on EMV: What Happens When You Forget About the User

Presentation at Design and Security of Cryptographic Algorithms and Devices, 29 May - 03 June 2011, Albena, Bulgaria: https://www.cosic.esat.kuleuven.be/ecrypt/courses/albena11/index.shtml
by Steven Murdoch (11 September 2013)

Transcript of Man-in-the-Middle attacks on EMV: What Happens When You Forget About the User

EMV (Europay, MasterCard, Visa)
Smart card based payments
Credit and debit
Point-of-sale and ATM
EMV is deployed or in planning in most countries except the US, but vendors are working hard to change this
Used on 750m cards, billions of pounds, euros, dollars
Banks claim EMV is infallible, so victims do not get their money back
Many customers claim that their card has been stolen and used
They (the banks) were wrong

A simplified EMV transaction (online transaction authorization)

Card authentication
1. Card to Terminal: card details, digital signature

Cardholder verification
2. Customer enters PIN
3. Terminal to Card: PIN as entered by customer
4. Card to Terminal: PIN correct (yes/no)

Transaction authorization
5. Terminal to Card: description of transaction (amount, currency, date, nonce, TVR, etc.)
6. Card to Terminal: MAC over transaction and other details
7. MAC and transaction sent to bank for verification
8. Bank to Terminal: transaction authorized (yes/no)

The TVR (Terminal Verification Results) is the terminal's record of what went wrong during the transaction, including:
did PIN verification fail?
was PIN required and not entered?
...

What went wrong?
If the PIN is not required by the terminal, the TVR is all zeros.
If the PIN is entered correctly, the TVR is still all zeros.
So a man-in-the-middle tells the card that the PIN was not required, and tells the terminal that the PIN was correct.
Now the criminal can use a stolen card, give the wrong PIN to the terminal, and still have the transaction succeed.

The No-PIN attack (shown on BBC Newsnight, February 2010)

How the attack works

Card authentication: messages relayed without modification
1. Card to Terminal: card details, digital signature

Cardholder verification: intercepted by the MitM
2. Criminal enters 0000
3. Terminal to MitM: PIN entered by criminal (0000)
4. MitM to Terminal: PIN correct (yes!)
The card never receives a PIN, so it concludes that no PIN was required.

Transaction authorization: messages relayed without modification
5. Terminal to Card: description of transaction (amount, currency, date, nonce, TVR, etc.)
6. Card to Terminal: MAC over transaction and other details
7. MAC and transaction sent to bank for verification
8. Bank to Terminal: transaction authorized (yes/no)

Why the MAC does not catch it: both TVR questions get the answer "no" from both sides, for different reasons.
did PIN verification fail? Card: No (not attempted). Terminal: No (verification succeeded).
was PIN required and not entered? Card: No (not required). Terminal: No (was entered).
So the TVR the card MACs is all zeros, exactly as in a genuine PIN transaction, and the bank sees nothing wrong.
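The exchange above, with the No-PIN man-in-the-middle against it, as an added Python model that is not part of the talk or of the Cambridge group's code. It assumes HMAC-SHA256 in place of the card's MAC (a real card derives a session key and returns an ARQC), a one-byte flag in place of the card's own record of cardholder verification (carried in the Issuer Application Data on real cards), a string in place of the terminal's CVM Results, and a constructed key, PIN and amount. It runs the honest case, the honest wrong-PIN case and the attack, and also shows the comparison the two "No" answers point at: the terminal records PIN verification as successful while the card records that no PIN was attempted, yet the TVR the card MACs is all zeros either way.

```python
"""Toy model of the simplified EMV transaction above and of the No-PIN MitM.
Added illustration, not code from the talk.  Stand-ins (assumptions):
HMAC-SHA256 for the card's MAC, a one-byte flag for the card's own verification
record, a string for the terminal's CVM Results, a constructed key, PIN, amount."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# TVR byte 3 bits (EMV Book 3, Annex C5); the slide cites the 0x08 bit.
TVR_CVM_FAILED = 0x80       # cardholder verification was not successful
TVR_PIN_NOT_ENTERED = 0x08  # PIN entry required, PIN pad present, PIN not entered
SW_OK = b"\x90\x00"         # VERIFY status word: PIN correct
SW_PIN_WRONG = b"\x63\xc2"  # VERIFY status word: PIN wrong, two tries left


def mac(key: bytes, tx: bytes, card_view: bytes) -> bytes:
    """Card MAC over transaction data plus the card's own verification record."""
    return hmac.new(key, tx + card_view, hashlib.sha256).digest()[:8]


class Card:
    """Issued chip card: knows the PIN and shares a MAC key with the bank."""

    def __init__(self, pin: str, key: bytes) -> None:
        self.pin, self.key = pin, key
        self.pin_verified = False  # stays False if VERIFY never arrives

    def verify(self, pin: str) -> bytes:
        self.pin_verified = pin == self.pin
        return SW_OK if self.pin_verified else SW_PIN_WRONG

    def generate_ac(self, tx: bytes) -> Tuple[bytes, bytes]:
        view = b"\x01" if self.pin_verified else b"\x00"  # card's own view
        return view, mac(self.key, tx, view)   # tx already contains the TVR


class NoPinMitm:
    """Answers VERIFY with 9000 itself and never forwards it, so the card
    concludes no PIN was required; everything else is relayed unchanged."""

    def __init__(self, card: Card) -> None:
        self.card = card

    def verify(self, pin: str) -> bytes:
        return SW_OK  # the lie; the card never sees the PIN

    def generate_ac(self, tx: bytes) -> Tuple[bytes, bytes]:
        return self.card.generate_ac(tx)


class Terminal:
    """PIN-requiring terminal; it cannot tell the card from the MitM."""

    def __init__(self, amount: int, channel) -> None:
        self.amount, self.channel = amount, channel
        self.tvr = bytearray(5)  # all zeros until something goes wrong
        self.cvmr = "not performed"  # CVM Results stand-in

    def transaction(self, entered_pin: Optional[str]) -> dict:
        if entered_pin is None:
            self.tvr[2] |= TVR_PIN_NOT_ENTERED
        elif self.channel.verify(entered_pin) == SW_OK:
            self.cvmr = "successful"
        else:
            self.cvmr = "failed"
            self.tvr[2] |= TVR_CVM_FAILED
        # Transaction description: amount, currency (826 = GBP), nonce, TVR.
        tx = (self.amount.to_bytes(6, "big") + b"\x08\x26"
              + os.urandom(4) + bytes(self.tvr))
        card_view, tag = self.channel.generate_ac(tx)
        return {"tx": tx, "tvr": bytes(self.tvr), "cvmr": self.cvmr,
                "card_view": card_view, "mac": tag}


def bank_authorise(key: bytes, r: dict) -> bool:
    """The check on the slide: MAC verifies and nothing is flagged in the TVR."""
    return (hmac.compare_digest(mac(key, r["tx"], r["card_view"]), r["mac"])
            and r["tvr"] == bytes(5))


def cvm_mismatch(r: dict) -> bool:
    """Terminal says PIN verified, card says never attempted: the attack's footprint."""
    return r["cvmr"] == "successful" and r["card_view"] == b"\x00"


def run(entered_pin: Optional[str], attack: bool) -> dict:
    """One purchase of GBP 5.00 on a card whose real PIN is 4271 (constructed)."""
    key = b"constructed-issuer-card-key"
    card = Card("4271", key)
    r = Terminal(500, NoPinMitm(card) if attack else card).transaction(entered_pin)
    r["authorised"], r["cvm_mismatch"] = bank_authorise(key, r), cvm_mismatch(r)
    return r


if __name__ == "__main__":
    for pin, attack in [("4271", False), ("0000", False), ("0000", True)]:
        r = run(pin, attack)
        print(pin, attack, r["tvr"].hex(), r["cvmr"], r["authorised"], r["cvm_mismatch"])
```

The honest wrong-PIN case sets the 0x80 bit in TVR byte 3 and is declined; the attack case has an all-zero TVR and a valid MAC, so the toy bank authorises it although the criminal typed 0000. Only `cvm_mismatch` separates the two, and it needs both the terminal's CVM Results and the card's own record to reach the issuer in the authorisation message; the slides mark the industry's claim that this footprint was "easily detectable" as wrong.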
UK fraud figures (slide; source: APACS 2010)
Card-not-present
Counterfeit
44% according to latest figures
Online banking fraud up 14% in 2009

Letter denying refund for disputed transactions (American Express)
Example of revised terms and conditions for online purchases (Royal Bank of Scotland)

Title slide: Man-in-the-Middle Attacks on EMV: What Happens When You Forget About the User
Steven Murdoch, work with Saar Drimer, Mike Bond, Omar Choudary, Ross Anderson
www.lightbluetouchpaper.org
The Relay Attack

Evidence
No display: the card has no display of its own, so the customer sees only what the terminal shows. A tampered terminal can ask "Pay £5?" while the transaction the card actually authorises, relayed to a genuine terminal elsewhere, is "Pay £5,000?".

Responses

"When a card company receives a claim about a fraudulent transaction from a customer, they will always rely on primary evidence to review the facts of the case and would never use a paper receipt (which in fact they could only see if the customer provided the copy) for evidence as suggested."
WRONG

"The industry is confident that the forensic signature of such an attack is easily detectable within the data available at the time of the transaction."
WRONG
TVR bit 0x08 (byte 3) = PIN entry required, PIN pad present, but PIN was not entered. Under the attack this bit is not set, because the terminal believes the PIN was entered.

"Neither the banking industry nor the police have any evidence of criminals having the capability to deploy such sophisticated attacks. Our research suggests that criminal interest in chip-based attacks is minimal at this time as they are unable to find ways to make sufficient amounts of money from any of the plausible attack scenarios."
WRONG
UK Cards Association, February 2010

UK Cards Association, December 2010:
"It is the publication of this level of detail which we believe breaches the boundary of responsible disclosure. Essentially, it places in the public domain a blueprint for building a device which purports to exploit a loophole in the security of chip and PIN.
...
Consequently, we would ask that this research be removed from public access immediately and would hope that you are able to give us comfort about your policy towards future disclosures."

Ross Anderson, University of Cambridge, in reply:
"Second, you seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values."

Chart: downloads of Omar's thesis (per hour)

Recognize conflict in discovery process
Shopkeeper relies on untrustworthy receipt
Customer relies on untrustworthy display