Payment cards with chips aren't perfect, so encrypt everything, experts say

The EMV or 'chip-and-PIN' system is not without security flaws, researchers warned

There's a push to adopt chip-equipped payment cards in the US following high-profile breaches at large retailers and restaurant chains during the past 12 months, but experts warn that switching to this payment system will not make fraud disappear.

The EMV (Europay, MasterCard and Visa) standard is widely deployed around the world, and for the past 10 years or so it has been the de facto payment card system in Europe, where it's also known as chip-and-PIN. The cards authenticate with ATMs and payment terminals using the combination of a customer PIN and information stored securely on an integrated circuit.

In order to drive EMV adoption in the US, the credit card brands plan to shift liability in October 2015, after which parties that haven't deployed the system will be held liable for fraudulent transactions.

However, the EMV specification suffers from both regulatory and security issues, some of which have already been exploited in real-world attacks, according to Ross Anderson, a security engineering professor at Cambridge University with 25 years of experience in payment systems security.

During a talk at the Black Hat security conference in Las Vegas, Anderson highlighted some of the attacks that are possible against existing EMV implementations. Banks have tried to downplay these as impractical or too complex for cybercriminals to launch, he said.

The "preplay" and "no PIN" attacks are two examples. In a "preplay," a card inserted into a rogue payment terminal can be charged for a transaction that's done with a fraudulent card at a terminal somewhere else in the world. In the "no PIN" attack, a criminal uses a stolen card that's wired to a portable device with a rogue card inserted into it. That lets the attacker bypass PIN verification at POS (point-of-sale) terminals in order to authorize rogue transactions.

More recently, Anderson's team at Cambridge discovered that many EMV-capable ATMs and payment terminals generate random numbers in a predictable manner. This allows someone with temporary access to a credit card, such as a waiter, to calculate authentication codes that then can be used for transactions in the future. Worse, a rogue or compromised POS terminal can generate authentication codes for a card inserted into it, and those codes can later be used to authorize additional rogue transactions.
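A defender's view of the predictable-number problem described above, as an added example that is not from the article or the Cambridge research: a check an acquirer or merchant could run over the nonces one terminal has logged. It assumes the value is the 4-byte EMV Unpredictable Number and that logs keep it per terminal in the order seen; the function name, thresholds and sample values are constructed for illustration.

```python
from collections import Counter
from functools import reduce
from operator import and_, or_

MASK32 = 0xFFFFFFFF  # assumption: the nonce is the 4-byte EMV Unpredictable Number

def audit_nonces(hex_values, max_step_share=0.5, min_varying_bits=16):
    """Return findings for one terminal's logged nonces, given in the order seen."""
    nums = [int(v, 16) & MASK32 for v in hex_values]
    if len(nums) < 4:
        return ["too few samples to judge"]
    findings = []

    # 1. Repeats: a random 32-bit value should not recur in a short log.
    repeats = sorted(f"{n:08X}" for n, c in Counter(nums).items() if c > 1)
    if repeats:
        findings.append(f"repeated values: {repeats}")

    # 2. Counter/timer behaviour: one step dominates the consecutive differences.
    gaps = Counter((b - a) & MASK32 for a, b in zip(nums, nums[1:]))
    step, hits = gaps.most_common(1)[0]
    if hits / (len(nums) - 1) > max_step_share:
        findings.append(f"constant step 0x{step:X} in {hits} of {len(nums) - 1} gaps")

    # 3. Stuck bits: bit positions that never change shrink the space to guess.
    varying = bin(reduce(or_, nums) ^ reduce(and_, nums)).count("1")
    if varying < min_varying_bits:
        findings.append(f"only {varying} of 32 bits ever change")
    return findings

# Constructed sample logs (hypothetical terminals, not captured data).
COUNTER_LIKE = ["0000A1F0", "0000A1F1", "0000A1F2", "0000A1F3", "0000A1F4", "0000A1F5"]
RANDOM_LIKE = ["3C5A96E1", "7F02B84D", "C3A5691E", "12D9E4A7",
               "A80F31C6", "5B7704F2", "E4619D0B", "09CE52B8"]

if __name__ == "__main__":
    for name, log in (("counter-like", COUNTER_LIKE), ("random-like", RANDOM_LIKE)):
        print(name, audit_nonces(log) or "no findings")
```

A clean result on a short log is not proof of a sound generator; the check only catches the crude patterns (repeats, counters, stuck bits).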

Some of these attacks don't stem from issues in the EMV standard itself, but rather from the poor implementation of it by payment terminal vendors, according to Anderson. Banks don't have enough incentive to act, because liability for fraud shifts to the merchants if EMV is not used in a transaction and to consumers if EMV is used with the correct PIN number, he said.

That tendency to blame the card owner is based on the premise that since EMV cards -- or rather their chips -- cannot be cloned, if a fraudulent transaction is done with such a card and the correct PIN, the card owner has been negligent.

Whether US banks will try to shift liability to consumers for PIN-authorized EMV transactions remains to be seen, as consumer protection in the US is better than in Europe, Anderson said. EMV adoption in the US will be an interesting experiment because some banks want to implement chip-and-PIN cards, while others favor a chip-and-signature model, Anderson said.

The EMV specification as it exists today is vastly complex, and vendors have made additions on top of it, which means that it's easy to make mistakes when implementing it, Anderson said. Depending on how much attention you pay, you can design a secure system using EMV or an awful one, he said.

Lucas Zaichkowsky, an enterprise defense architect at AccessData whose previous jobs involved investigating credit card breaches and assessing compliance with payment card security standards, agreed with Anderson.

"People think that if we switch to EMV, these breaches will go away, but that's not true," said Zaichkowsky, who also gave a presentation about POS system architecture and security at Black Hat. During an EMV transaction, RAM-scraping malware can steal the same data that's on the magnetic stripe if the chip is not implemented correctly, and several banks don't do it properly, he said.

That data can then be used to create counterfeit magnetic stripe cards to conduct fraud in most countries, even those already using EMV, because most EMV readers are also configured to accept the magnetic stripe in "fallback mode."

In addition, most EMV-enabled POS terminals support both chip cards and traditional magnetic stripe cards. When you attempt to swipe an EMV card, the payment terminal should refuse it and ask you to insert it in the smart card reader instead. That doesn't always happen, according to Zaichkowsky.

As an example, he said that his credit card was swiped at a POS terminal in Italy because the cashier was used to US cards not having chips, despite his card having one. There was no error and the transaction went through, he said.
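The refusal logic described above can be sketched as follows (an added example, not code from the article or any terminal vendor). It relies on the Track 2 service code, which the article does not mention: a first digit of 2 or 6 marks a card that carries a chip. The function names, the three-attempt fallback policy and the log format are assumptions.

```python
import re

# Track 2 (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data ?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?$")
CHIP_FIRST_DIGITS = {"2", "6"}   # first service-code digit: card has a chip
MAX_CHIP_ATTEMPTS = 3            # assumed policy before fallback is allowed

def code_has_chip(service_code):
    """True if the service code says the card carries a chip."""
    return service_code[:1] in CHIP_FIRST_DIGITS

def swipe_decision(track2, chip_failures=0):
    """What the terminal should do when a card is swiped."""
    m = TRACK2.match(track2)
    if m is None:
        return "reject"              # unparseable stripe data
    if not code_has_chip(m.group(3)):
        return "accept_swipe"        # stripe-only card, nothing to enforce
    if chip_failures < MAX_CHIP_ATTEMPTS:
        return "prompt_insert"       # refuse the swipe, ask for the chip
    return "fallback_swipe"          # chip unreadable: allow, but flag it

def unflagged_chip_swipes(log):
    """Audit: chip cards that were swiped without being marked as fallback."""
    return [r["id"] for r in log
            if r["entry"] == "swipe"
            and code_has_chip(r["service_code"])
            and not r["fallback"]]

# Constructed sample data (well-known test PAN, not a real card).
CHIP_CARD = ";4111111111111111=2512201000000000?"
STRIPE_CARD = ";4111111111111111=2512101000000000?"
# The log keeps only the service code, never the full track.
LOG = [
    {"id": "t1", "entry": "chip",  "service_code": "201", "fallback": False},
    {"id": "t2", "entry": "swipe", "service_code": "201", "fallback": False},
    {"id": "t3", "entry": "swipe", "service_code": "101", "fallback": False},
    {"id": "t4", "entry": "swipe", "service_code": "201", "fallback": True},
]

if __name__ == "__main__":
    print(swipe_decision(CHIP_CARD), unflagged_chip_swipes(LOG))
```

Transaction `t2` is the case from the anecdote: a chip card swiped with no error and no fallback flag.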

Even if everyone in the world switched to chip-enabled cards and traditional magnetic stripe cards disappeared, fraud would most likely shift from card-present transactions to card-not-present transactions, such as those done online or over the phone, he said.

Fraud statistics up to 2012 actually show that this has happened in Europe since the deployment of EMV, Anderson said.

With an EMV transaction, a compromised POS terminal can still get the credit card number and expiration date, Zaichkowsky said. There are many places where this is all you need to place an order, because they don't ask for the three-digit security code or verify the billing address, he said.

This means that cybercriminals will continue to have an incentive to compromise POS terminals, even with widespread EMV deployment.

The sophisticated EMV attacks that Anderson and his team at Cambridge identified aren't widely used yet, partly because criminals have easier ways to abuse EMV cards today. That's because they're currently designed to also work with ATMs and payment terminals in countries where the system is not deployed, such as the US. Information captured from the magnetic stripe of a chip-equipped card can be used to create a counterfeit copy that doesn't have a chip. That cloned card cannot be used in Europe but works in the US, where the chip isn't needed anyway.

The fewer places in the world where cybercriminals can use such cards, the harder it will be for them to steal money from them. That might lead criminals to start using EMV attacks like those described by Anderson.

One technology that has a much better chance of preventing attackers from stealing card data is point-to-point encryption from the card reader to the payment processor, according to Zaichkowsky.

Security experts have recommended point-to-point, or end-to-end, encryption for card-present payments for years. Adoption has been slow because it requires replacing card readers and PIN pads with new ones that support the technology, a significant investment that most merchants were not prepared to make.

However, now that many of them will have to change their terminals anyway in order to support EMV, it would be better if they also took the opportunity to choose terminals that encrypt the card data at the reader, Zaichkowsky said.
