EMV Flaw: Still at Large?Experts Weigh Risks Posed to Banks, Consumers
Four years after criminals exploited flaws related to the EMV security protocols to commit as much as 600,000 euros ($656,000) in fraud, security experts say that the underlying vulnerability remains present (see How Criminals Cracked EMV). But payment card issuers and industry representatives contend that the related vulnerability has been successfully mitigated and note that no successful copycat attacks have ever been seen.
News of the related fraud spree first came to light in October, when French researchers published a paper detailing their digital forensic analysis of the 2011 crimes. The researchers, who were commissioned by French authorities after the fraud was detected, found that a gang of criminals had "clipped" - removed - smartcard chips from genuine cards; those chips are designed to authenticate the card. By adding the chips to homebuilt cards and making use of a second chip - either on the card or connected to it via wires up their sleeve - they were able to subvert the cardholder-authorization process by executing a successful man-in-the-middle attacks against POS terminals.
"The fix is to turn on strict checking and verify that the card and the PED had the same view of the transaction."
To block repeat attacks, the French researchers report that Cartes Bancaires - France's national interbank network - added multiple countermeasures, including a new Combined Data Authentication mode, a.k.a. "strict checking," which requires online verification of all transactions.
But in the wake of the researchers' report, one banking official from Malaysia - which is currently transitioning from chip-and-signature cards to chip-and-PIN cards, contacted me to ask exactly how this flaw has been either fixed outright or mitigated: "I'd like to clarify on what 'fixed' in this case meant - were the countermeasures specific to the defrauded bank? Or was the EMV specifications updated to include the countermeasures? ... I need to understand if we will be exposed to this risk in the near future."
Full Fix: Strict Checking
There is a full fix for the related vulnerability. "The fix is to turn on strict checking and verify that the card and the PED [PIN entry device] had the same view of the transaction," says Ross Anderson, a professor of security engineering at the University of Cambridge.
But he tells me the fix has not been widely adopted. "The flaw hasn't been fixed in the U.K., except by HSBC," he adds. "Most banks seem to be happy to take the risk - which is largely borne by customers anyway." That's a reference to many European banks' terms and conditions, which posit that because EMV has eliminated card cloning, consumers must be at fault for any card-present transactions that were authenticated.
Tom Wills, a Singapore-based director at the consultancy Ontrack Advisory, also notes that while CDA mitigates the vulnerability, it "only works when it's turned on, and it's not in widespread use today." As a result, "in practical terms, the vulnerability is still very much out there."
No Copycat Crimes Seen
A Visa spokeswoman, however, contends that the problem exploited by the European fraudsters has been mitigated. "This was an isolated incident, and in the five years since it occurred, worldwide improvements in telecommunications and the resulting decline in 'offline' transactions, which are not authorized in real time by the issuing financial institution, have been effective in mitigating against this issue," she tells me.
EMVCo - which manages the EMV specifications - as well as MasterCard and the U.K. Card Association didn't immediately respond to a request for comment.
But the Visa spokeswoman says EMVCo now provides tools to developers that are designed to mitigate the vulnerability described by the French researchers and that Visa also now employs additional defenses. "Visa implemented a zero floor limit for contact-chip and magnetic-stripe-read transactions in a majority of Visa Inc. countries, meaning that transactions of any amount must request online authorization," she says. "This change to Visa's rules effectively mitigated the risk posed by so-called 'man in the middle' or 'wedge' attacks."
Strict Checking: Pros and Cons
Why not simply implement CDA - strict checking - across the globe?
Wills says that CDA works best in environments where all cards and readers are CDA-compatible. Unfortunately, when CDA-compatible cards are used in non-CDA environments, the risk of legitimate transactions failing increases. "Practically speaking, that means you would have to implement CDA in 100 percent of cards and terminals in a given market," he says. "That would be great from a security point of view, but when a cardholder from that market traveled to another country where CDA wasn't in place, then that wouldn't be so great."
As a result, many banks still use static data authentication, or SDA, which is less secure but also less computationally intensive, meaning it won't slow transaction speed. "That's seen as undesirable, especially during this early stage when the industry is trying to promote a new way of paying to sometimes non-receptive consumers," Wills says.
In recent years, researchers - and criminals - have identified multiple ways in which EMV-compatible POS systems can be subverted. Anderson and his colleagues in 2014, for example, demonstrated a "chip and skim" attack that could be used to exploit some types of POS devices and ATMs that failed to use sufficiently random numbers to relay back to the banking network to identify a card being used at a POS device. As a result, attackers could deduce the card authentication algorithm and use it to spoof legitimate cards.
University of Surrey computer science professor and cybercrime expert Alan Woodward says this type of research remains vital, so that EMV-related implementations can continue to be better locked down.
Such research is also a reminder that EMV, which is still in the process of being implemented in the United States, is not foolproof, Wills from Ontrack Advisory tells me. "Despite what we might hear from some proponents of EMV, it's not unsinkable - far from it, and we're going to see more exploits emerge in the future as smart and motivated criminal hackers diligently work to break the protocol," he says. "Like all security controls, without exception, EMV technology can only do its job properly if it's deployed in the context of a layered, defense-in-depth security architecture."
The card brands likewise note that it's important for card issuers to not just rely on EMV, but to also employ tokenization and other controls to better secure payment card data. Visa's spokeswoman, for example, says it also analyzes "up to 500 different data elements in real time - including geo-location, device ID, and IP addresses - to more accurately identify and prevent fraud."