December 21, 2013

EMV And The Target Breach

There are a lot of people now pointing to the Europay MasterCard Visa (EMV) card (aka “Chip and PIN”) as the savior from breaches such as the one at Target, and I am sure Visa and MasterCard are very pleased with that. Well, I hate to burst your bubble, but if the US had been using only EMV, as Europe and Canada do, EMV probably would have had only a minor impact on the outcome.

Are you stunned by that statement? After all, that is not how Visa and MasterCard are portraying EMV. If you read their media statements, they imply that EMV is the answer to these breaches.

To make sure I was describing the security features of EMV correctly, I reached out to my friend and EMV expert Andrew Jamieson, Security Laboratories Manager at Underwriters Laboratories – Transaction Security in Kew, Australia. Underwriters Laboratories tests and certifies a lot of things, one of which is card terminals (magnetic stripe and EMV) against the PCI standards. As such, Andrew has a lot of knowledge of EMV and how it works.

I asked whether or not EMV cards are encrypted.

“EMV cards are not encrypted, per se, but instead store a couple of secret keys which are used as part of the authentication of the entire transaction. All card data can be output from the card in the clear – PAN, CVV, etc – except for the customer PIN and the secret keys. The CVV will also be different from that on a magnetic stripe, either static (called an iCVV) or can also be a dynamic value that changes with each transaction (dCVV).”

Well, there is an interesting piece of news. While the transaction gets encrypted with the secret keys, an EMV card would still give up some information in a Target-like breach.

Then I asked if there is a risk even with EMV.

“So, any chip based transactions from an exposure such as the Target one would only have exposed the PAN (technically, the PAN on the card can be different from the PAN on the face/track, but in reality this never happens), not the full track. As the CVV would not have been exposed, the PAN would have limited value.”

If the magnetic stripe were not present, the CVV would not be required or recorded in the chip; only the iCVV or dCVV would be available, and neither is usable because the code printed on the card does not match either of those values. The information gathered would therefore not allow cards to be cloned, because the data recorded in the chip is not the same as the data printed on the physical card. That should be no surprise, because preventing the cloning of cards is exactly what the EMV standard was designed to do.

However, in a Target-like breach where the terminal and/or POS system were compromised, the chip would still have given up enough information to be used in card not present (CNP) transactions such as those conducted via eCommerce. The attackers would be limited to defrauding online merchants, but that is where most card fraud is now being committed.

EMV is not the “silver bullet” the card brands like to imply. Yes, it is better than the magnetic stripe, but it does nothing to stem the growing tide of fraud in online transactions. There are a number of new technologies on the horizon that would minimize the fraud risk of using credit/debit cards in both card present and card not present situations. But until the card brands get behind those solutions, they will continue to push their old solutions and leave the current problems unaddressed.
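To make the reasoning above concrete, here is an added example (my own construction, not code from the post or from UL) that models what memory-scraping malware on a POS would capture from a magnetic-stripe swipe versus an EMV chip read, and which of an issuer's own authorization checks the captured data would still pass. The Track 2 field order (PAN, expiry, service code, discretionary data) is the standard layout and EMV's Track 2 Equivalent Data uses the same layout with an iCVV in place of the stripe CVV; the exact discretionary-data split (PVKI, PVV, CVV), the sample PAN, the CVV/iCVV/CVV2 values and the issuer record are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not from the post): model of what a POS-memory compromise
# exposes for a stripe swipe versus a chip read, and which fraud channels an
# issuer's own checks would still accept. All card values are constructed.

# Track 2: PAN '=' YYMM expiry, 3-digit service code, issuer discretionary
# data. The discretionary split assumed here is PVKI (1) + PVV (4) + CVV (3).
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)


def parse_track2(track2: str) -> dict:
    """Split Track 2 (or EMV Track 2 Equivalent Data) into its fields."""
    m = TRACK2_RE.match(track2)
    if m is None:
        raise ValueError("not Track 2 formatted data")
    fields = m.groupdict()
    disc = fields["disc"]
    fields["cvv"] = disc[5:8] if len(disc) >= 8 else None  # assumed layout
    return fields


@dataclass(frozen=True)
class Captured:
    """What RAM-scraping malware on the POS sees for one transaction."""
    source: str          # "stripe" or "chip"
    track2: str          # raw Track 2 / Track 2 Equivalent Data
    pan: str
    expiry: str
    cvv: Optional[str]   # stripe CVV, or the chip's iCVV; never the printed CVV2


def capture(source: str, track2: str) -> Captured:
    f = parse_track2(track2)
    return Captured(source, track2, f["pan"], f["exp"], f["cvv"])


@dataclass(frozen=True)
class IssuerRecord:
    """Issuer-side reference values for one card (constructed)."""
    pan: str
    stripe_cvv: str   # value encoded on the magnetic stripe
    icvv: str         # value the chip emits in Track 2 Equivalent Data
    cvv2: str         # value printed on the card, asked for in CNP


def issuer_accepts_swipe(rec: IssuerRecord, track2: str) -> bool:
    """A swiped stripe is authorized only if it carries the stripe CVV."""
    f = parse_track2(track2)
    return f["pan"] == rec.pan and f["cvv"] == rec.stripe_cvv


def issuer_accepts_cnp(rec: IssuerRecord, pan: str, cvv2: Optional[str],
                       require_cvv2: bool) -> bool:
    """Card-not-present authorization, with or without a CVV2 requirement."""
    if pan != rec.pan:
        return False
    return (not require_cvv2) or cvv2 == rec.cvv2


def breach_impact(cap: Captured, rec: IssuerRecord) -> dict:
    """Which fraud channels the captured data alone would feed."""
    return {
        # captured data written back to a blank stripe
        "stripe_clone": issuer_accepts_swipe(rec, cap.track2),
        # online merchant that does not ask for CVV2
        "cnp_no_cvv2": issuer_accepts_cnp(rec, cap.pan, None, require_cvv2=False),
        # online merchant that requires CVV2 (captured data never contains it)
        "cnp_with_cvv2": issuer_accepts_cnp(rec, cap.pan, None, require_cvv2=True),
    }


# Constructed sample card: same PAN and expiry on stripe and chip, different CVV.
SAMPLE = IssuerRecord(pan="4000001234567899", stripe_cvv="123", icvv="456", cvv2="789")
STRIPE_TRACK2 = ";4000001234567899=2512101" + "1" + "9876" + "123" + "?"
CHIP_TRACK2_EQUIV = ";4000001234567899=2512201" + "1" + "9876" + "456" + "?"

if __name__ == "__main__":
    for src, data in (("stripe", STRIPE_TRACK2), ("chip", CHIP_TRACK2_EQUIV)):
        print(src, breach_impact(capture(src, data), SAMPLE))
```

Run as-is, the stripe capture feeds both a working clone and CNP at merchants that skip CVV2, while the chip capture fails the clone check (the iCVV is not the stripe CVV) and is left with only the no-CVV2 CNP channel, which is the post's point. Swapping the issuer's CVV2 requirement from optional to mandatory is the one change in this model that closes the remaining channel for both capture types.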


6 Responses to “EMV And The Target Breach”


  1. QSAsteve
    December 23, 2013 at 4:05 AM

    The technical solutions mooted here are impressive but any technical solution will take a long time to get agreed, ratified and implemented. Surely there is a much quicker way. As Andrew notes, the physical CVV2 code on the back of the card is not compromised in an attack such as Target’s. So in the case of an EMV card the exposed card cannot be used in face to face (no PIN) and cannot be used on-line (no CVV2). You point out that ‘There are plenty of Web sites and call center merchants where CNP transactions do not require CVV2/CVC2’ but that is easily remedied. PCI SSC already mandate much about web site design and testing; why not just add a requirement that the CVV2 is needed for CNP transactions.

    • December 23, 2013 at 9:27 AM

      Making changes to all of those Web sites to accept CVV2/CVC2/CID will take time as well and may even create problems for the merchants’ transaction processors. So that might not be as quick as you think either.

      The beauty of my approach is that the card brands already have the single use algorithms built, it would just be agreeing to which one to use. I would think that could be accomplished in three to six months. However, you are correct that it would take a couple of years to get it rolled out. After all, it took EMV eight years before it was rolled out.

  2. Andrew Jamieson
    December 22, 2013 at 5:46 PM

    To clarify one item of my comment – the ‘security code’ on the rear of the card (CVV2/CVC2) would of course also not be exposed by any EMV transactions, so the value of any PAN values exposed would be minimal even for CNP transactions.

    • December 22, 2013 at 7:47 PM

      Agreed regarding CVV2/CVC2.

      However, in regard to CNP transactions, there are plenty of Web sites and call center merchants where CNP transactions do not require CVV2/CVC2. So relying on that as a way of minimizing fraud and losses is not a good control.

  3. December 21, 2013 at 10:24 AM

    The real opportunity empowered by EMV here is threefold. Firstly to prevent the physical world fraud endemic in magnetic stripe use. Secondly to prevent crossover fraud resulting in static data extracted from the physical domain being used in the virtual domain as CNP. Thirdly to expand the use of EMV into the virtual domain and effectively eliminate CNP.

    The UK, with a long history of payments innovation, took a leadership position in implementing EMV in the physical world and is again the first to expand EMV Chip & PIN to online use. A 10 month trial was recently held and this is now being expanded with further major financial industry players in 2014. This expansion includes EMV use for eCommerce, eBanking and MPoS.

    Fraudsters need to make a living and with the rest of the world running to implement EMV the USA becomes the weakest link – simplified but real. As the UK and other countries expand EMV online then the only major market to use CNP again becomes the USA. As a business and as a consumer I know where I would rather be…

    Google “Secure Electrans” or “HomePay” and you can find all about it. The implementation recently obtained International Common Criteria Certification – the first ever globally in category.

    • December 21, 2013 at 11:27 AM

      That is all good and well, but at the end of the day, the card is the problem, EMV or otherwise.

      The way to address the problem is single use codes of 15 to 16 characters in length so that the code is compatible with existing POS solutions. This approach was tried in the early 2000s by American Express, Visa and some banks for eCommerce purchases, but never caught on because no one pushed it. With the pervasiveness of smartphones and other devices, these codes can be generated and then even displayed as bar codes to avoid data entry issues. And since they can be used only once, who cares if they’re stored, and stored in clear text?

      Until we address the root cause of the problem, we will continue to have the problem.
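The single-use code idea in the reply above, worked through as an added example (my own construction, not a card brand's scheme and not code from the post): a 16-digit, Luhn-valid code derived with an HMAC over the account and a per-account counter, so it fits an existing PAN field, and a redemption check that accepts each code exactly once, so a stored copy of the code is worthless after its single use. The prefix 999999 and the HMAC key are placeholders, not real issuer values.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Added example (not the post's or any card brand's scheme): a 16-digit,
# Luhn-valid single-use payment code plus a redeem-once check.
CODE_PREFIX = "999999"   # assumed token-range prefix, not a real IIN


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a number whose check digit is still missing."""
    total = 0
    # Walk from the right: the digit next to the check digit is doubled,
    # then every second digit after it.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the Luhn check digit of the rest."""
    return (len(number) > 1 and number.isdigit()
            and luhn_check_digit(number[:-1]) == number[-1])


class SingleUseCodeIssuer:
    """Issues per-transaction codes and redeems each one at most once."""

    def __init__(self, key: bytes):
        self._key = key
        self._counter: Dict[str, int] = {}   # per-account issue counter
        self._open: Dict[str, str] = {}      # code -> account, until redeemed
        self._spent = set()                  # codes already redeemed

    def issue(self, account: str) -> str:
        """Derive a fresh 16-digit code for the account (HMAC of account:counter)."""
        n = self._counter.get(account, 0)
        while True:
            mac = hmac.new(self._key, f"{account}:{n}".encode(), hashlib.sha256).digest()
            body = str(int.from_bytes(mac[:8], "big") % 10**9).zfill(9)
            partial = CODE_PREFIX + body                   # 15 digits
            code = partial + luhn_check_digit(partial)     # 16 digits
            n += 1
            if code not in self._open and code not in self._spent:
                break                                      # skip rare collisions
        self._counter[account] = n
        self._open[code] = account
        return code

    def redeem(self, code: str) -> Optional[str]:
        """Return the paying account, or None if malformed, unknown or already used."""
        if not luhn_valid(code) or code in self._spent:
            return None
        account = self._open.pop(code, None)
        if account is not None:
            self._spent.add(code)       # a captured copy can never be replayed
        return account


if __name__ == "__main__":
    issuer = SingleUseCodeIssuer(b"constructed-test-key")  # placeholder key
    code = issuer.issue("acct-1")
    print(code, luhn_valid(code))
    print("first use:", issuer.redeem(code))
    print("replay:", issuer.redeem(code))
```

The issuer never has to protect the codes it has handed out: the HMAC key is the only secret, and a code that leaks from a merchant's database after use is rejected by the spent-set check, which is the property the reply relies on when it says storage in clear text no longer matters.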

