In my last post I discussed the statistics surrounding the adoption of Chip and PIN. In this post I want to go back and discuss the issues from my old post regarding security risks regarding Chip and PIN.
In my original post I discussed a number of shortcomings regarding EMV. A lot of those issues were taken from old sources as well as some that were questionable. I apologize for the misleading information in some cases. However, the reason I included a number of these old issues was that they still can be an issue to the EMV card as not every financial institution has necessarily converted their entire card base to newer EMV standards. I know this to be true because one of my clients manufactures EMV cards and they continue to produce cards to older standards.
EMV, like any other security method, is not perfect. So what are the viable issues? Here is my take on the security issues for EMV.
Man-In-The-Middle Attack
At the IEEE conference in February 2010 a number of researchers from the University of Cambridge presented a paper on a man-in-the-middle attack where they used somewhat expensive equipment to build hardware and software that essentially intercepted the communications between the EMV card and the terminal to fool both into believing that a transaction has been properly completed. After this paper was presented there was a flurry of newspaper articles about the problem hyping it as the reason why EMV is a “false prophet.” A few days later, a number of articles came out dismissing the research as bunk because of the expense and complexity of the equipment.
However, the flaw that these researchers found is more exploitable than most people think. Terminals are more sophisticated that most people give them credit. Today’s terminals are not the “dumb” devices of yesteryear. Today’s terminals are like netbooks in disguise and run embedded Linux or Windows. Vendors provide software development kits with these new generation terminals for the development of sophisticated solutions for processing credit cards, giving loyalty rewards and other merchant friendly purposes. And after four years, it appears that the PCI SSC has recognized the threat from these new terminals and is modifying the PA-DSS to include them in the certification process.
I have personally been involved with a client that had their terminals tampered with by a gang to store cardholder data on USB drives embedded in the terminals. These terminals were swapped for legitimate terminals by gang members posing as the night cleaning or the stock crew. Then there is the Hannaford breach. While we know that it was malware installed on the POS servers at each store, there has never been an official explanation given as to how the malware got on those servers. Most people just assumed that the hackers somehow compromised Hannaford’s network and placed it on all of their servers. But the rumor I heard was that the Hannaford breach was the result of tampering with their master ghost image for their POS server. Hannaford had updated their POS hardware and software as part of their PCI remediation efforts (how is that for a real piece of irony) and had hired a third party to provide the additional resources necessary to ghost the new servers.
The bottom line is that there is ample evidence that data gathering at the source is a real threat. Given the sophistication of terminals these days and the likelihood that they and POS software can readily be tampered with, the ability for a successful man-in-the-middle attack is higher than most people believe or want to believe. As a result, it is not too farfetched that tampered with terminals or POS software could be created and distributed to unsuspecting merchants by unwitting or unscrupulous vendors and/or resellers.
Card Cloning
In May 2010, Lloyds-TSB admitted that a number of their customers had been the victims of card cloning. Apparently, this is not your run-of-the-mill amateur cloning operation, as these cloners are cloning everything and determining the cards’ PIN.
It is not difficult to skim the magnetic stripe on an EMV card as most of them have a stripe so that they can be used in non-EMV situations. Now a lot of you are probably wondering how the bad guys got the cards’ PINs. It is just a simple use of a rainbow table to break the encrypted PIN block. The problem with the current PIN block encryption specification is that it is published. And though you might think that PIN encryption would be tough to beat, banks usually only change their private keys annually so if you have a card from a target bank, you can figure out the private key by using the information from a known card. As a result, it is not difficult to generate the necessary rainbow table(s) to quickly crack PIN blocks.
Once cloned, the cards are used at ATMs around the world to obtain the victims cash. Why ATMs? Turns out that almost all ATMs, even those in Europe, still rely on a card’s magnetic stripe to conduct withdrawals not the chip. To add insult to injury, it turns out that Lloyds-TSB’s and most other banks’ fraud detection systems ignore ATM withdrawals. And because ATM transactions from foreign ATMs took anywhere from a week to a month to show up on customers’ statements, it usually was quite a while before the customer contacted the bank to dispute the transactions.
So until EMV is the configuration all over the world, the magnetic stripe is the weak link in the chain.
Card Theft
This is still a problem even with EMV. The bad guys have taken a tip from the long distance telephone scammers of the late 1980s playbook. It was that brief time before today’s truly portable cell phones and people relied on long distance calling cards. I can personally remember at Newark Airport, the terminal had scammers shoulder surfing people as they made calls writing down the calling card numbers as they keyed them into the phones.
What today’s EMV scammer does is electronically shoulder surf at ATMs and merchants and then lifts the victims’ wallet or purse. They then quickly conduct as many fraudulent transactions as possible before the victim can notify their bank of the stolen card.
Granted, this is not a great way to make a living, but properly done, one can make a living. With the new PCI PTS standard, even electronic shoulder surfing the PIN should be more difficult, but not necessarily impossible. And with the prevalence of video monitoring everywhere these days, the chance of obtaining footage containing recordings of people entering their PINs is even greater. So your new targets of hackers may be the DVRs that contain that footage.
Reverse Engineering Attack
This attack is a prime example of why some things should never be published on the Internet for everyone to see.
This is an attack that is developed by a person using their own credit cards as testing devices. Even in today’s economy, banks issue credit cards to almost anyone that applies as long as their credit score is good. Therefore it is not impossible to believe that someone would use their existing credit cards to reverse engineer keys.
First and foremost, all of the documentation is available on-line for anyone to see so the attacker has a readily available instruction manual for reverse engineering the standards. All of the hardware and software development kits are readily available and in some cases can be obtained for little or no cost from vendors or through eBay. If you think this is farfetched, remember that at this year’s Black Hat a guy explained how he learned to hack ATMs by buying them through eBay and other sources. As I discussed earlier, what makes these attacks possible is that the private keys the banks use in their encryption do not change very often. At most they change once per year, possibly even less than that. As a result, anyone that desires can use off-the-shelf software to monitor the network and capture the traffic when the card authenticates. From that traffic, the private key can be determined and then any card from a particular bank can then be easily cloned.
I am sure there are other attack vectors waiting to be discovered by some ingenious attacker. I only wish I had the free time to look into this topic further, but that is for the attackers who have such free time. But this is not to say that EMV would not bring something to the security table. However, the bottom line is that there are risks with EMV and it is not the panacea that its proponents like to portray. It has known and unknown flaws just like any other piece of technology. So, let us all admit that fact and move forward.
UPDATE: Here are some more links to other information regarding issues with Chip and PIN and explanations of the above threats.
http://blog.itsecurityexpert.co.uk/2010/02/chip-pin-weakness-smoke-screen-for-real.html
PCI Guru 
I’d like to thank David for his extensive response to this and previous blog posts, it saves me the trouble of a even longer rant of having to pointing out all the flaws in Mr Pci Guru’s arguments, and that Mr Pci Guru does not have much knowledge about EMV and should refrain from commenting on it until he does.
I suggest Mr Pci Guru reads my 39 page white paper “6 Myths Preventing U.S. EMV Migration” (download at http://www.bellid.com/index.php/content/view/384/1). It seems that Mr Pci Guru has exactly the opposite view of what my study concludes – I can barely wait to receive Mr Pci Guru’s response.
To anyone reading Mr Pci Guru’s anti-EMV propaganda, please ignore it, it’s not worthy of your time. In fact, there are many other blog posts that make much stronger arguments than that of Mr Pci Guru.
Let me assure you that I’m not against PCI-DSS, but that I’m advocate for the elimination of cheques, magnetic stripe cards and card not present transactions (internet transactions can be card present transactions). I believe PCI-DSS should be treated as a best practice in general security, in fact, our next mayor release of our card management system will be PCI PA-DSS compliant – this is our own choice, no-one has forced us to comply (thus far). That being said, I believe that EMV issuers should not be forced to comply to PCI-DSS, since they have put measures in place to secure the cards, and if there is any fraud on their EMV cards on EMV terminals, they will be liable for the fraud anyway (assuming liability shift applies). If their cards are used via less secure interfaces, then the acquirer/merchant choosing to accept those less secure interfaces should carry the cost of the fraud.
Magstripe being cloned is not EMV being vulnerable. EMV is about a chip on the card, and a chip reader in a terminal. Magstripe is only there for the phase in of EMV, so that cards still work at older terminals. The answer to this problem is simple, complete EMV migration.
While I’m ranting; In one of your previous posts, you claim the UK invented EMV… While the UK may be flattered with your compliment, may I remind you that EMV is an acronym for Europay, MasterCard, Visa. Europay was acquired by MasterCard shortly after EMV was launched. Recently Amex and JCB joined EMVco, and MasterCard and Visa become public companies, but since the inception of EMV, EMV was promoted primarily by the two of the largest payment companies in the World, namely Visa and MasterCard, both U.S. companies, who also deserves the credit for “inventing” EMV.
People being forced by thugs with violence or threat to reveal their PINs cannot be classified as card fraud! That is more your traditional physical crimes such theft, pick pocketing, trespassing, abduction, assault, murder, ect. This type of crime is also not nearly as common as your run-of-the-mill non-violent and often undetectable magnetic stripe card fraud. That being said, how does PCI prevent this type of crime? The only way to remove these types of crimes lies in social development/political reform/law enforcement solutions.
EMV may not be a silver bullet, and cannot solve all of the worlds security problems. EMV should be seen as securing a payment channel as part of an holistic security program, which can also include PCI-DSS. While there may not be any silver bullets, EMV can be seen as an armour piercing round fired from a sniper rifle; and while it may not be enough to kill all fraud, it goes a long way to stopping card fraud.
It amazes me that everyone thinks I’m anti-EMV. I am NOT anti-EMV, I am anti-misinformation about EMV.
The biggest problem I have with EMV is that it is portrayed by Congressional committees and journalists as THE “silver bullet” solution. I think the debate that occurred here points out that there are no “silver bullet” solutions to this problem short of engineering something entirely new and secure.
As opposed to what Congress and journalists have portrayed, EMV does not solve the breach and fraud issues. Breaches and fraud will still occur. Granted the threat and risk landscapes change a bit, but breaches and fraud will still occur whether the world fully implements EMV or not. Think the public will accuse their leaders of selling them a “pig in a poke” when they find this out? You can bet on it.
The next point is that, whether you like it or not, US bankers and merchants don’t see the need for EMV because there is no economic reason or driver for implementing EMV. US bankers and merchants see EMV as a solution looking for a problem. This is not my opinion, that is exactly how bankers and merchants have framed it to me in discussions I have had with them. Without a payback, EMV has nothing to offer business as an incentive to switch. This is how business works and how it has always worked. It is not perfect either, but businesses are required to MAKE money, not spend it senselessly on things with no payback.
The reason I wanted this information out was not to create an argument, but to show that there are issues to be debated and discussed. EMV is not a black and white issue. There are nuances to it as well as the level of security it brings to the table. It can be a tool in addressing parts of the problems we face, but it is not the “be all to end all” that some people frame it as.
BTW I have NEVER, EVER said PCI was perfect either. No security standard is perfect, because security as a whole is not perfect. What PCI provides is a basic, minimal framework so that organizations can understand what is necessary to secure cardholder data. Just complying with the PCI standards is not good enough. It is a start, but an organization must go beyond the standards in order to be as secure as they can. But in the end, even the best security can be defeated by a dedicated adversary.
The only mis-information I have seen about EMV has come from PCI Geezer.
Please see one of my previous responses where I have corrected EVERY piece of EMV comment that this guy has made.
This notion of Silver Bullet? Where’s all that coming from. It seems to me that you are arguing that the fact that EMV doesn’t cure all ills is a strong and valid reason not to implement. EMV was never meant to cure all ills, but it does cure the one it was developed for, and it does it very well. I think there is a certain amount of straw clutching going on if this site is populated by “experts” who collectively agree that because EMV isn’t particularly good at preventing telephone fraud, it must therefore be rubbish at everything else. If you all believe it and then reinforce each other’s beliefs, you will get to a position where the ramblings of the likes of Griffo are considered heretical. “Burn him at the stake, for unlike us, he is a non-believer!”
I, myself, am not attacking PCI on the grounds of some ill-considered snippets of mis-information, I am attacking it on the grounds of the FACT that even though you might secure the data transmission blah blah channels, you appear to have forgotten that the weakest link remains. As the PCI Guru has told us in his most recent post: ‘As security professionals like to say, “Security is only as good as its weakest link.” Where is the weakest link?’ Well, it’s the card, isn’t it? Even though you have spent quantum quids on PCI security, I can still copy a card … doh!
And, onwards …
EMV does solve breach and fraud issues – how many times have I got to say that you can’t do anything with intercepted EMV data. I have even gone as far as publishing MY own personal EMV card data on this blog site – there you go. But you still come back and tell us that the data is vulnerable. THERE ARE NO CARD DATA BREACHES IN EMV LAND. There you go, prove me wrong!!
Why not go and read the 6 Myths paper? Your economic argument is cobblers, and as I have said before, I probably speak for the whole of the EMV world when I say that I am quite happy for the US to continue to choose magstripe, provided they underwrite the magstripe risk in the rest of the world – International Liability Shift. We will, of course, do the same: where fraud occurs that could have been prevented if the parties had adopted magstripe over EMV, we will underwrite the loss. Can’t say fairer than that, can we? That way, your Bankers are happy, and the rest of the world is happy. Bish Bosh, job done.
Mr PCI Guru, you have raised the issues. Thank you. However the issues as raised appear to have been well and truly trashed. But you still carry on. If you understood EMV, you may adopt a different approach. If you can’t be bothered to understand EMV, then I feel that it is only right that your readers are presented with a balanced view. I have corrected a lot of what you have said, and I have said also that you are abusing your position as a PCI Guru by presenting people who listen, with information that is wrong.
The reason I don’t like PCI is that I understand what it is and how it works, and am actually doing it! I also understand EMV because I am also doing that. I also understand the cryptographic arguments because I do them as well. My balanced view taken from all of this is that in a land of EMV, PCI is not necessary; that isn’t to say that security isn’t necessary, as some people have accused me of saying.
Is your view balanced?
I don’t think so, as your knowledge of EMV and cryptography have already demonstrated.
Hey PCI Guru,
Here’s a brief description of how cryptography actually works…
Possession of plaintext and ciphertext do NOT allow the secret key to be determined. Every cryptographic algorithm is specifically designed to prevent this. Notable exceptions are algorithms like One Time Pad, which use a unique key for every transaction.
You could try a dictionary attack by encrypting the plaintext with every possible key, but EMV uses Triple-DES with a 112-bit key. This works out to over 10^33 possible keys, so good luck with that.
Also, you can’t use rainbow tables to break encrypted data – it only works with hashed data. You DO know the difference between hashing and encryption, right?
Encryption is just algebra. Fancy algebra at times, but just algebra. Just look at the code used for AES, it’s an equation. If I have all but one of the parts used in the equation, I can rework the equation to solve for the missing part, in this case, the private key. There is an implied assumption that the average person does not have the ability to get their hands on all of the parts, which it true. However, an enterprising individual with the right knowledge and equipment can come up with the missing parts necessary to reverse engineer the missing piece.
You are correct about rainbow tables, but I did not mean that they can be used in all instances. In a number of environments such as ATMs and large retail, the terminal that takes in the card is pushed a key that is used to protect its transactions. It is in those instances that a rainbow table can be used. However, it is more likely that an attacker would just compromise the device with a skimmer or their own code.
I’m being deliberately vague as I do not want this discussion to become a “how to” for someone.
Hey PCI Geezer
I’m sorry, but to me it looks like you are being vague because you don’t actually understand the maths behind all of this. There is a big difference between being vague but logically correct, and being vague and downright wrong!
The issue is doubly compounded by the fact that you are a geezer presenting yourself as a guru, so it is not unreasonable for us dimwits to accept all you say on face value: you feed us rubbish and we’ll happily munch away on it!
We are not worthy Oh PCI Guru. We believe everything that you say.
I’ve just seen the light …
When you say your being vague …
“I’m being deliberately vague as I do not want this discussion to become a “how to” for someone.”
The “how to” you’re referring to is a how to for the crims. You’re saying that you might give the game away and provide a clever crim with the knowledge required to enable them to crack high-end public key cryptography. Good job you’re confusing them with cobblers then isn’t it?
What a geezer …
Excuse me for having degrees in Math and Computer Science for which I’m sure do not qualify me to expound on such things. I also wrote some of the operating system software you “kids” take for granted today for little companies like IBM, Microsoft, Unisys, Digital Research and the like, so I’m doubly sure that I’m not qualified.
Encryption methods, while discussed openly, rely a lot on the fact that only certain pieces are not known to the involved parties. At a minimum two pieces, but sometimes more. However, if one of the parties can conduct an experiment with all of their known pieces, documentation on how the algorithm works, documentation on the protocols used and some appropriate monitoring gear to observe responses back, one can reverse engineer the unknown. Encryption is just an overly complex math problem, but given the right information, it is a math problem that can be solved. It’s not an exact science in that you always get the right answer the first time, but you can eventually get to the answer. Quantum encryption changes things to a certain extent, but it too can be compromised as we are seeing.
Criminals already know this basic information as well as the details. What they do not have is the capability to execute it. This is similar to computer scientists in the Soviet Union during the cold war. A lot of the best computing and encryption algorithm research was documented in the Soviet Union before the Iron Curtain fell, but they did not have the equipment to prove that it was the best. I know this because I used that research in work I did for companies around the world.
People need to be responsible for the knowledge they have. Yes there is some knowledge that can always be shared, but there is also knowledge that should only be shared once the person that desires that knowledge has proven that they are worthy of having the information and can assure the people with the knowledge that they will also be responsible for that information. This is called TRUST. And since this is a public forum and I cannot trust anyone reading this forum, I must therefore be careful of how and what I say.
I hope this clarifies things.
I’m sorry, but your understanding of encryption is completely wrong. If cryptography was as simple as “Plaintext + Key = Ciphertext”, therefore “Key = Ciphertext – Plaintext” (where + and – are algebraic functions), then encryption would be useless.
Here’s a concrete example using TDES…
A Pinblock (241234FFFFFFFFFF) is encrypted with a secret key to produce the ciphertext (CDFA8CF71E05B676). The only way to determine the secret key is to encrypt the Pinblock with every possible key (i.e. 00000000000000000000000000000000 to FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF) until the ciphertext is produced, which would take up to 2^112 attempts. There’s no knowledge or equipment that can determine the key using any other method. If anyone is able to crack this key, I’m happy to post its value for verification.
Encryption isn’t just designed to protect data from the average user. On the contrary, it’s designed to protect data from cryptanalysts with unlimited resources.
It is not that simple or trivial, but let me say that it can be done.
Why don’t you just admit that you don’t really understand cryptography?
There are no alternatives to the dictionary attack in my example, so it would take longer than the age of the universe to crack this key (so technically, I guess it CAN be done).
Now, as one of the “KIDs” that PCI Grandad is referring to, I must now bow down to his superior knowledge, wisdom and understanding. Sadly, I do not have a degree in Maths (but I am doing one at the moment to catch up!!). I also accept that after twenty five years in the payments industry, working with issuers, acquirers, processors, card schemes, mobile operators, new payment systems, ATMs, POS, Contactless, yada, yada, yada, and having spent the last 10 years lifting the lid on EMV and breaking it and putting it back together, I agree that I am probably not qualified to comment on any matters relating to electronic payments.
Maybe when my hair has turned grey, and my eyes have dimmed, and I can’t remember what I was going to say …
Maybe when I have finally grown up, which hopefully might be soon as I am peering sideways at my first half-century, I might be experienced enough to be taken seriously. Until then I shall remain in awe of the knowledge and wisdom of the PCI Grandad.
So, all of you kids who know nothing of life, the universe and public key cryptology, listen to what the old man says. You think it’s safe, but he knows a thing or two; he’s been around and has even worked for IBM. Given enough soup and a box of matches, he will crush your new-fangled cryptographic processes, as if they were single DES. Just be thankful he hasn’t passed the knowledge on to the crims. So much responsibility; we are not worthy!
There was a certain amount of irony in this post, which I am told that the Americans don’t get, so apologies for that. There was sarcasm too, but hey.
David, thank you for the in-depth reply.
So …
the chip and PIN debate parts 1 and 2 weren’t worthy of response. Thankfully the chip and PIN debate part 3 is – here we go.
EMV security debates originated by people who don’t understand EMV security are always good for a laugh. Hopefully, though, there are people out there who can sift the truth from the twaddle.
There is actually a serious side to this: I don’t want to have to take payment system advice from people who don’t know about payment systems, simply because they call themselves a QSA.
Firstly, thanks to the PCI Guru for coming clean about the old and / or misleading sources. However, the conclusions the PCI Guru has drawn from these sources have been presented as hard and fast truths about the poor state of EMV, and this is unacceptable because there are people who seem to actually believe all that the PCI Guru says. The statements were made intentionally to undermine EMV, and promote the effectiveness of PCI, which demonstrates a certain level of irresponsibility.
The standards that PCI Guru refers to initially relate to the complexity of the chip and its cryptographic capabilities. It is true that many issuers are still issuing the weaker versions, but it is also true that these are being replaced, and it is also true that the weaker versions have not yet been compromised. None of the compromises, as identified by PCI Guru, were due to the chip technology – they were due to issuers (including me) not seeing the full impact of their configurations, we now know better and the problem is nearly gone. No need for new issuers to make the same mistake again.
One may argue that EMV is not a sound security model, but one would have difficulty in denouncing the maths behind asymmetric cryptography. PKI is safe, and this is what EMV is built upon. The weaknesses we added ourselves, by accident.
Man-in-the-middle attack:
The Cambridge University attack works. However, the crim needs the REAL card, which limits the usability of the flaw; the issuing systems CAN detect it, which is not evident from the academic papers; CDA makes it go away.
PCI Guru then goes on to discuss attacks on terminals, which aren’t really what i would call MITM attacks, but hey. Having said that, the terminal tampering (and there was a case of a petrol company in the UK being attacked by crimms swapping out terminals) only seeks to gather the magstripe data stored on the chip, and the PIN of course. The card details can then be used to clone magstripe cards that can be used in the US. This attack doesn’t work where iCVV is implemented, so it isn’t really an EMV flaw. More to the point, the crims could collect all the chip data they like, they can’t do anything with it!! Malware blah blah blah isn’t therefore of any importance – unless of course you are transacting using magstripe technology, er, in the US!
Data gathering at source is absolutely the real threat. I am in complete agreement. That is why I would support EMV. There is no point in data gathering in an EMV environment because there is nothing that a crim can do with it, unless the attack is on a Yankee Doodle system dealing in magstripe data. Magstripe data = value. EMV data = no value.
Card Cloning:
Now forgive me my response, but I am not clear as to what the PCI Guru is grinding on about here, and I can’t find any reference to card cloning on Goggle, but I will have a go anyway.
It looks like he is referring to cards being cloned by copying the physical magstripe – always a risk, but it won’t work particularly well in the UK as the issuers will see fallback transactions interspersed with chip transactions on the same card, they will smell a rat and cancel the card. Now for the whacky bit – I really don’t understand this rainbow trout PIN fishing stuff. If I have a cloned magstripe card, where am I going to get an encrypted PIN block from? Certainly not from the card as it doesn’t exist on the card. This would make determining the bank’s key (and it wouldn’t be a private key in the PKI sense, it would be a DES key) pretty difficult in my opinion – I don’t have the PIN and I don’t have a PIN block. If I did have a PIN block, the only place I could have got it from would have been an ATM, from the authorisation request message, but this would be encrypted using the ATM local DES key, not the issuer’s “private” key. One of us is talking cobblers …
If PCI Guru is referring to the PIN block on the chip … there isn’t one. That isn’t how the PIN is stored.
ATMs in the UK will not process chip cards in fallback mode. This means that a magstripe clone will not work in a UK ATM – I think this is fairly standard around the EMV world too, but I would need to check specifically.
I am not saying the Lloyds-TSB fraud didn’t happen, it just didn’t happen like this.
Point of order next: All ATM transactions are authorised in real time, and can be applied to the account in real time. The cash has, after all, been dispensed.
Card Theft:
Card theft is still a problem with EMV. People are looking at PINs and then nicking the cards – now that’s what I call a sophisticated fraud – thanks for bringing that one to our attention. Let’s not implement EMV ‘cos the cards could still be nicked …
And … how on Earth do I electronically shoulder surf?
So the criminal strategy is: get the PIN, nick the card, do some transactions, quickly.
Or, it seems, obtain the DVR footage of the PIN entry, obtain the punter’s address and then go to their house (they will have long ago left the ATM or POS device), break in and nick the card – the crim now has the card and the PIN, and is fully equipped to take money from an ATM, and buy a telly. Simples!!!
Reverse Engineering Attack:
So … we are reverse engineering keys are we? Brilliant! Actually I thought this paragraph might be good, but it isn’t! I thought I would be able to respond to a series of clear and thought out attack strategies, but no! The PCI Guru is presenting a series of statements that could look convincing if you start from the premise that the guy knows what he is talking about, and you don’t understand cryptography and financial cryptographic processes. Yet again, when PCI Guru talks about the banks’ private keys, it is again not clear what he means: does he mean the private key component of a public/private key pair or does he mean the privacy surrounding the DES keys? Any mathematician will tell you that you cannot derive the private key of a public/private key pair from the cryptograms generated by the public key. Why are we even discussing this?
End bit:
The PCI Geezer concludes by assuming that the crims will crack it. The only way this could begin to be possible is if the mathematicians come up with a means of effectively factorising the big numbers used in card cryptography. A possibility, but we aren’t there yet, and there is already work going on to develop alternative cryptographic technologies should this ever happen. However, one needs to consider that the mathematical breakthroughs required to achieve this would also render useless the whole of the crypto-world as we know it, so it isn’t particularly an EMV card-based weakness.
I agree with the PCI Geezer that there are risks with EMV, but it is my opinion that they are almost all to do with how it is implemented, by people like me for example, and not because it is inherently duff, which appears to be his opinion.
Perhaps if the PCI Geezer did spend more time looking into this topic further, he may find himself in a position to be able to give some properly considered judgements, rather than feeding his loyal readers with “questionable” and “misleading” information, which, I have to say, they do appear to believe!
I may now go back and look at parts 1 and 2 again. It’s only fair.
Mr. Griffiths:
I am truly sorry you skipped the first two posts. These are probably the most important because they explain why your precious EMV is not being rolled out across the world. Business men are charged with making money and as long as EMV costs more to implement than it saves, it will have a tough go.
The Cambridge attack had nothing to do with encryption or cryptography. This is what a lot of people miss in their analysis of threats. If you had bothered to read the report and not relied on the news reports, the Cambridge attack had everything to do with the transaction protocol between the EMV card and the processor. It faked out both sides to believe that a transaction had been correctly conducted including a PIN entry which can occur with any PIN. That is the insidiousness of this attack is that it does not need to rely on decrypting anything.
Now you would probably ask, “So what?” The “so what” is; suppose that criminals have created tampered with terminals and they have been able to put those terminals into service at a popular petrol station chain. The terminals are programmed to implement the Cambridge attack based on the PAN presented on the Chip and PIN card. Now whenever PANs are presented that are identified by the terminal, they fake out the POS to believe that the transaction was approved when it was rejected. How long do you think they could get away with free petrol and whatever else before someone catches on? Given my experience, it would probably take quite a while. That my dear friend is fraud, plain and simple and your precious EMV is worthless to stop it.
The problem this exploit points out is that there are ways to circumvent having to deal with cryptography and still commit fraud.
I would also like to discuss is reverse engineering of cryptographic keys. Cryptography is just a division of mathematics. If I know the cryptographic equation and I have all of the pieces except one, it is child’s play to solve for the missing piece, regardless of the size of the number. This is exactly how encryption keys get compromised is by people that have all of the pieces except the one. Therefore, what the criminals do is use their own cards to supply all of the necessary information except the private key at the other end. Simple mathematics allows them to solve for the missing key. People have the mistaken belief that criminals are stupid, but, in fact, most are highly intelligent. It is just their intelligence is put to the wrong uses.
Fraud is a lot like a balloon. When you push in on one side, it expands on the opposite. In fraud, when you remove or limit a particular avenue of fraud, you usually point people to explore other avenues. In the case of EMV, when the cards limited the face-to-face avenue, the criminals moved in droves to on-line fraud, foreign ATMs and the like. In the end, while EMV will ultimately reduce fraud, it will never entirely eliminate it. There will always be some enterprising person that figures out how to beat the system.
Finally, age has its benefits. I have been through centralized computing, distributed computing, client/server computing, virtualization and finally cloud computing. Guess what? What goes around comes around. The only thing that changed was the programming languages and the communications protocols. Everything about virtualization and cloud computing that everyone is so enamored with these days, I was doing back in the 1970s on mainframes. The mistake all generations make is that they think all the other generations are clueless when it comes to that generation’s technology. While this used to be true in the past, I am finding that the current generation does not have the depth of experience with technology that they think. Current and future generations have a good understanding of how to use their technology but totally miss the true mechanics of how their technology works. IN my opinion, this is because we have so totally abstracted the details of the operating system and other detailed interfaces, that most persons, even those in the technology business, are clueless as to how their programs and devices actually work. All you have to do is to interview them and it becomes very apparent that they are clueless as to how what they wrote actually works. You start to get the impression that all of those sci-fi stories were the people do not know how to maintain their technology is actually coming true.
PCI Guru
Mr PCI Guru
I was just on my way to bed when I saw this, so forgive me – I may be a little tired, but here goes … again.
I shall be returning to the first two posts but since one of your PCI drivers is the weaknesses and crackability of EMV, I am compelled to follow that route. I have no particular love of EMV, in some ways it could be argued that it is too complex for its own good. I can see the validity of this point of view, but having been involved in the implementation of real EMV systems for the last 8 years, I can’t see where the simplifications could really come from.
So, onwards to Cambridge – you seem to assume that I don’t look at the detail, only the reports. Well, firstly, I only live 30 miles from Cambridge and the guys there are not that many degrees of separation away from me. I have faced a number of challenges from them over the last 25 years in banking systems, going back even to ghost ATM transactions, but those are stories for another time. When the Prof’s “Chip and PIN is Broken” work was reported on, we saw it in the news the same as everyone else. On the day the news broke were asked to assess it by one of the world’s biggest banks. As it happens, it’s the first thing that the Cambridge guys have done that actually works, but it’s a fraud attack that’s also easy to prevent. You are absolutely right that the issue was within the protocol, but it does still require the REAL card (won’t work with a clone card), and if you know your EMV you will be able to pick the hole in my argument here, because there could still be a bit of a weakness.
Now, your scenario of the crims implementing the Cambridge attack on compromised terminals: the fraud can only work if the crims can authorise the transaction offline, and the card will force itself online after a small number of offline transactions or when it hits an internal limit, and most petrol is authorised online anyway, so the opportunity isn’t really there – the answer to your question then is a couple of tanks.
However …
The fraud isn’t about faking the response to make the terminal believe that the transaction was approved when it was actually declined, it’s about fooling the card into thinking the PIN pad isn’t working; the transaction itself is still legitimate. The fact that you have said “fake out the POS [blah blah]” indicates to me that you are not really understanding the mechanics of this potential fraud, ‘cos what you have described ain’t what happens.
Now, do you really want to get into a cryptographic discussion? Here we have a real case in point: PCI Guru says, with real conviction, that if you have all the pieces except one, then it’s child’s play to discover the missing piece – everyone agrees, the PCI Guru really does know what he is talking about! Hey, I agree too. Then the PCI Guru takes this agreed point and suddenly extends it beyond all recognition to cover the whole of cryptography: the trivial point about given all the data but one piece would allow the one piece of information to be calculated, all of a sudden means that breaking the cryptography within EMV is just a matter of being in possession of the right data. But the PCI Guru knows what he’s talking about, so this must be true too? Hey, at this point, I don’t think I agree any more.
If PCI Guru knew anything about EMV, he would know that the crim can’t obtain the necessary data from one, or indeed all, cards. It just isn’t there. If PCI Guru knew anything about asymmetric cryptography, he would know that even if he had all the data available, he still wouldn’t be able to derive the private key. It just can’t be done. If the PCI Guru knew anything about card issuing, he would know that there are three private keys in EMV, one on the card, one belonging to the card issuer and one belonging to the card scheme, and each is encrypted by the next one in the hierarchy (there are other keys too – 3 different symmetric keys, but they aren’t accessible from the outside world). PCI Geezer thinks that cracking three levels of Public Key Cryptography is as easy as cracking single DES. What a geezer.
I think in one of my earlier responses I agreed that crims weren’t dim. That was the reason I gave for them not going dumpster diving for PANs in the Far East, and why PAN hacking is only rife in the US – the crims know which data to go for. In the UK, they are going after internet banking credentials, for example.
We pushed the fraud balloon, and the fraud emerged elsewhere. It was expected. It was expected that CNP fraud would increase, but CNP fraud has different vectors and different prevention mechanisms. One of the reasons that the fraud has migrated is because of the strength of EMV. We now need to work on CNP – PCI is not the way to do this.
Age? Age does indeed have its benefits: wisdom; experience; gut feeling even.
EMV has some weaknesses, but they have either been addressed already or they will disappear as the DDA and CDA chips are rolled out (this is not a new idea, it was always the plan). The EMV specifications are fiddled with occasionally, but generally to add additional business features, not to address fraud holes. Bottom line is that it works, it might cost more than you would like, but it’s a one-off cost and it’s not vulnerable to crypto-attacks. The advantage of EMV is that the transaction data is worthless outside of the transaction itself, and as such, merchants do not need to be held responsible for its safe keeping.
PCI, on the other hand, is constantly being re-specified as non-payment “experts” attempt to apply what would be sound security principles elsewhere into an environment that doesn’t actually need it. Implementing PCI is also expensive, and for the merchants it’s an ongoing expense that must be addressed year on year, and it’s the merchants who pay and it’s the merchants who are held responsible for data breaches, and have to pay.
The straight question to PCI Guru is: what happens when the whole world is PCI compliant, and I build a spoof vending machine that captures magstripe data? How will the PCI-compliant systems be able to spot a magstripe clone? This is already happening.
For the record …
Track 2 data consists of a PAN, an expiry day, and a bit more, anybody can clone it, and no one can spot the clone!!! Just so we all know what we are comparing, I have dumped the readable data from a simple SDA card (it is mine, and there is no risk). There is also other data on the card that cannot be read from it, so that makes things a little more difficult, and DDA card data is longer, and there is more hidden data. I may have missed a bit because I am tired, but otherwise, it’s all there. By the way, if you are so inclined, you can’t write this stuff to a card and make it work! I have to say that I wouldn’t do this with mag stripe data.
31 50 41 59 2E 53 59 53 2E 44 44 46 30 31 70 20 61 1E 4F 07 A0 00 00 00 04 10 10 50 10 4D 41 53 54 45 52 43 41 52 44 20 20 20 20 20 20 87 01 00 90 00 6F 20 84 07 A0 00 00 00 04 10 10 A5 15 87 01 00 50 10 4D 41 53 54 45 52 43 41 52 44 20 20 20 20 20 20 90 00 0E 5C 00 08 01 02 00 08 03 05 01 30 01 01 00 90 00 70 42 5F 20 1A 47 52 49 46 46 49 54 48 53 2F 44 41 56 49 44 2E 4D 52 20 20 20 20 20 20 20 20 9F 1F 0D 31 30 30 30 30 33 37 31 37 39 32 32 30 57 13 55 78 44 10 05 47 44 71 D0 90 62 01 10 00 03 71 79 22 0F 90 00 70 58 8F 01 04 9F 32 01 03 92 24 7E 75 D7 40 5C A6 73 C4 85 7E CC 80 9F F9 6C 5A CF 0B E6 FC 4F 98 E2 76 1F A0 64 59 4E FB CE C6 C7 2B 25 E5 9F 42 02 08 26 5F 30 02 02 01 5F 28 02 08 26 9F 08 02 00 02 8E 10 00 00 00 00 00 00 00 00 41 03 5E 03 42 03 1F 00 9F 07 02 FF 00 90 00 70 32 5F 25 03 06 06 01 5F 24 03 09 06 30 5A 08 55 78 43 10 05 47 44 71 5F 34 01 01 9F 0D 05 F0 60 BC 88 00 9F 0E 05 00 00 00 00 00 9F 0F 05 F0 68 BC D8 40 90 00 70 81 93 90 81 90 69 18 36 58 2D A5 96 BB 86 AF B4 D9 6A 4A D6 0A A3 17 AF 83 9A 74 09 68 B0 A6 E5 32 34 FB 6B A4 6D 8D 64 7A 5A 3D 98 E5 8F AA 9A 04 4B D2 43 2D 0A 82 B9 8D 31 B5 31 08 E9 51 8D 87 9F 65 9A EA 88 72 51 A1 22 1C 81 E2 AF A5 DE DC 5F 70 F0 DA 06 03 2F E4 62 A1 3A 38 75 AE 88 DD F2 D9 C1 FC D2 50 D2 2D B4 07 94 49 A7 B7 24 3F 80 EE 1B 99 A9 60 9E B8 FB A2 80 22 1C CC C9 91 FD 50 F8 4E 57 99 D2 E4 3F 51 4F DB AC 67 10 44 0A 23 FE 05 90 00 70 81 93 93 81 90 82 48 4F 5A 83 7E 0F 1B 06 D3 E8 68 11 77 04 F7 B2 21 9E 61 86 25 82 E2 B6 1A 52 89 9F 5D 7A 3D 3D 14 32 C5 DD 8C E8 70 33 4A E4 2A 47 06 99 1D 95 69 B0 5E 7F 41 E4 9F 5D B5 6D D4 66 2B 8E 32 A2 A8 61 6C DD E1 D0 9C 7F E6 46 A7 6E C4 15 92 EF C0 3C 1E 06 01 E8 9C 2E AC B9 03 CC 2B 13 20 ED 9F DD CF 23 34 3E 5B 2B F6 57 F5 E4 C5 AC 01 AA 18 E1 63 41 D7 B4 DF 8A E6 CC A5 42 C6 E8 44 AC 57 B7 41 EE 21 00 CF BC BB 1C C4 F3 68 88 18 90 00 70 30 8C 15 9F 02 06 9F 03 06 9F 1A 02 95 05 5F 2A 02 9A 03 9C 01 9F 37 04 8D 17 8A 02 9F 02 06 9F 03 06 9F 1A 02 95 05 5F 2A 02 9A 03 9C 01 9F 37 04 90 00
I am not an EMV evangelist, but I feel protective when it is attacked by people who don’t get it very much, but who are regarded as experts by those people who get it even less.
All I am asking is for the PCI Guru, or someone else, to come along and says “David, you’re talking ARSE” and for them to present to me a valid reason as to why that is the case. No one has yet done this.
Right, I’m off to bed …
This was a very interesting post! All of the parts so far have been very informative – thanks for going into such detail!
I found this post in a CSNews article today – looks like this topic will also be being addressed by the PCI council in some of their additional documentation when the new standard comes out:
“Looking toward the future and the hot topic of Chip and PIN or EMV, Russo said it’s not something the council can determine or dictate, but if it does happen, all of the brands’ compliance programs would change.
‘A lot of the world is already using it,’ Russo noted, explaining Chip and PIN requires not only a signature but also a PIN number when purchasing with a credit card. ‘We put together some guidance, and this will also be released for our community meetings.’
The guidance touches on Chip and PIN, tokenization and point-to-point encryptions, he said. ‘We will be giving guidance on those technologies and what, if anything, is already satisfied within the standards.’ “