Posts Tagged ‘Chip and PIN’

18 Jan 14

Why The Paradigm Must Change

The Target, Neiman Marcus and the potential other breaches of retailers to come should be a learning moment for all of us to demand that the card brands change their business paradigm to one that is more secure.

Bolt-Ons Do Not Cut It

For all intents and purposes, how a credit card works has not changed since the late 1950s when they were introduced. Yes, there have been advancements such as EMV, 3D Secure and end-to-end encryption (E2EE), but those are all things that just bolt onto the original concept. The trouble is that, given today’s technologies and their capabilities, the card and the bolt-ons are just no longer providing the security they once did.

With the Target breach there has been a call to get the US to finally convert to EMV.  The trouble is that EMV would have leaked enough information for fraud to be committed as well, so it is not an answer.

Trade association spokespeople trotted out 3D Secure and other methods of securing online transactions.  The trouble is that most merchants eschew 3D Secure and its kind.  In addition, there are known vulnerabilities with these supposedly secure payment methods so they also have potential issues that could be exploited.

Then there is E2EE also known as point-to-point encryption (P2PE) from a PCI perspective.  These also can be exploited.  It may be more difficult, but when you are determined to gain access to sensitive information, that does not matter.

After the release of the PCI DSS in 2008, a lot of retailers implemented a variety of E2EE solutions.  Unfortunately, the endpoint at the retail location was the POS register and not the terminal.  This was not due to merchants’ negligence; this was due to how their POS applications operated.  This allowed for attacks such as that used in the Target breach to succeed.  All the attacker has to do is insert their malware into the POS process so that the malware can “see” the cardholder data before it gets encrypted.

Even solutions that do E2EE/P2PE to the terminal can be defeated by taking the same approach and inserting the malware into the terminal process before the terminal can encrypt the data. Worse yet, if the terminal is breached, the attacker can capture PINs if they also have malware that captures the keystrokes on the terminal before the PIN is encrypted. There are a number of methods to minimize these risks at the terminal, but if the terminal supply chain is compromised, as it was over a year ago in the Barnes & Noble breach, there is little a merchant can do to stop such attacks.

The bottom line is that all of these solutions are bolt-ons to the existing card paradigm and all still have risks that a breach could occur.

Using Complexity Against Us

Brian Krebs and others have wondered aloud how a sophisticated organization such as Target, with information security and forensic resources second possibly only to the government, could have been compromised, particularly after the 2007 compromise by Albert Gonzales, when Target totally revamped and increased its security posture to minimize the likelihood of another event.

The first clue to me came when I read the iSIGHT PARTNERS report on the Target breach.  The theme that comes through loud and clear is that the attackers are using the complexity of Target’s technology infrastructure against Target.  I mean how could FTP activity and huge data transfers (internal and external) go so unnoticed?

Actually, that was likely fairly easy.  The attackers used existing network traffic to mask their own network traffic.  They sought out servers that already had large volumes of traffic and put their data collection server on one of those servers that already had a lot of traffic.  Better yet, a server that was already running as an FTP server.  As a result, even with diligent monitoring, the increase in traffic likely did not raise any alarms.

People assume that such breaches are like a “snatch and grab” in the real world.  The attackers break into an organization’s network, quickly take what they can off of the computers they encounter and leave.  That was the modus operandi (MO) in the past, but not today.  Sophisticated and organized attackers such as those that breached Target, do what they can to remain unseen while they learn more about their victim.  They take their time mapping out the network and determining what devices they want to compromise to further their efforts to gain access to the sensitive information they seek.  Because of this, it is highly likely that the Target attackers encountered the Target customer database during their investigation of the Target network and took it first so that they would have at least something for all of their efforts.

The most insidious thing I think the attackers did was that they likely used Target’s software distribution system to disseminate their malware. Given the number of POS systems compromised (around 51,000), I find it hard to believe that the attackers manually installed their malware on those POS systems. It would have placed their operation at extreme risk, likely resulting in its discovery. By using Target’s software distribution system, the attackers got the added benefit of legitimacy for their malware because Target themselves did the installation. As such, the malware would appear valid because Target’s software management system initiated the change.

Now What?

All of this brings up an interesting conundrum.  If attackers are stepping up their game and using such techniques, how do we detect them?  It is a very good question with no good answers.  The iSIGHT report offers methods to stop and eradicate this particular attack.  However, the next attack and the attack after that will all likely use different malware and different techniques to get the data out of your network.

We are in a war of escalation with no end in sight. Merchants step up their efforts to stop such attacks and the attackers adapt and adopt new techniques to breach organizations and gain access to their sensitive information. What we need is a solution that stops the escalation and gets us out of this vicious circle.

That is why I am pushing the 15 – 16 character single use transaction code as that solution.  My reasons are as follows.

  • The algorithms already exist as a number of the card brands experimented with them a decade or more ago.
  • It will work with existing POS technology and applications.
  • It will work with existing eCommerce sites.
  • It can be implemented into eWallet applications.
  • It can be processed, stored and transmitted without encryption.
  • It can be generated by PCs, smartphones, tablets, credit card sized devices and any other devices that have computational capabilities.
  • It can be displayed on devices in a character format for manual entry or as 1D or 2D bar codes for scanning.
  • It can be transmitted via swipe, EMV, near field communication (NFC), Wi-Fi or even Bluetooth.
  • And best of all, it is secure by the very nature that it can only be used once.

There will be some changes that would be required at the transaction processors and acquiring banks to handle such a solution.  But given that some of the card brands already have experience with this solution, there is a body of knowledge that already exists as to how it needs to be implemented.

Let the discussion begin on how we move ahead with a better, more secure solution.

10 Jan 14

The Economics Of EMV

There are a lot of people out there that have apparently taken big swigs of the EMV Kool Aid and think that merchants and banks in the United States are all idiots for not believing in EMV.  Well folks, here is EMV by the numbers.  Unfortunately, the best set of complete numbers I could get are from 2009, but I know that the fraud percentages have not radically changed since 2009.

As this example will illustrate, EMV in the US is a non-starter, not because we do not like EMV, but because it makes no financial sense. While I am using Target as the example, these numbers are pretty much what most retailers (large or small) are looking at as they evaluate going to EMV.

  • Target had around $65B USD in revenue for 2009 as reported in their Annual Report.
  • For 2009, card fraud amounted to 0.11% according to a report from the US Federal Reserve Bank of Kansas City report on EMV adoption. For comparison, card fraud in the UK (the best in Europe and the best for EMV countries) is 0.08%, a 0.03% improvement over the US.
  • We know that not all of Target’s revenue is in card transactions but I will estimate that 70% of revenue was card transactions (around $45.5B USD). Then Target has around $50M in losses related to card fraud for the year at 0.11%.  Therefore, assuming a 0.03% improvement in fraud due to implementing EMV, Target is saving around $13.5M USD a year.
  • Estimating between $50M to $100M USD to replace the POS (possibly), terminals and software to support true EMV (for comparison, Target is already spending an estimated $25M to $30M just on new terminals), Target gets a payback on that $13.5M USD savings due to EMV in around four to seven years.

I can tell you from experience that, if a merchant cannot get a three year or less payback, they will not even consider the investment. A two year or less payback is actually preferred and the only sure way for any project to get management’s consideration and approval.

But while the financials for EMV do not add up, there are also other factors that are causing retailers to question a conversion to EMV.

One of the largest is the fact that EMV does nothing to stem the fraud losses from card not present (CNP) transactions. Since most retailers view eCommerce as their next new retail opportunity, the exponentially increasing losses due to CNP fraud do not improve the likelihood of converting to EMV. And with that larger focus on eCommerce and on maintaining brick and mortar margins, the reluctance to invest significantly in any changes to those brick and mortar operations also holds retailers back from transitioning to EMV.

Another consideration is that a lot of retailers just upgraded their terminals a few years back to comply with the PCI PTS requirement. Most retailers like to get at least seven to ten years out of their technology investments. Had Visa and MasterCard played their cards right and coordinated their EMV push with the PTS changes, the US likely would have converted to EMV.

Finally, there are concerns about EMV even surviving given the advent of new payment technologies such as eWallets as well as Bitcoin and other new forms of payments. As a result, a lot of retailers are sitting on the sidelines while technology and payment methods sort themselves out before considering making any investments in new payment process capabilities.

Those, my friends, are the cold, hard facts of why EMV is currently dead on arrival in the US.

22 Dec 13

How About We Fix The Problem?

As I pointed out in my last post, EMV would not have stemmed the loss of data in the Target breach. All EMV would have done is restrict where the thieves could use the card data obtained. Even though the thieves can supposedly clone cards from the data gathered, as far as anyone has reported at this point, cloned cards do not appear to be the method of fraud. So the assumption I have is that all, or the vast majority, of the fraud committed to this point has been through card not present transactions.

In response to people clamoring for a solution to the breach problem, Visa and MasterCard have curiously remained silent. I would have assumed that the card brands would have trotted out their press releases touting EMV as the savior. Yet they have said nothing. Could it be that the card brands are actually acknowledging that EMV would not have been the answer? One can only hope.

So what is the answer?

To me the answer is single use transaction codes of 15 to 16 characters in length.  With the advent of smartphones and miniaturization of electronics, the ability to create a card or an application that generates such a code is not only possible, but has been demonstrated in recent years.  Not only that, but the card brands and banks themselves dabbled with such solutions over 10 years ago but for some reason backed off on pushing such a solution.  My best guess is that without a portable method of using the single use code system, there was no point to pushing such a system.  But times and technology change.

With the capabilities of today’s technology, the single use codes could be displayed as bar codes so that existing merchant POS systems could scan them and avoid data entry errors.  Since they are no more than 16 characters in length, the codes can be stored in applications’ existing fields used to store card numbers without modification.  Since the card brands and banks have already developed the algorithms for this approach, they only have to agree on which algorithms to use.  But best of all, since the code can only be used once, it can be processed, stored and transmitted wherever and however without fear of a compromise because it can only be used once.
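The single use transaction code idea from this post and from the "Why The Paradigm Must Change" bullet list above can be made concrete with a small issuer-side model. This is an added illustration, not the algorithm any card brand experimented with: it assumes each card or wallet app holds a per-card secret key and a counter, derives each code with HMAC-SHA256, and formats it as 16 Luhn-valid digits behind a constructed routing prefix so it fits an existing PAN field without modification. The issuer host keeps the next few codes per card pre-computed so a bare code can be matched back to its card, and it retires each code on first use, which is what makes a captured code worthless to replay.

```python
"""Illustrative single-use transaction code scheme (assumed design, not a card
brand's algorithm): HMAC-derived, 16 Luhn-valid digits, redeemable exactly once."""
import hashlib
import hmac

# Constructed routing prefix (not a real BIN); a real deployment would reserve a
# range so acquirers can route the code exactly like a PAN.
ROUTING_PREFIX = "999999"
DYNAMIC_DIGITS = 15 - len(ROUTING_PREFIX)   # nine digits vary per transaction


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a digit string; the rightmost payload digit is doubled."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when the last digit is the correct Luhn check digit for the rest."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def generate_code(card_key: bytes, counter: int) -> str:
    """What the card, smartphone app or eWallet computes for its next transaction."""
    mac = hmac.new(card_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    dynamic = str(int.from_bytes(mac[:8], "big") % 10**DYNAMIC_DIGITS).zfill(DYNAMIC_DIGITS)
    payload = ROUTING_PREFIX + dynamic
    return payload + luhn_check_digit(payload)


class IssuerAuthorizer:
    """Issuer host: holds each card's secret, the last counter redeemed, and a
    look-ahead window of pre-computed codes so a 16-digit code maps to a card."""

    def __init__(self, window: int = 5):
        self.window = window
        self.keys = {}           # card_id -> secret key
        self.last_counter = {}   # card_id -> highest counter already redeemed
        self.pending = {}        # code -> (card_id, counter), still redeemable

    def enroll(self, card_id: str, card_key: bytes) -> None:
        self.keys[card_id] = card_key
        self.last_counter[card_id] = 0
        self._refill(card_id)

    def _refill(self, card_id: str) -> None:
        last = self.last_counter[card_id]
        for c in range(last + 1, last + 1 + self.window):
            self.pending[generate_code(self.keys[card_id], c)] = (card_id, c)

    def authorize(self, code: str) -> str:
        if len(code) != 16 or not luhn_valid(code):
            return "reject:format"
        hit = self.pending.pop(code, None)   # pop: a code can only ever be taken once
        if hit is None:
            return "reject:unknown-or-used"   # never issued, already spent, or out of window
        card_id, counter = hit
        # Older codes that were generated but never presented are retired as well, so
        # the counter only moves forward and a stale code cannot be replayed later.
        for k, (cid, c) in list(self.pending.items()):
            if cid == card_id and c < counter:
                del self.pending[k]
        self.last_counter[card_id] = counter
        self._refill(card_id)
        return "approve:" + card_id


def demo() -> list:
    """One card: a purchase, the same captured code replayed, then the next purchase."""
    issuer = IssuerAuthorizer()
    card_key = b"constructed-per-card-secret"   # would be provisioned into the card/app
    issuer.enroll("card-A", card_key)
    first = generate_code(card_key, 1)
    results = [issuer.authorize(first)]                             # approve
    results.append(issuer.authorize(first))                         # replay rejected
    results.append(issuer.authorize(generate_code(card_key, 2)))    # next code approved
    return results


if __name__ == "__main__":
    print(demo())
```

Nine varying digits are enough to show the mechanism but not to index millions of cards through a shared lookup; a production design would dedicate part of the code to an account reference or lengthen the code, and would rate-limit a card whose codes keep missing the window. The security property the post relies on is visible in `authorize`: a POS that logs or leaks the code has only a value the issuer has already spent, and the per-card key never leaves the issuer and the card.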

This is just my thought for a solution but there are other people and organizations that have their own solutions to fix this problem.  The bottom line is that it is time to fix the problem, not keep kicking the can down the road with a known format that is at the end of its life.

21 Dec 13

EMV And The Target Breach

There are a lot of people now pointing to the Europay MasterCard Visa (EMV) card (aka “Chip and PIN”) as the savior from breaches such as those at Target and I am sure Visa and MasterCard are very pleased with that fact. Well, I hate to burst your bubble, but if the US was only using EMV like Europe and Canada, it probably would have had only a minor impact.

Are you stunned by that statement? After all, that is not how Visa and MasterCard are portraying EMV. If you read their media statements, they imply that EMV is the answer to these breaches.

To make sure I was describing the security features of EMV correctly, I reached out to my friend and EMV expert Andrew Jamieson, Security Laboratories Manager, at Underwriters Laboratories – Transaction Security in Kew, Australia. Underwriters Laboratories tests and certifies a lot of things, one of which is card terminals (magnetic stripe and EMV) to the PCI standards. As such Andrew has a lot of knowledge in the area of EMV and how it works.

I asked whether or not EMV cards are encrypted.

“EMV cards are not encrypted, per se, but instead store a couple of secret keys which are used as part of the authentication of the entire transaction. All card data can be output from the card in the clear – PAN, CVV, etc – except for the customer PIN and the secret keys. The CVV will also be different from that on a magnetic stripe, either static (called an iCVV) or can also be a dynamic value that changes with each transaction (dCVV).”

Well there is a piece of interesting news. While the transaction gets encrypted with the secret keys, an EMV card would still provide some information in a Target-like breach.

Then I asked if there is a risk even with EMV.

“So, any chip based transactions from an exposure such as the Target one would only have exposed the PAN (technically, the PAN on the card can be different from the PAN on the face/track, but in reality this never happens), not the full track. As the CVV would not have been exposed, the PAN would have limited value.”

If the magnetic stripe was not present, the CVV would not be required or recorded in the chip, so only the iCVV or dCVV would be available and those would not be usable as the code printed on the card would not match either of those values. Therefore the information gathered would not allow for the cloning of cards because the information recorded in the chip is not the same as the information that is printed on the physical card. But this should not be a surprise because that was what the EMV standard was designed to do, prevent the cloning of cards.

However in a Target-like breach where the terminal and/or POS system were compromised, the chip would have still given up enough information to be used in card not present transactions such as those conducted via eCommerce. As a result, the attackers would be limited to only defrauding online merchants but that is where most card fraud is being committed.

EMV is not a “silver bullet” such as the card brands like to imply. Yes, it is better than the magnetic stripe, but it does nothing to stem the tide of the growing fraud in online transactions. There are a number of new technologies on the horizon that will minimize the fraud risk of using credit/debit cards in both card present and card not present situations. But until the card brands get behind those solutions, they will continue to push their old solutions and not address the current problems.

01 Sep 11

Visa Is Upset

It seems that I ruffled some feathers at Visa Inc. with my post regarding their program to incentivize adoption of EMV in the United States.  Since I irritated another vendor today, I thought why not make the day complete and irritate another vendor?

As a result of my “A Carrot for Chip and PIN” post, I was contacted by Visa’s public relations firm requesting that I correct my post to properly characterize the program.

“My client, Visa Inc., requests a correction to a factual error on your PCI Guru blog: “A Carrot for Chip and PIN” (https://pciguru.wordpress.com/2011/08/13/a-carrot-for-chip-and-pin/).
While the initiative is certainly aimed at promoting the use of EMV chip, it is not aimed at promoting PIN, per se.  Hopefully, the following post on the Visa corporate website will provide clarification, but please feel free to contact me if you have questions: http://blog.visa.com/2011/08/26/pin-largely-unaffected-in-u-s-migration-to-emv-chip-2/
Many thanks in advance for correcting the story!”

As requested, I went and read the Visa blog entry.  This blog entry is regarding the fact that PIN usage was not being affected or required by the new program.  Apparently a major industry media outlet had implied that Visa was pushing for not using PINs which is not the case.  However, if you read my posting, I do not reference anything regarding PIN usage.  As a result, I asked the PR person to clarify what the problem was with the post.

“I guess I’m a bit confused about your request for a correction.
EMV is known as “Chip and PIN” everywhere around the world. My post does not discuss PIN usage, only that Visa is promoting “Chip and PIN” as a card format as well as the RFID contactless card.
I’m always willing to make corrections, but is Visa requesting that I not use the terminology “Chip and PIN” and refer to it only as EMV?”

To which, I received the following reply.

“Yes, it would be correct if you just removed the references to PIN. While signature is the most common form of authentication used with chip around the world, some regions such as the UK have so popularized the term chip and PIN that it has virtually become one word.
So yes, it can correctly be referred to as a move to “EMV chip” or just “chip” if you prefer.
Many thanks!”

At first blush, this seems to be a very petty argument as to why I need to change my blog post.

But whoa! Signature is the most common form of authentication with EMV cards around the world? So, what is the point of having EMV if signature verification is still used? I have always been told that the whole point of EMV was the coupling of the chip technology with the personal identification number (PIN). The only reason signature is the most common authentication method is because, outside of Europe, Ireland and the UK, no one has the infrastructure on a large enough scale to process EMV with a PIN. That is the whole reason Visa is trying to push EMV and contactless: to broaden its use.

Basically, from my interpretation of this response, I was accurate in my original post when I stated that Visa thinks that removing the PCI ROC requirement is enough to drive merchants to implement EMV or contactless terminals.  How could that be when it would take most merchants 10, 20 or even more years of ROC cost to equal the cost of replacing terminals?  Just how does an organization justify such an expense?  Particularly since the other card brands have not agreed to support this program.

But the other thing that disturbs me about this response is that Visa is upset with the use of the term Chip and PIN. Never mind the fact that Visa uses the term Chip and PIN on their own Web sites around the world as a reference to EMV, or the fact that Chip and PIN is essentially synonymous with EMV.

So I respond to the PR person.

“I have reviewed my post (https://pciguru.wordpress.com/2011/08/13/a-carrot-for-chip-and-pin/) against the post on Visa USA’s Web site (http://blog.visa.com/2011/08/26/pin-largely-unaffected-in-u-s-migration-to-emv-chip-2/) and I fail to see why any correction is necessary.
The post from the Visa blog references the fact the [media outlet] stated that the PIN was being dropped in the move announced in http://usa.visa.com/download/merchants/bulletin-us-adopt-dynamic-authentication-080911.pdf.  The Visa blog post goes on to further clarify and define the fact that PINs will still be used.
My blog post says nothing about the PIN being used or not used. My blog post is about the business reasons why such a program is not going to be a reason for US banks or US merchants to move to EMV. As I reread my post, other than the fact that I used the term “Chip and PIN” in the title and then as an “aka” reference for EMV in the first paragraph, the remainder of the entry refers to the card by EMV or the dual chip terminal. As a result, I fail to see the need to make any changes to the post as the post has no relevance to the Visa USA blog post other than they both reference the aforementioned Visa program to promote EMV in the US.
If Visa USA does not like the use of the term “Chip and PIN” then I suggest that Visa USA take that matter up with the UK and Irish banks that created it more than a decade ago. The fact that EMV and “Chip and PIN” are now synonymous with each other is also an issue that I am not responsible for, nor will making any change to my blog entry affect it.
If there is anything else I can assist you with, please let me know.”

The PR person responds.

“EMV is not synonymous with chip and PIN. The EMV standard specifies a number of cardholder verification methods including signature, offline PIN, online PIN, and no verification. Also, while you may possibly be most familiar with chip and PIN implementations in the UK and Ireland, in fact the majority of global implementations of EMV chip have been with signature. Citing chip and PIN in the headline implies that every chip transaction would be verified with a PIN (as they are in the UK and Ireland), which in the U.S. is incorrect, and I know you want to avoid factual errors.
Thanks again for your consideration of this request. Please consider me a helpful resource on future security matters in which Visa Inc. may be a good fit for your story.”

While I understand the PR person’s point, let us face facts.  Google Chip and PIN or EMV and the other term comes up in the results.  If that is not the definition of synonymous, I do not know what is.  Visa’s beef with my post really is the implied connotation by using the term ‘Chip and PIN’ in the title that a PIN would be required.  Whereas, all I was trying to do was to provide an easily Google-able term for people interested in EMV since EMV is usually referred to as Chip and PIN.  Such a complaint is laughable if it were not so sad.

Then to bring up offline PIN entry, which has been repeatedly shown to be the biggest reason why EMV and contactless with PIN can still result in card present fraud, is amazing and just shows how limited this individual’s knowledge is regarding their client’s products and services. But to add insult to injury, they then bring up the wonderful fact that EMV and contactless can also be used with no authentication. Not that I think anyone would actually do this, but it is an option.

However, the issue of not using the PIN along with the chip truly comes through in this response. In my very humble opinion, the fact that Visa actually believes in pushing EMV without the PIN is just hysterical. What is the point? And this response actually confirms that I was correct in what I stated in my original post, and is why I wrote the original post in the first place. Given the current state of affairs, there is no business reason for EMV or contactless if PIN is not part of the equation.

But this incentive program does nothing to address the even larger issue that merchants and banks face, which is card not present fraud. Card not present fraud is growing at a 20% to 35% clip depending on the survey you read from wherever in the world and comprises more than 50% of total card fraud. If Visa really wanted to make a difference and give merchants and banks a reason to push for EMV and contactless adoption in the United States, they would gather the various stakeholders together in e-Commerce and come up with a common API that would allow EMV and contactless to work online. That would rein in card not present fraud and would truly create a business reason for investing in EMV and contactless capability.

As it is now, EMV and contactless are solutions looking for a problem.

13 Aug 11

A Carrot for Chip and PIN

On August 9, 2011, Visa USA announced an interesting program to give merchants a carrot to drive them to adopt dual-interface chip technology terminals that will accept EMV (aka Chip and PIN) as well as mobile payments using near field communication (NFC) also known as contactless cards and devices that can transmit card information via NFC.

The carrot Visa USA is offering merchants is a waiver on annual PCI compliance if merchants implement dual-interface chip technology terminals. The criteria merchants must meet in order to obtain the waiver are:

  • At least 75% of the merchant’s transactions must originate from dual interface EMV chip-enabled terminals;
  • The merchant validated their compliance with the PCI DSS within the last 12 months with the merchant’s acquiring bank or the merchant filed a defined remediation plan with the merchant’s acquiring bank;
  • The merchant must have confirmed that they do not store sensitive information (i.e., track data, PIN, CVV) after completion of any transaction; and
  • Not involved in a breach situation.

The first requirement certainly drives the swap out of old terminals.  However, until banks start issuing the EMV and/or contactless cards in bulk, the investment by merchants in the dual-interface chip technology terminals is not going to happen.  What I am sure Visa USA is hoping is to get a large merchant like Wal-Mart, Best Buy or Target to buy into the program and therefore drive the issuers and banks to get on board.  Without a big box merchant, this program is pretty much dead on arrival.

The next two points are pretty much the same thing.  In order to be compliant with the PCI DSS, a merchant must prove that it is not storing sensitive credit card information.  The only reason I can see for the third point is, I am sure, to cover the “defined remediation plan” of the second point in the event that the gap found was related to storage of sensitive information.
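The third criterion, that a merchant does not retain track data, PIN or CVV after a transaction, is something a merchant can check for itself rather than merely attest to. The scanner below is an added example, not Visa's or any PCI tool's code: it looks through stored POS output for records shaped like magnetic-stripe Track 2 data (PAN, '=' separator, expiry, service code, issuer discretionary data, which is where the stripe CVV or a chip iCVV travels), confirms the PAN with a Luhn check to cut false positives, and reports only a masked PAN. The log lines are constructed and the PAN is the well-known 4111 1111 1111 1111 test number, not a real account.

```python
"""Added example: find full Track 2 data sitting in stored POS output, which PCI
forbids retaining after authorization.  Log lines below are constructed."""
import re

# ISO/IEC 7813 Track 2 layout: PAN (13-19 digits), '=' separator, YYMM expiry,
# three-digit service code, issuer discretionary data (carries CVV/iCVV), '?' end.
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})(\d{3})(\d*)\??")


def luhn_valid(number: str) -> bool:
    """Luhn check on a complete PAN; filters random digit runs that merely look like one."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four only, which is all a finding report should carry."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(lines):
    """Return one finding per Track 2 record found, with the PAN masked."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in TRACK2_RE.finditer(line):
            pan, expiry, service_code, discretionary = m.groups()
            if not luhn_valid(pan):
                continue
            findings.append({
                "line": lineno,
                "pan": mask_pan(pan),
                "expiry": expiry,
                "service_code": service_code,
                "discretionary_len": len(discretionary),   # CVV/iCVV lives in here
            })
    return findings


SAMPLE_LOG = [   # constructed POS debug output; line 2 is the kind of leak being hunted
    "2014-01-18 10:02:11 POS01 txn=8812 amount=42.17 auth=OK",
    "2014-01-18 10:02:11 POS01 DEBUG swipe=4111111111111111=15121011234567890?",
    "2014-01-18 10:02:12 POS01 txn=8813 ref=1234567=9999 amount=9.99",
]

if __name__ == "__main__":
    for finding in scan_for_track_data(SAMPLE_LOG):
        print(finding)
```

Run it over exported register logs, crash dumps and database tables rather than only application logs; the Target-style malware described in the first post read cardholder data from the POS process before encryption, and any debug path that writes the swipe buffer to disk hands the same data to anyone who later reads that file. The scanner deliberately never emits the discretionary field, so its own output cannot become a second copy of the CVV.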

The fourth and final point just makes complete sense.  If a merchant has been breached, they must have shown that they are PCI compliant before being allowed to be waived from a PCI assessment.

Is it a good idea to waive the annual PCI assessment for merchants all in the name of getting them to adopt a new technology? Particularly technologies that do not entirely solve the fraud issue with credit cards.  Yes, you heard me right.  EMV and contactless technologies do not entirely solve the fraud problem.  While they minimize fraud in the case of card present transactions, they do not even address fraud in card not present transactions.  And it is in card not present transactions where fraud is most prevalent.

So why the push for EMV and contactless cards? That is a good question. The proponents of EMV will tell you it is to curb fraudulent purchases. However, according to the latest information I could find, while EMV is expected to drop card present fraud by 35% this year in Canada (the first full year they have EMV), card not present fraud is continuing to go up. Based on statistics from a variety of sources, card not present fraud ranges anywhere from 40% to more than 60% of the total card fraud committed.

So, if EMV and contactless do little or nothing for the majority of fraud being committed, why the push for them?  That is a really good question.  And to tell you the truth, I have no idea why Visa USA is pushing this other than to make things consistent worldwide.  And from a standpoint of curtailing card present fraud, at less than 5% in 2009 (the last year statistics are available); there is certainly no ROI for EMV.  This is why EMV has not been rolled out in the US.  There is no payback if banks and merchants invest in EMV.

But then you have contactless cards.  Contactless cards rely on near field communications (NFC).  NFC is made possible by radio frequency identification (RFID).  Like the magnetic stripe, the RFID in a contactless card only has the PIN block encrypted.  Numerous proofs of concept attacks have been documented against these contactless cards.  The bad news for cardholders is that unlike EMV and regular credit cards, a contactless card can be skimmed without their knowledge or even suspicion.  The only way the consumer knows their contactless card has been skimmed is when they get their statement and see the fraudulent charges.

But the really stupid thing about EMV and contactless cards is that until every merchant has the ability to process them, they will continue to have to have a magnetic stripe.  This is particularly true for automated teller machines (ATM).  Even in Europe where EMV is the only type of card available, ATMs still require a magnetic stripe.  This would hold true for the US as well since even the major banks cannot afford to change out the card readers in all of their ATMs to support EMV and contactless.  As a result, any transition to these new cards will be a very long time coming.

That is not to say that EMV or even contactless could not take a significant bite out of card not present fraud. While the hardware for the cards exists for PCs, the problem is that such a solution would require a standard application program interface (API) which the card brands, banks, payment processors and merchants have done nothing to create. Over the years there have been a number of solutions proposed by banks and card brands, but nothing that was adopted by everyone. As a result, instead of fixing the problem, everyone just accepts it.

The bottom line appears to be that Visa USA is pushing high technology as a solution for card present fraud that just does not address the real problem.  However, I guess it is better to appear like you are doing something rather than not doing anything.

Relevant reading:

Chip And PIN

The Chip And PIN Debate – Part 1

PCI SSC Nixes PA-DSS Certification For Mobile Payments Applications For A While

12 Feb 11

More On Mobile Payments

As I have found out, the definition of “mobile payment” depends on whom you are talking to. For consumers, mobile payment means using their smartphone to pay for goods and services. For merchants it includes the consumer definition as well as using smartphones or similar mobile devices to process payments.

Last year I wrote a post regarding mobile payments and the use of smartphones, primarily the iPhone, as credit card terminals.  When I wrote that first post, Apple was running an advertisement for the iPhone that showed it being used to process a credit card payment with the ubiquitous tag line, “There’s an app for that.”  Shortly after that post, the advertisement dropped the iPhone as a credit card terminal.  I am not aware that the PCI SSC or any of the card brands complained about that advertisement, but I found it interesting that those images of it processing a credit card were removed, particularly given the number of security and privacy issues that were, and still are, being discussed regarding the iPhone.

That is not to say that iPhone credit card adapters have not continued to be developed.  It is just that they are nothing like the one shown in that original Apple advertisement.  The first one that I came into contact with was Verifone’s PAYware Mobile solution, which is PA-DSS certified.  Whoa!  In my previous post I talked about all of the issues with the iPhone that make it almost impossible to be PCI certified.  How did Verifone create a PA-DSS certified application on the iPhone?  What Verifone did was to create a digital back for the iPhone.  All of the operations that need to comply with the various PCI standards are done in the digital back, not the iPhone.  The iPhone is just used as a display.  In the event that a credit card will not swipe through the digital back, the customer must go to a standard register.  I have also been privy to a number of similar iPhone applications.  All of them avoid the iOS interfaces, as iOS is the problem in achieving PCI compliance.

While the iPhone is the “Big Kahuna” of smartphones, that does not mean that Android and Windows Phone devices are not also used for credit card payments.  Unfortunately, like the iPhone, Android and Windows Phone devices have similar issues that make it difficult, if not impossible, to build PA-DSS certified applications for them.  So from a merchant perspective, iPhone, Android and Windows Phone all have to be treated very carefully when they are used to process credit card payments.

But security concerns have not stopped merchants from rolling out mobile payments.  Starbucks recently introduced an iPhone and Android application that lets the customer put their Starbucks cash card on their phone.  The application displays a 2D bar code containing the cash card’s number.  The Starbucks POS system reads the bar code and automatically deducts the purchase from the account’s balance.  Within a week of the application’s release, it was shown that the bar code is nothing more than a static credential: anyone who takes a picture of the screen can use the account until its balance can no longer pay for a purchase.  So much for secure mobile payments.

If we expect to secure payments, the traditional credit card is just not going to get the job done.  EMV, aka Chip and PIN, is a short-term technological fix but also a backup payment method for where I think we are really headed.  I truly believe that the future in payments is smartphones and other mobile devices with software that generates one-time transaction codes for paying for goods and services.  Whether those codes are displayed as a 15/16-digit number or bar code on a screen or transmitted via Wi-Fi, Bluetooth or RFID, a consumer will not need a traditional credit card.  A 15- or 16-digit number will be necessary so that POS systems do not have to be re-engineered to support the new payment method.  Scanners are already capable of reading bar codes from smartphone screens, so that much of the solution is already in place.  Wi-Fi, Bluetooth and RFID technology is arriving as we speak, so it is only a short matter of time before the infrastructure is in place to support such a solution.  All that is needed is the software.

Such an approach would not only secure card-present transactions, but would also tackle the security issues we face with card-not-present transactions.  If done right, mobile payments can become the solution to our PCI compliance problem.
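The one-time transaction code argued for above can be built from standard primitives.  The block below is an added example written for this page, not code from the original post or from Starbucks, Apple or any vendor.  It contrasts the static bar code (the account number itself, which a photograph replays indefinitely) with a counter-based HMAC code that the issuer accepts exactly once.  The account number, the 32-byte secret, the 16-digit output (sized to fit an unmodified POS PAN field, with no routing prefix reserved) and the look-ahead window of five are all assumptions of the example.

```python
import hashlib
import hmac
import secrets


def derive_code(secret: bytes, counter: int, digits: int = 16) -> str:
    """HMAC-SHA256 over the transaction counter, truncated to a decimal code.

    Same idea as HOTP (RFC 4226) but with a 16-digit output so the code fits
    the PAN field of an unmodified POS system (assumption of this example).
    """
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % (10 ** digits)).zfill(digits)


class PhoneWallet:
    """Consumer side: holds the enrolled secret and a monotonic counter."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        self.counter += 1
        return derive_code(self.secret, self.counter)


class Issuer:
    """Issuer side: enrolls wallets and authorizes each code at most once."""

    def __init__(self, window: int = 5) -> None:
        self.accounts = {}    # account_id -> {"secret": bytes, "counter": int}
        self.window = window  # how far past the last accepted counter to search

    def enroll(self, account_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self.accounts[account_id] = {"secret": secret, "counter": 0}
        return secret

    def authorize(self, account_id: str, code: str) -> bool:
        acct = self.accounts.get(account_id)
        if acct is None or not code.isdigit():
            return False
        # Only counters strictly above the last accepted one are candidates, so a
        # replayed (photographed, skimmed, logged) code never matches a second time.
        for candidate in range(acct["counter"] + 1, acct["counter"] + 1 + self.window):
            expected = derive_code(acct["secret"], candidate, len(code))
            if hmac.compare_digest(expected, code):
                acct["counter"] = candidate
                return True
        return False


class StaticBarcodeAccount:
    """The cash-card approach: the bar code is just the account number."""

    def __init__(self, number: str, balance: int) -> None:
        self.number = number
        self.balance = balance

    def charge(self, scanned_number: str, amount: int) -> bool:
        if scanned_number != self.number or amount > self.balance:
            return False
        self.balance -= amount
        return True


def replay_static_barcode() -> int:
    """A photographed static bar code keeps working until the balance is gone."""
    account = StaticBarcodeAccount("6010123456789012", balance=1000)  # constructed
    photographed = account.number
    successful = 0
    while account.charge(photographed, 400):
        successful += 1
    return successful  # two charges of 400 from a balance of 1000


def replay_one_time_code() -> tuple:
    """The same replay against a one-time code succeeds once and then fails."""
    issuer = Issuer()
    wallet = PhoneWallet(issuer.enroll("acct-1"))
    code = wallet.next_code()
    return issuer.authorize("acct-1", code), issuer.authorize("acct-1", code)
```

The issuer never searches below the last accepted counter, which is what kills the replay; the look-ahead window only exists so that a code the wallet generated but never presented does not lock the account out.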

10
Nov
10

There Are No ‘Silver Bullets’

For the last time, there is no single ‘silver bullet’ solution that perfectly secures cardholder data and its related transaction flows.  As my blog shows, I get comments from all sorts of people saying otherwise.  However, whether you are talking about Chip and PIN, end-to-end encryption, data encryption or tokenization, none of these technologies offers a complete solution to stopping credit card fraud.

Chip and PIN

Chip and PIN was developed to address the problem of face-to-face transaction fraud.  It does not solve the problem of cardholder data being breached in back office systems, where most breaches take place.  The attackers know that somewhere in the transaction flow, someone has to have the cardholder data.  Chip and PIN does not address the back office and never will.  It is not that Chip and PIN is a bad idea; it is that implementing Chip and PIN does not, in and of itself, solve the problems faced with breaches.

End-To-End Encryption

End-to-end encryption requires that both ends use the same encryption process.  So the first problem is that each acquiring bank or service provider will likely have its own implementation of end-to-end encryption, meaning that interoperability will not exist.  Merchants with multiple processors will therefore likely have problems with end-to-end encryption unless they use separate systems.  However, that is minor compared to the next issue.  There are a lot of independent sales organizations (ISOs) and service providers in the transaction flow that require access to the transaction, making end-to-end encryption not quite as easy as one might think.  But the biggest problem with end-to-end encryption is that it only protects the cardholder data from one endpoint to the other.  It does nothing to protect the endpoints themselves or the environment outside of them.  As a result, the endpoints and the environments around them become the targets.  While the endpoint at the processor or acquiring bank is likely fairly well protected, the endpoint at the merchant is probably the weak link, and therefore the merchant is still the target.  The most likely attack here is doctoring the card terminals or POS software so that the attacker can read the cardholder data before it reaches the encryption process.  End-to-end encryption does nothing to prevent tampering with the endpoints.  As with Chip and PIN, end-to-end encryption only addresses part of the problem.
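To make the endpoint problem concrete, here is an added example (written for this page, not code from the original post or from any POS or E2EE vendor) of the scan both attackers and defenders run against whatever sits in a register process before the encryption call: a track-2 pattern match plus a PAN pattern match, each filtered through the Luhn check.  The memory image is constructed for the example and uses the public test card numbers 4111… and 5555…; the “after E2EE” buffer is a constructed byte string standing in for ciphertext, not output of any real encryption library.

```python
import re

# Track 2 as read from a magnetic stripe: ;PAN=YYMMSSS...?  (ISO/IEC 7813 layout)
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]{0,100}\?")
# A bare 13-19 digit run not embedded in a longer digit run (keyed-in PANs, logs)
PAN_RE = re.compile(rb"(?<!\d)(?P<pan>\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check every card number satisfies; weeds out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cardholder_data(buf: bytes) -> list:
    """Scan a byte buffer (process memory image, file, packet) for cardholder data.

    Returns one dict per hit, ordered by offset; a PAN inside a track-2 record is
    reported once, as track2, not again as a bare PAN.
    """
    hits, covered = [], []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode()
        if luhn_ok(pan):
            hits.append({"kind": "track2", "pan": pan,
                         "exp": m.group("exp").decode(), "offset": m.start()})
            covered.append(m.span())
    for m in PAN_RE.finditer(buf):
        if any(start <= m.start() < end for start, end in covered):
            continue
        pan = m.group("pan").decode()
        if luhn_ok(pan):
            hits.append({"kind": "pan", "pan": pan, "exp": None, "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed stand-in for what a POS register process holds between the swipe
# and the E2EE call. PANs are the public test numbers 4111... and 5555...
POS_MEMORY_IMAGE = (
    b"\x00POSAPP 4.2\x00ORDER-20140117-0042\x00TOTAL=00004599\x00"
    b";4111111111111111=25121011234567890?\x00"   # swiped card, track 2 in the clear
    b"CUST 5555555555554444 EXP 12/25\x00"        # keyed-in card, also in the clear
    b"SESSION 1234567890123456\x00"               # 16 digits, but fails Luhn
)

# Constructed stand-in for the same record after the E2EE layer: no digit runs survive.
E2EE_OUTPUT = b"\x02\x8f\xa1\x1cZ\xb3\x07\xe4\xd9|\x93\x10\xa5\xff\x41\xc2\x8e\x03\x17\xbb\x03"


def audit_endpoint() -> dict:
    """Compare what the scanner finds before and after the encryption point."""
    return {"before": [h["pan"] for h in find_cardholder_data(POS_MEMORY_IMAGE)],
            "after": [h["pan"] for h in find_cardholder_data(E2EE_OUTPUT)]}
```

Everything the scanner finds in the “before” buffer is exactly what malware inserted into the register process, or a doctored terminal, gets for free; the encryption only helps once the data has left the endpoint.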

Data Encryption

Data encryption is great for protecting data when it is stored as well as when it is in transit.  However, unlike end-to-end encryption, with data encryption there are multiple points in transit where the data is decrypted and re-encrypted as it moves through the authorization and payment processes.  Any one of these points could be compromised and the encryption defeated.  Cardholder data that is stored encrypted can still be compromised, either at the point where it is encrypted or if the encryption key is compromised.  If data is only encrypted during transmission or only encrypted when stored, it is susceptible to compromise wherever it is not protected.  As with end-to-end encryption, data encryption solves a portion of the problem, but not the entire problem.

Tokenization

Tokenization is the act of creating a value, the ‘token’, and using the token as a reference to the actual cardholder data.  Tokenization is great for merchants because it allows them to keep their old systems running unmodified: the system believes it is getting back the PAN when in fact it is just a token.  However, the cardholder data still has to be transmitted to the tokenization service in order for a token to be generated, so the merchant is still not out of scope.  Worse yet, if that transmission is not protected, the data stream is susceptible to compromise.  As with all of the other solutions, tokenization is also not a complete solution.
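The two sides of that trade-off, a token the legacy system accepts as if it were a PAN and a PAN that nonetheless has to leave the merchant to get it, look like this in an added example written for this page (not code from the original post or from any tokenization vendor).  The vault, the merchant system, the format-preserving token layout (random body, real last four) and the test card numbers are all assumptions of the example.

```python
import secrets


class TokenVault:
    """The tokenization service: the only place a token turns back into a PAN."""

    def __init__(self) -> None:
        self._pan_to_token = {}
        self._token_to_pan = {}
        self.pans_received = 0  # every tokenize() call means a PAN crossed the wire

    def tokenize(self, pan: str) -> str:
        self.pans_received += 1
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a PAN")
        # Same PAN -> same token, so the merchant can still match repeat customers.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random body, real last four: same length and trailing digits as the
            # PAN, so legacy fields, receipts and reports keep working unmodified.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]

    def is_pan(self, value: str) -> bool:
        return value in self._pan_to_token


class MerchantSystem:
    """A merchant that keeps only tokens but must still hand the PAN to the vault."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.orders = []
        self.wire_log = []  # what left the merchant's network: still cardholder data

    def checkout(self, order_id: str, pan: str, amount: int) -> dict:
        self.wire_log.append(("to_vault", pan))   # PAN in transit: still in scope
        token = self.vault.tokenize(pan)
        record = {"order": order_id, "card": token, "amount": amount}
        self.orders.append(record)               # at rest: token only
        return record

    def stored_pans(self) -> list:
        """What an attacker reading the order database gets: no real PANs."""
        return [o["card"] for o in self.orders if self.vault.is_pan(o["card"])]


def demo() -> dict:
    vault = TokenVault()
    merchant = MerchantSystem(vault)
    first = merchant.checkout("A1", "4111111111111111", 4599)   # public test PAN
    repeat = merchant.checkout("A2", "4111111111111111", 1200)
    other = merchant.checkout("A3", "5555555555554444", 800)
    return {
        "first_token": first["card"],
        "same_pan_same_token": first["card"] == repeat["card"],
        "different_pan_different_token": other["card"] != first["card"],
        "stored_pans": merchant.stored_pans(),               # []  nothing at rest
        "pans_that_crossed_the_wire": vault.pans_received,   # 3   still in scope
    }
```

The vault lookup is the whole security property: the token is random, so nothing about the PAN can be recovered from it, but the `wire_log` shows why the merchant's link to the vault remains in scope.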

The bottom line is that none of these technologies individually is the answer to our security issues with cardholder data.  However, if they are used together, they can provide a formidable defense against compromise.  Why?  As with all good security solutions, it comes down to defense in depth.  Since there is no single ‘silver bullet’ that can solve the problem, we have to look at multiple solutions that, when put together, create a defense-in-depth approach that provides as much security as possible.

By using Chip and PIN in conjunction with end-to-end encryption, data encryption and tokenization, we create a gauntlet of protection.  However, as I always like to remind people, security is not perfect and even this combination is not a ‘silver bullet’.  Controls and monitoring are still required to ensure that endpoints remain secure, that encryption keys are protected and that endpoints are not tampered with.  Still, such an approach would go a long way toward minimizing the threat of compromises.

12
Sep
10

What Happens Once Merchants Get Rid Of Cardholder Data?

I started thinking about this a couple of months ago.  I think this is one of the problems we have in our industry as well as society as a whole.  We do not take the time to think about what our actions might result in.  If we did, we might not continue to end up with ever larger problems.

There appears to be this belief that once merchants get rid of cardholder data, life will be so much better and safer.  But is that really what will happen?  What does happen once merchants get rid of cardholder data?  Do the clouds part?  Is there sunshine forever?

Granted, these are all my suppositions, but I think they fairly portray what will happen once cardholder data is out of merchants’ systems.

Merchants have been led to believe that attackers will have to move their target to wherever the data moves, which would be service providers, processors and acquiring banks.  But merchants are not out of the woods once they no longer store cardholder data.  In their efforts to get to the service providers, processors and acquiring banks, the attackers will take whatever route they have to in order to achieve their objective.  Merchants may no longer store cardholder data, but they will still transmit it and possibly still process it.

Merchants have to connect to service providers, processors and/or acquiring banks, so they are still part of the transmission of cardholder data.  As security professionals like to say, “Security is only as good as its weakest link.”  Where is the weakest link?  Unfortunately, it will be merchants.  Even though they no longer store cardholder data, they are still a target and will need to continue investing in security so that they protect their business partners.  If you think it was tough selling merchants on securing cardholder data, imagine selling them on securing their business partners after they stop storing cardholder data.

Since merchants will still come in contact with credit cards in order to obtain payment, they will need something like end-to-end encryption or other security measures so that when a customer pays with their credit card, the connection between the card and the processor is secured.  That makes the credit card terminal or the integrated POS workstation the prime target for intercepting cardholder data.  Therefore, criminals will shift their focus to supplying merchants, or their equipment suppliers, with doctored terminals or integrated POS software that intercepts cardholder data.  There have already been documented incidents of this happening, so one has to assume that these sorts of incidents will only increase.

Chip and PIN can resolve some of this, but as some security researchers recently showed, Chip and PIN can also bring a new set of problems.  Everyone dismissed this exploit as too difficult to pull off.  However, if you actually read the researchers’ report, you see that it would only take the doctoring of a terminal to execute.  But the PCI SSC says that terminals are “dumb.”  Yet a lot of the terminals in use these days have the processing capability of a netbook.

To exacerbate the situation with the terminal, you have the problem of what to do when the terminal cannot connect to the service provider, processor or acquiring bank.  Even in this age of high network availability, there will always be the occasional knocked-over utility pole or network failure.  In these instances there has to be a way to conduct the transaction, as merchants are not going to turn away sales because the network is down.  There are a couple of ways to deal with this situation.  The first is to fall back to the good old “knuckle-buster” and paper forms.  You then need to deal with the security of the forms, but that can usually be handled the same way a merchant secures their cash.

The second option is to put some intelligence in the terminal or integrated POS solution to conduct the transaction without the network.  However, this involves temporarily storing the cardholder data in the device until the network is available.  Where this typically goes wrong is that the device does not properly clear the data once it has been transmitted.  Most people would say, “So what?  The attackers would have to know when the network was down.”  True.  But what if the attackers doctored the terminal or POS software so that it periodically just did not allow a certain number of transactions to process online?  Do you think people would notice?  They would probably write it off as the technology just acting up.
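Both halves of that scenario can be shown in code.  The block below is an added example written for this page, not code from the original post or from any terminal vendor: a store-and-forward queue that purges records on acknowledgement beside the flawed variant that leaves them on the device, and a monitor that would notice a lane whose doctored software keeps forcing sales offline, by comparing each terminal's offline share against the fleet median.  The transaction log, the ten-lane layout, the 1% baseline and the 3x threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median


class StoreAndForwardQueue:
    """Holds authorization records while the host is unreachable.

    purge_on_ack=True is the correct behaviour; False reproduces the flaw the
    post describes, where forwarded records linger in the device.
    """

    def __init__(self, purge_on_ack: bool = True) -> None:
        self.purge_on_ack = purge_on_ack
        self.records = {}   # txn_id -> record dict

    def hold(self, txn_id: str, pan: str, amount: int) -> None:
        self.records[txn_id] = {"pan": pan, "amount": amount, "status": "held"}

    def forward_all(self, host_send) -> int:
        """host_send(record) -> True on acknowledgement. Returns records forwarded."""
        forwarded = 0
        for txn_id in list(self.records):
            if not host_send(self.records[txn_id]):
                continue                  # host still down: keep it, status stays held
            forwarded += 1
            if self.purge_on_ack:
                del self.records[txn_id]  # nothing left on the device to steal
            else:
                self.records[txn_id]["status"] = "sent"   # the flaw: PAN still stored
        return forwarded

    def leftover_pans(self) -> list:
        """What a doctored terminal or a forensic image finds after the outage."""
        return [r["pan"] for r in self.records.values() if r["status"] == "sent"]


def offline_rate_outliers(transactions, min_txns: int = 50,
                          ratio: float = 3.0, floor: float = 0.02) -> list:
    """Flag terminals whose share of offline (store-and-forward) sales is out of
    line with their peers. transactions: iterable of (terminal_id, went_offline).
    """
    counts = defaultdict(lambda: [0, 0])    # terminal -> [total, offline]
    for terminal, went_offline in transactions:
        counts[terminal][0] += 1
        counts[terminal][1] += int(went_offline)
    rates = {t: off / total for t, (total, off) in counts.items() if total >= min_txns}
    if len(rates) < 3:
        return []                            # not enough peers for a baseline
    threshold = max(ratio * median(rates.values()), floor)   # median resists the outlier
    return sorted(t for t, r in rates.items() if r > threshold)


def constructed_day(tampered="T07") -> list:
    """Constructed log: 10 lanes, 200 sales each, 1% genuine offline authorizations,
    plus one lane whose doctored software forces every 20th sale offline."""
    txns = []
    for n in range(1, 11):
        terminal = f"T{n:02d}"
        for i in range(200):
            went_offline = (i % 100 == 0)
            if terminal == tampered and i % 20 == 0:
                went_offline = True
            txns.append((terminal, went_offline))
    return txns
```

A 5% offline rate on one lane against a 1% fleet median is exactly the kind of thing that gets written off as the technology acting up; the monitor turns it into a ticket.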

In the end, merchants are only a little better off than when they stored cardholder data.  Until a new system is developed, we need to mitigate the risks of the existing system.  That is what the PCI standards are all about.  They were developed to mitigate the risks presented by the current credit card processing system.  They are not perfect, but they do reduce the risks to an acceptable level if they are followed.

17
Aug
10

The Chip And PIN Debate – Part 3

In my last post I discussed the statistics surrounding the adoption of Chip and PIN.  In this post I want to go back and discuss the security risks of Chip and PIN that I raised in my old post.

In my original post I discussed a number of shortcomings regarding EMV.  A lot of those issues were taken from old sources as well as some that were questionable.  I apologize for the misleading information in some cases.  However, the reason I included a number of these old issues was that they still can be an issue to the EMV card as not every financial institution has necessarily converted their entire card base to newer EMV standards.  I know this to be true because one of my clients manufactures EMV cards and they continue to produce cards to older standards.

EMV, like any other security method, is not perfect.  So what are the viable issues?  Here is my take on the security issues for EMV.

Man-In-The-Middle Attack
At the IEEE conference in February 2010, a number of researchers from the University of Cambridge presented a paper on a man-in-the-middle attack in which they used somewhat expensive hardware and software to intercept the communications between the EMV card and the terminal and fool both into believing that a transaction had been properly completed.  After this paper was presented there was a flurry of newspaper articles about the problem, hyping it as the reason why EMV is a “false prophet.”  A few days later, a number of articles came out dismissing the research as bunk because of the expense and complexity of the equipment.

However, the flaw that these researchers found is more exploitable than most people think.  Terminals are more sophisticated than most people give them credit for.  Today’s terminals are not the “dumb” devices of yesteryear.  Today’s terminals are like netbooks in disguise and run embedded Linux or Windows.  Vendors provide software development kits with these new-generation terminals for the development of sophisticated solutions for processing credit cards, giving loyalty rewards and other merchant-friendly purposes.  And after four years, it appears that the PCI SSC has recognized the threat from these new terminals and is modifying the PA-DSS to include them in the certification process.

I have personally been involved with a client that had their terminals tampered with by a gang to store cardholder data on USB drives embedded in the terminals.  These terminals were swapped for legitimate terminals by gang members posing as the night cleaning or stock crew.  Then there is the Hannaford breach.  While we know that it was malware installed on the POS servers at each store, there has never been an official explanation of how the malware got onto those servers.  Most people just assumed that the hackers somehow compromised Hannaford’s network and placed it on all of their servers.  But the rumor I heard was that the Hannaford breach was the result of tampering with the master ghost image for their POS servers.  Hannaford had updated their POS hardware and software as part of their PCI remediation efforts (how is that for a real piece of irony) and had hired a third party to provide the additional resources necessary to ghost the new servers.

The bottom line is that there is ample evidence that data gathering at the source is a real threat.  Given the sophistication of terminals these days and the likelihood that they and POS software can readily be tampered with, the chance of a successful man-in-the-middle attack is higher than most people believe or want to believe.  As a result, it is not too far-fetched that tampered terminals or POS software could be created and distributed to unsuspecting merchants by unwitting or unscrupulous vendors and/or resellers.

Card Cloning
In May 2010, Lloyds TSB admitted that a number of its customers had been the victims of card cloning.  Apparently, this is not your run-of-the-mill amateur cloning operation, as these cloners are cloning everything and determining the cards’ PINs.

It is not difficult to skim the magnetic stripe on an EMV card, as most of them have a stripe so that they can be used where EMV is not supported.  Now a lot of you are probably wondering how the bad guys got the cards’ PINs.  It is just a simple use of a rainbow table to break the encrypted PIN block.  The problem with the current PIN block encryption specification is that it is published.  And though you might think that PIN encryption would be tough to beat, banks usually only change their PIN encryption keys annually, so if you have a card from a target bank, you can figure out the key by using the information from a known card.  As a result, it is not difficult to generate the necessary rainbow table(s) to quickly crack PIN blocks.

Once cloned, the cards are used at ATMs around the world to obtain the victims’ cash.  Why ATMs?  It turns out that almost all ATMs, even those in Europe, still rely on a card’s magnetic stripe to conduct withdrawals, not the chip.  To add insult to injury, it turns out that Lloyds TSB’s and most other banks’ fraud detection systems ignore ATM withdrawals.  And because transactions from foreign ATMs took anywhere from a week to a month to show up on customers’ statements, it was usually quite a while before the customer contacted the bank to dispute the transactions.

So until EMV is deployed all over the world, the magnetic stripe is the weak link in the chain.

Card Theft

This is still a problem even with EMV.  The bad guys have taken a tip from the playbook of the long-distance telephone scammers of the late 1980s.  That was the brief period before today’s truly portable cell phones, when people relied on long-distance calling cards.  I can personally remember that at Newark Airport, the terminal had scammers shoulder surfing people as they made calls, writing down the calling card numbers as they keyed them into the phones.

What today’s EMV scammer does is electronically shoulder surf at ATMs and merchants and then lift the victim’s wallet or purse.  They then quickly conduct as many fraudulent transactions as possible before the victim can notify their bank of the stolen card.

Granted, this is not a great way to make a living, but properly done, one can make a living at it.  With the new PCI PTS standard, even electronically shoulder surfing the PIN should be more difficult, but not necessarily impossible.  And with the prevalence of video monitoring everywhere these days, the chance of obtaining footage of people entering their PINs is even greater.  So the DVRs that hold that footage may become the new targets for attackers.

Reverse Engineering Attack

This attack is a prime example of why some things should never be published on the Internet for everyone to see.

This is an attack developed by a person using their own credit cards as test devices.  Even in today’s economy, banks issue credit cards to almost anyone who applies as long as their credit score is good.  Therefore it is not hard to believe that someone would use their existing credit cards to reverse engineer keys.

First and foremost, all of the documentation is available online for anyone to see, so the attacker has a readily available instruction manual for reverse engineering the standards.  All of the hardware and software development kits are readily available and in some cases can be obtained for little or no cost from vendors or through eBay.  If you think this is far-fetched, remember that at this year’s Black Hat a researcher explained how he learned to hack ATMs by buying them through eBay and other sources.  As I discussed earlier, what makes these attacks possible is that the keys the banks use in their encryption do not change very often.  At most they change once per year, possibly even less often than that.  As a result, anyone who desires can use off-the-shelf software to monitor the network and capture the traffic when the card authenticates.  From that traffic, the key can be determined, and any card from that bank can then be easily cloned.

I am sure there are other attack vectors waiting to be discovered by some ingenious attacker.  I only wish I had the free time to look into this topic further, but that is for the attackers who have such free time.  But this is not to say that EMV would not bring something to the security table.  However, the bottom line is that there are risks with EMV and it is not the panacea that its proponents like to portray.  It has known and unknown flaws just like any other piece of technology.  So, let us all admit that fact and move forward.

UPDATE:  Here are some more links to other information regarding issues with Chip and PIN and explanations of the above threats.

http://blog.itsecurityexpert.co.uk/2010/02/chip-pin-weakness-smoke-screen-for-real.html

http://blogs.techrepublic.com.com/security/?p=3153



