Industry groups leap to Chip and PIN's defence
Despite research showing signs of terminal weakness
Analysis Banking industry suppliers have lined up to defend Chip and PIN, following the release of research last week from Cambridge University demonstrating how cybercrooks might be able to bypass security controls on credit and debit card transactions in shops.
A four man team from Cambridge University demonstrated how it might be possible to make "Verified by PIN" transactions using a stolen (but uncanceled) cards without knowing the correct PIN number. The man-in-the-middle works by tricking a card into thinking a chip-and-signature transaction is taking place while the terminal gets a signal that a correct PIN has been entered.
Would-be fraudsters would need to insert an electronic wedge between the stolen card and terminal, tricking the terminal into believing that the PIN was verified. The attack even works when the terminal is offline but isn't applicable to ATM machine cash withdrawals. It relies on the complexity and security security shortcomings of the EMV (Eurocard Mastercard Visa) standard for smartcard payments, a technology used by millions of credit and debit cards, mostly in Europe.
Cambridge University researchers demonstrated the attack on several cards during a news item on the BBC's Newsnight. The programme aired last Thursday, ahead of the planned publication of a paper (PDF draft here) at an IEEE conference in May.
Bank assurances shaken not stirred
Suppliers such as Thales and The Logic Group point out that Chip and PIN has been a success in driving down the levels of fraud in retail transactions, while acknowledging that plastic card fraud has been displaced to the internet and overseas ATM machines, rather than reduced, since the introduction of Chip and PIN.
While suppliers are keen to downplay the significance of the Cambridge team's research, other observers argue that it undermines the insistence of banks that any transactions authorised by a PIN must have been either made by a customer or the product of their negligence in keeping their cards and PIN numbers secure.
Jay Abbott, a security consultant at PricewaterhouseCoopers (PwC), commented: “At present, the customer is accountable for the fraud as banks argue that PIN verified transactions are secure. Given this attack demonstrates a clear method of bypassing the PIN system, this assertion by the banks stands on shakier ground.”
The Cambridge University team has developed a "very effective and simple way of exploiting weaknesses in the system," Abbott said. He added that even so, pulling the attack off in practice would be far from straightforward.
“A number of electronic components are involved that require concealment, therefore the fraudster must remain in contact with the card at all times", he explained. "A simple process change by the retailer of asking for the card holder to hand over the card would break the circuit, although this possibility can be eliminated if the card reader is fixed to a point on the other side of the counter."
“One of the motivations for introducing Chip and PIN in the first place was to give consumers extra protection by limiting the chance of a sales assistant being able to “skim” the card and duplicate it for fraudulent purposes. Also it is important to note that it only affects transactions where the fraudster visits the retailer in person and does not work online or on ATM transactions, where different forms of authentication are required," Abott added.
Sig sig sputnik
Steve Brunswick, strategy manager at Thales Information Systems Security, whose technology helps secure roughly 70 per cent of credit and debit card transactions worldwide, argues that Chip and PIN offers "proven benefits" not undermined by the Cambridge team's work.
“Cambridge University computer scientists’ discovery of a way to carry out transactions without knowing a card's PIN has hit the headlines; however consumers should not lose faith in credit card security," Brunswick said. "Chip and PIN is by far and away the most secure way of protecting payment transactions currently available."
Brunswick acknowledged that the Cambridge's team research "could be an important input to future revisions of card security technologies”, while arguing that the bigger problem is slow adoption in some parts of the world of improved payment security technologies such as Chip and PIN.
“No security system can claim to be completely bulletproof - there is always a three-way trade off between cost, ease of use and security and the industry is constantly looking for improvements. Consequently, the aim of security systems is not to make security unbreakable but to make it unprofitable for criminals to attempt to break it. The benefits of Chip and PIN are proven. Once the UK adopted Chip and PIN in 2003, losses on UK high street transactions reduced by 55 per cent by 2008. However, not all countries have followed suit and the US, for example, still uses magnetic stripe cards with signature verification."
"Verification by signature remains an option even for EMV cards, and it is the availability of this weaker security that has been exploited by the attack highlighted by Cambridge University", he added.
Gareth Wokes, chairman of secure payment specialist The Logic Group, struck a more combative pose, describing the Cambridge research as "alarmist" and "missing the point".
The Logic Group handles transactions across more than 250,000 points of sale (PoS) in the UK, the type of payment the Cambridge researchers argue has been left in the firing line of man-in-the-middle attacks. Wokes is dismissive of such concerns, arguing that banks and the payment industry have invested millions to fight fraud.
“I find the tone of this dumbed-down research alarmist. Fraudsters are always pushing the barriers and trying to find new ways to navigate security measures; it is not a static situation. And just as the fraudsters continue to innovate so too does the payment industry, which invests vast sums of money in continuous improvements to card payment security", Wokes said.
Wokes took particular exception to "Professor Anderson’s claim that the banks will have to re-write the software around the entire chip and PIN system also misses the point – they are constantly improving card payment security and will continue to do so as long as card fraud exists," Wokes said. "To position this as an overall failure of chip and PIN is also misleading and counter-productive to the industry’s efforts against fraud.
"A year after Chip and PIN was introduced, card fraud dropped by 48 per cent. The issue is that fraudsters then moved on to e-commerce fraud (where chip and PIN is irrelevant), which is why fraud figures subsequently began to increase again. It’s a constant battle to close down loopholes and the rules of engagement change month to month and even day to day," Wokes said. He cited the PCI DSS payment card industry standard for merchants as an example of industry efforts to improve transaction security.
Steven Murdoch, one of the four Cambridge University researchers who carried out the study, told El Reg that probably the best way of fixing the flaw in the credit card transaction process his team has identified would involve changing bank back-end systems.
"To fix this particular vulnerability, there does need to be a software change. It may only have to be at the banks, but it is possible that the terminals and/or cards would need to be upgraded too. We suggested a number of potential fixes in our paper, but have not heard which ones the banks are actually going to do," Murdoch explained.
The security researcher added that the security hole the Cambridge team has identified stems from the complex web of payment transaction and bank authorisation technologies that badly need untangling even before they are strengthened.
"The more general point we are making is that this flaw has existed for over ten years, and nobody has spotted it (unless criminals have done so, but kept it quiet). The main reason is that Chip & PIN is incredibly complicated, with thousands of pages of vague, ambiguous, and incomplete specifications," Murdoch explained.
"This latest vulnerability has not been the first flaw we have found in Chip & PIN and it is very likely there are others still to be found. So we are arguing that if the card payments system is going to be made secure, it needs to be redesigned using more robust security principles, and massively simplified," he added.
Sign of the times
One Reg reader raised a serious objection to how the attack might work in practice that we raised with the Cambridge team. The anonymous commentary asked how the transaction data would contain the digitally signed information the EMV chip calculates on basis of the PIN verification as, without that, it would be difficult to hold a cardholder responsible for a fraudulent transaction.
This does not present an obstacle to the attack, Murdoch explained in a detailed rebuttal (below).
In the existing EMV system there is no digital signature calculated over the result of PIN verification. With static data authentication (SDA) cards, there is a signature calculated over the card details (account number, expiry date etc...). With dynamic data authentication (DDA) cards, the same data is signed, and the card will also generate a signature over a random number sent to it by the terminal.
In neither case is the result of PIN verification included, because the signature generation and verification happens before the PIN has even been entered.
There is a message authentication code (MAC) calculated over various transaction-related data items, including the result of PIN verification. This cannot be checked by the terminal, but can be checked by the bank which issued the card. However, it seems that banks do not detect the inconsistency. The settlement logs, which come from the terminal, will show that the PIN has been verified successfully, when the attack we proposed is used. These logs are used for dispute resolution, so I think it is quite reasonable to conclude that the bank will have evidence which shows that the correct PIN was used, even if this is wrong.
In another disputed withdrawal case I dealt with, the bank presented the merchant receipts as evidence against the customer. Again, these will (incorrectly) show that the correct PIN was used, if our attack was used.
Enter the Matrix
Meanwhile other IT suppliers, such as UK-based GrIDure, are using the Cambridge research to tout the benefit of their technology as an alternative to PINs.
“This latest revelation about Chip and PIN cards has yet again called into question the confidence we can have in our banks and their attitude to our security," GrIDsure chief exec Stephen Howes said. "Consumers are being forced to use a system that has been shown to be broken, and ultimately it will be consumers who suffer."
"Banks must consider making a wholesale change to their approach to fraud," he concluded. ®