How Smartcard Payment Systems Fail

Presented at Black Hat USA 2014, Aug. 7, 2014, 9 a.m. (60 minutes)

The USA is starting to introduce EMV, the Europay-Mastercard-Visa system for making payments using chip cards instead of the old mag strip variety. EMV is already in wide use in Europe, and has started to appear in countries from Canada to India. In theory, smartcards should have reduced fraud by making bankcards much harder to copy and by enabling banks to authenticate users at the point of sale using PINs rather than signatures. The practice has been different. In Britain, for example, fraud first went up, then down, and is now headed upwards again.

There have been many fascinating attacks, which I'll describe. The certification system wasn't fit for purpose, so terminals that were certified as tamper-resistant turned out not to be. We even saw Trojans inserted in the supply chain. A protocol flaw meant that a crook could use a stolen card without knowing the PIN; he could use a man-in-the-middle device to persuade the terminal that the card had accepted the PIN, while the card was told to do a signature-only transaction. Merchant refunds were not authenticated, so a crook could pretend to the bank that he was a merchant, and credit his card back after making a purchase.

The most recent series of attacks exploit the freshness mechanisms in the EMV protocol. To prevent transaction replay, the terminal generates an "unpredictable number" while the card supplies an "application transaction counter" or ATC that is supposed to increase monotonically and never repeat. Yet the unpredictable numbers often aren't (in many of the terminals we looked at, they seem to be just counters) while many banks don't bother to check the ATC, as writing code to deal with out-of-order offline transactions is too much bother. As a result, we've seen some interesting attacks where cardholders unlucky enough to shop at a dishonest merchant find themselves dunned for a lot of large transactions later. In fact these "preplay" attacks behave just like card cloning, and make all the fancy tamper-resistant electronics almost irrelevant.

At heart these are problems of governance and regulation. The vendors sell what they can get away with; the acquiring banks dump liability on merchants and card-issuing banks; they in turn dump it on the cardholder where they can; and the regulators just don't want to know as it's all too difficult. This wonderful system is now being rolled out at scale in the USA.
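
The two freshness checks the abstract says are often skipped (ATC monotonicity per card, and unpredictable numbers that are really counters), as an added Python example that is not from the talk or its authors. The record layout, function names, thresholds and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log: (card_id, terminal_id, ATC, unpredictable number).
# Field layout and all values are assumptions made for this example.
RECORDS = [
    ("card-A", "T1", 10, 0x1000_0001),
    ("card-B", "T1", 5, 0x1000_0002),
    ("card-A", "T2", 11, 0x9F3A_11C4),
    ("card-B", "T1", 6, 0x1000_0003),
    ("card-A", "T1", 11, 0x1000_0004),  # ATC 11 already used by card-A
    ("card-B", "T2", 4, 0x27D0_88E1),   # ATC lower than card-B's highest
    ("card-A", "T2", 12, 0x5B01_F3A9),
    ("card-B", "T1", 7, 0x1000_0005),
    ("card-A", "T2", 13, 0xE4C2_0B17),
]

def atc_anomalies(records):
    """Return (index, reason) for ATCs that repeat or go backwards per card."""
    seen, highest, flagged = defaultdict(set), {}, []
    for i, (card, _term, atc, _un) in enumerate(records):
        if atc in seen[card]:
            flagged.append((i, "repeated"))       # must never happen
        elif atc < highest.get(card, -1):
            # May be a late-arriving offline transaction: review, don't ignore.
            flagged.append((i, "out-of-order"))
        seen[card].add(atc)
        highest[card] = max(highest.get(card, -1), atc)
    return flagged

def counter_like_terminals(records, min_samples=4, max_step=16, ratio=0.75):
    """Return terminals whose successive UNs mostly advance by a small step."""
    by_term = defaultdict(list)
    for _card, term, _atc, un in records:
        by_term[term].append(un)
    flagged = []
    for term, uns in by_term.items():
        if len(uns) < min_samples:
            continue
        # The UN is a 32-bit field, so differences wrap modulo 2**32.
        steps = [(b - a) % 2**32 for a, b in zip(uns, uns[1:])]
        small = sum(1 for s in steps if 0 < s <= max_step)
        if small / len(steps) >= ratio:
            flagged.append(term)
    return sorted(flagged)

if __name__ == "__main__":
    print(atc_anomalies(RECORDS))
    print(counter_like_terminals(RECORDS))
```

An out-of-order ATC is not proof of fraud, since delayed offline transactions produce the same pattern, which is why the two reasons are reported separately.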

Presenters:

  • Ross Anderson - Cambridge University
    Ross Anderson was an inventor of API attacks on cryptographic processors, semi-invasive attacks on smartcards, distortion attacks on copyright marking systems and fast correlation attacks on various stream ciphers. On the constructive side of things, he was one of the inventors of the AES finalist block cipher, Serpent; of the steganographic file system; of soft tempest; and (via the Eternity Service) of peer-to-peer systems. On the academic front he pioneered the study of security economics, studying systems that fail because of misaligned incentives, and leads a project researching the psychology of deception. He wrote the definitive book 'Security Engineering: A Guide to Building Dependable Distributed Systems.'
