Tuesday, February 16, 2010

Chip and PIN: The technology is no

longer secure

Date: February 16th, 2010

Author: Michael Kassner

Chip and PIN transaction systems were thought to be secure. The only way to bypass the technology required a stolen card and knowing the PIN. That is no longer the case.

I first learned about Chip and PIN Security when writing a piece about counterfeit credit/debit cards. The point of the article was to shed light on how cybercriminals steal financial information and ultimately our money. I presented a technology called MagnePrint as one possible solution. Several TechRepublic members mentioned another technology that they thought was better called chip and PIN.

Chip and PIN Security

Chip and PIN systems were created to prevent skimming. Replacing the magnetic strip with an embedded microchip supposedly eliminates that possibility. In fact, many consider chip and PIN security a strong two-factor authentication.

Several members also mentioned that chip and PIN technology is prevalent in Europe and why cybercriminals are more focused on stealing credit/debit card information in the United States. This article goes far enough to say that adoption of Chip and PIN technology in the United States is inevitable for that very reason.

How it works

Customers do not see much difference when using a chipped card. It works like this:

1. At the checkout counter, a customer places his or her card in a Pin Entry Device (PED).

2. The PED accesses the chip on the card.

3. The card is then verified by the financial institution providing the card.

4. Once the card is proven authentic, the customer enters the PIN.

5. The PED verifies that the entered PIN matches the PIN cached on the chip.

6. If it is a match, the transaction goes through.

So, what’s the problem? Quite simply, it’s the cost. The article mentions that:

“The card issuers cite the enormous cost of rolling out chip and PIN technology, estimated to be around $5.5 billion, and they rest safe in the knowledge that it is the merchants in the U.S., and not the card issuers, who are responsible for the financial costs of credit card fraud.”

Not quite perfect

I have been studying chip and PIN technology for awhile now. It obviously makes it more difficult to obtain a person’s financial information. But, it’s not perfect. My first inkling of this came from watching the BBC news report Chip and PIN ‘security risk’.

Basically, the PEN hardware is compromised, allowing the criminal to obtain the card’s financial information and PIN digitally. For whatever reason, the transaction traffic to and from the PEN was not encrypted. Still the PEN has to be physically altered for this attack to work, making it a risky endeavor.

New flaw

The same University of Cambridge research team that uncovered the PEN hardware flaw recently discovered a new problem with chip and PIN technology. Professor Ross Anderson, a member of the team points out the seriousness:

“We think this is one of the biggest flaws that we’ve uncovered - that has ever been uncovered - against payment systems, and I’ve been in this business for 25 years.”

Susan Watts of the BBC, presented a documentary (http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html) about the research called New flaws in chip and PIN systems revealed. Unbelievably, a transaction can be completed without knowing the PIN. To explain, let’s step through the attack process:

1. The attacker obtains a stolen credit/debit card.

2. Next, the stolen card is inserted into the attacker’s card reader which is connected to a notebook.

a. Also connected to the notebook, is some hardware that interfaces with a fake card via a cable.

3. The criminal starts the payment process by inserting the fake card into the store’s PEN.

4. The PEN accesses the chip to verify the card’s authenticity.

5. Next, the PEN asks the attacker for the PIN via the display screen.

6. The criminal enters any 4 numbers, it doesn’t matter.

7. The software/hardware developed by the researchers then somehow fools the PEN into believing the correct PIN was entered and a signature authorized the purchase.

If you get a chance, watch the video in the documentary. It shows a simulated transaction and the Cambridge researchers explain how they accomplished the attack. The following illustration and picture depicts the equipment used to implement the attack (courtesy of the University of Cambridge research team): http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html

If I understand correctly, the PIN exchange only involves the card’s chip and the PEN. That information was leveraged by the researchers to create a Man-in-the-Middle attack. The research team’s paper Chip and PIN is broken (pdf) mentions:

“A man-in-the-middle device, which can intercept and modify the communications between card and terminal (PEN), can trick the terminal into believing that PIN verification succeeded without actually sending the PIN to the card.

A dummy PIN must be entered, but the attack allows anyone to be accepted. The card will then believe that the terminal did not support PIN verification, and has either skipped cardholder verification or used a signature instead. Because the dummy PIN is never sent to the card, the PIN retry counter is not altered.”

What’s next

One of the reasons I have been following chip and PIN technology, is to see if and when it will be adopted in the United States. I asked Professor Anderson about this and his response was:

“I’ll be talking about EMV (chip and PIN standard) at the Federal Reserve Bank’s conference in New York on April 1st. I’ll be arguing the Fed should insist that the EMV specification be
fixed before they allow its introduction in the United States.

The vendors are keen enough to sell the technology in the USA, where the card payment market is worth billions. If the result is a much improved EMV 5.0, then it will presumably come here to Europe in due course.”

One other area of concern that I found interesting is the transition credit/debit card. If the chip and PIN system gains traction, not every merchant will have the correct PED immediately. According to the researcher team’s report, this opens another attack avenue.

If the chip and PIN card includes a magnetic strip as a fall back method for making purchases, the card can still be cloned and the information may remain valid when that person obtains the official chip and PIN card.

Final thoughts

I am not sure where I read this, but it has a lot of “street cred”:

“The whole purpose behind security is to make it more difficult so thieves will go somewhere else as well as eliminating amateurs. Still no matter what you develop, there’s going to be someone who’s going to find a way around it.”

Michael Kassner has been involved with with IT for over 30 years. Currently a systems administrator for an international corporation and security consultant with MKassner Net. Read his profile or Twitter at MKassnerNet.