In an address to the CanSecWest security conference this week, Inverse Path, a security research company claimed that “Chip and PIN is definitely broken”.
This followed-up on concerns previously raised by Cambridge University that the international EMV standards that govern credit and debit chip card payments are flawed, which we commented on in this blog last year.
The research conducted by Inverse Path involves using a skimmer device covertly fitted to the chip card reader on a payment device to read and potentially manipulate the data exchanged between the card and the payment terminal.
Some of the key points of Inverse Path’s analysis include:
An EMV skimmer device can be used to read the card number from the chip card. However, this information can only be used to create cloned magnetic-stripe cards or for fraudulent “Customer Not Present” transactions (e.g. credit card purchases over the internet).
As the researchers acknowledge, in the former case, this only works if the card issuer has not implemented iCVV (which has been specified by the card schemes for several years) and in the latter case, many card issuers support the 3-D Secure (“MasterCard Secure Code” or “Verified by Visa” schemes) which require a customer’s password to be entered to authenticate the payment, and merchants’ websites should also support this (if the website doesn’t implement this then they may be liable for any fraudulent transactions). There are already industry processes in place to protect against these types of fraud – if they are not implemented then it is the actions of the card issuers that are at fault, and not the EMV standards that are broken – and the same (or better) data could be obtained from a magnetic-stripe skimmer anyway (which are much more prevalent, particularly at outdoor ATM cash dispensers).
An EMV skimmer device could potentially manipulate the data exchanges to enable the PIN of the card to be extracted, by forcing the terminal to use the “Plaintext PIN” cardholder verification method.
This method will not work at ATM devices because they only support online PIN, and so it would be limited to Unattended Payment Terminals and in-store Point-of-Sale devices. This detected PIN could potentially be used if the card is subsequently stolen – although this is no different to the risk posed by covert cameras that criminals have tried fitting to ATMs – and will only have limited impact because once the card has been reported stolen the banks will decline all transaction requests and can also send an issuer script command that will block the EMV application on the card and prevent any further use.
Can these techniques be used to create cloned EMV “Chip and PIN” cards?
The answer is no. This is because an EMV card uses secret keys to generate a unique cryptogram for every transaction, which the bank verifies during the authorisation process, and any manipulation of the data exchanges containing the CVM list will also cause the terminal’s Data Authentication process to fail.
Failure of either of these checks will almost certainly cause the card or the authorisation host to decline the transaction or require a “voice referral” (where the bank will require additional checks to be carried out to authenticate the customer). Contrary to the report’s claims, it is not just the Action Code settings that are used to make this decision. Banks and cards normally perform their own risk analysis in addition to the checks that EMV requires the payment terminal to perform.
Although the potential for such fraud is still limited to non-EMV transactions (which already have defined measures to combat this fraud) and stolen cards, there are still steps that could be taken to eliminate even these potential risks.
Solutions to eliminate potential risks
One of the obvious loopholes that could be closed would be to phase out the use of EMV “Plaintext PIN”. All terminals that support “Plaintext PIN” are already required to support “Enciphered PIN” and, as EMVCo require all EMV kernels on terminals to be re-certified every 3 years, support for “Plaintext PIN” could be removed from the specifications and phased out within 3 years.
Of course, in advance of such a move all cards would have to support enciphered PIN as well, which would require slightly more expensive and complex chips on the cards, but the report also notes that Visa and MasterCard are mandating this for all new cards anyway. Therefore with a simple pronouncement and migration plan, the card schemes and EMVCo could eliminate this potential risk, without needing to radically change the EMV standards or implement the additional complexity of full encryption or “e-ink scrambled touchpad” verification that the Inverse Path report suggests are needed.