There’s a push to adopt chip-equipped payment cards in the U.S. following high-profile breaches at large retailers and restaurant chains during the past 12 months, but experts warn that switching to this payment system will not make fraud disappear.
The EMV (Europay, MasterCard and Visa) standard is widely deployed around the world, and for the past 10 years or so it has been the de facto payment card system in Europe, where it’s also known as chip-and-PIN. The cards authenticate with ATMs and payment terminals using the combination of a customer PIN and information stored securely on an integrated circuit.
In order to drive EMV adoption in the U.S., the credit card brands plan to shift liability in October 2015, after which parties that haven’t deployed the system will be held liable for fraudulent transactions.
However, the EMV specification suffers from both regulatory and security issues, some of which have already been exploited in real-world attacks, according to Ross Anderson, a security engineering professor at Cambridge University with 25 years of experience in payment systems security.
During a talk on Thursday at the Black Hat security conference in Las Vegas, Anderson highlighted some of the attacks that are possible against existing EMV implementations. Banks have tried to downplay these as impractical or too complex for cybercriminals to launch, he said.
The “preplay” and “no PIN” attacks are two examples. In a “preplay,” a card inserted into a rogue payment terminal can be charged for a transaction that’s done with a fraudulent card at a terminal somewhere else in the world. In the “no PIN” attack, a criminal uses a stolen card that’s wired to a portable device with a rogue card inserted into it. That lets the attacker bypass PIN verification at POS (point-of-sale) terminals in order to authorize rogue transactions.
More recently, Anderson’s team at Cambridge discovered that many EMV-capable ATMs and payment terminals generate random numbers in a predictable manner. This allows someone with temporary access to a credit card, such as a waiter, to calculate authentication codes that then can be used for transactions in the future. Worse, a rogue or compromised POS terminal can generate authentication codes for a card inserted into it, and those codes can later be used to authorize additional rogue transactions.
Some of these attacks don’t stem from issues in the EMV standard itself, but rather from the poor implementation of it by payment terminal vendors, according to Anderson. Banks don’t have enough incentive to act, because liability for fraud shifts to the merchants if EMV is not used in a transaction and to consumers if EMV is used with the correct PIN number, he said.
That tendency to blame the card owner is based on the premise that since EMV cards—or rather their chips—cannot be cloned, if a fraudulent transaction is done with such a card and the correct PIN, the card owner has been negligent.
Whether U.S. banks will try to shift liability to consumers for PIN-authorized EMV transactions remains to be seen, as consumer protection in the U.S. is better than in Europe, Anderson said. EMV adoption in the U.S. will be an interesting experiment because some banks want to implement chip-and-PIN cards, while others favor a chip-and-signature model, Anderson said.
The EMV specification as it exists today is vastly complex, and vendors have made additions on top of it, which means that it’s easy to make mistakes when implementing it, Anderson said. Depending on how much attention you pay, you can design a secure system using EMV or an awful one, he said.
Lucas Zaichkowsky, an enterprise defense architect at AccessData whose previous jobs involved investigating credit card breaches and assessing compliance with payment card security standards, agreed with Anderson.
“People think that if we switch to EMV, these breaches will go away, but that’s not true,” said Zaichkowsky, who also held a presentation about POS system architecture and security at Black Hat. RAM-scraping malware can copy data from the card’s magnetic stripe if the payment system is not implemented correctly, and many banks don’t do it properly, he said.
That data, along with the PIN, can then be used to create counterfeit cards and used in countries that haven’t yet deployed EMV.
In addition, most EMV-enabled POS terminals support both chip cards and traditional magnetic stripe cards. When you attempt to swipe an EMV card, the payment terminal should refuse it and ask you to insert it in the smart card reader instead. That doesn’t always happen, according to Zaichkowsky.
As an example, he said that his credit card was swiped at a POS terminal in Italy because the cashier was used to U.S. cards not having chips, despite his card having one. There was no error and the transaction went through, he said.
Even if everyone in the world would switch to chip-enabled cards and traditional magnetic stripe ones would disappear, fraud would most likely shift from card-present transactions to card-not-present transactions, such as those done online or over the phone, he said.
Fraud statistics up to 2012 actually show that this has happened in Europe since the deployment of EMV, Anderson said.
With an EMV transaction, a compromised POS terminal can still get the credit card number and expiration date, Zaichkowsky said. There are many places where this is all you need to place an order, because they don’t ask for the three-digit security code or verify the billing address, he said.
This means that cybercriminals will continue to have an incentive to compromise POS terminals, even with widespread EMV deployment.
The sophisticated EMV attacks that Anderson and his team at Cambridge identified aren’t widely used yet, partly because criminals have easier ways to abuse EMV cards today. That’s because they’re currently designed to also work with ATMs and payment terminals in countries where the system is not deployed, such as the U.S. Information captured from the magnetic stripe of a chip-equipped card can be used to create a counterfeit copy that doesn’t have a chip. That cloned card cannot be used in Europe but works in the U.S., where the chip isn’t needed anyway.
The fewer places in the world where cybercriminals can use such cards, the harder it will be for them to steal money from them. That might lead criminals to start using EMV attacks like those described by Anderson.
One technology that has a much better chance of preventing attackers from stealing card data is end-to-end encryption from the card reader to the payment processor’s back-end systems, according to Zaichkowsky.
Security experts have recommended end-to-end, or point-to-point, encryption for card-present payments for years. Adoption has been slow because it requires replacing POS terminals with new ones that support the technology, a significant investment that most merchants were not prepared to make.
However, now that many of them will have to change their terminals anyway in order to support EMV, it would be better if they also took the opportunity to choose terminals that encrypt the card data at the reader, Zaichkowsky said.