Chip and PIN compatibility leads to insecurity

Over the last few years, banks have been rolling out their new, chip-based payment cards, which follow the EMV (Eurocard, Mastercard and Visa) standard, to improve the security of card-based payment processing.

In theory, the intelligence of a semiconductor chip should be able to defeat many of the card skimming attacks that were possible with the classic magnetic stripe technology of the older chip-less cards.

A brief look at the back side of the new cards reveals, however, that the magnetic stripe is still present. Apparently it is still necessary to maintain backwards-compatibility with card reader devices that don’t support the new technology yet.

In 2006, Cambridge researchers showed that the PIN may be grabbed in clear text, during offline PIN verification, by an interception device that eavesdrops on the communication between a Point Of Sale (POS) terminal and the chip.

This offline PIN verification is specified for POS terminals only, and not for ATMs. With the latter, the cardholder identity (including the PIN) is always verified online against a central bank computer, so the PIN never passes through the interception device.

Since then, new chip generations have been introduced that support encrypted communication between reader and card, preventing eavesdropping on the PIN. Cards with Dynamic Data Authentication (DDA) or its sibling, Combined Data Authentication (CDA), come with a crypto chip of their own. DDA and CDA cards are not yet widespread, though.

But as researchers demonstrated at this year’s CanSecWest security conference, it is possible for an interception device to convince the POS terminal or ATM to transmit the PIN in clear text to the chip.

This worked with all tested terminals (including ATMs) and all card generations. Apparently, all terminals still accept a compatibility mode for older chips with offline verification.

With the more secure DDA or CDA chips, this mode might result in one failed PIN verification, as these chips would not accept the clear-text PIN verification protocol. Most users would simply take this for an erroneous PIN entry and try again.
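As an added example that is not from the post or the researchers, here is an issuer-side detector, run over a constructed authorisation log, for the two patterns the post describes: offline PIN verification reported by an ATM, and a clear-text PIN method used on a DDA/CDA card (including the failed-then-retried signature). The record fields, method labels and card ids are assumptions made for the example.

```python
"""Issuer-side detection of the PIN-downgrade patterns discussed in the post.
Added example: record layout, labels and sample data are constructed."""
from collections import defaultdict

# Cardholder verification methods as a terminal would report them (constructed labels)
PLAINTEXT_OFFLINE = "plaintext_offline_pin"    # PIN sent to the chip in clear text
ENCIPHERED_OFFLINE = "enciphered_offline_pin"  # PIN encrypted for the chip (DDA/CDA)
ONLINE_PIN = "online_pin"                      # PIN verified by the issuer host

# Constructed authorisation records, in time order:
# (card id, terminal type, card supports DDA/CDA, CVM reported, PIN accepted)
LOG = [
    ("card-A", "POS", False, PLAINTEXT_OFFLINE, True),   # legacy chip at a POS: expected
    ("card-B", "ATM", True, ONLINE_PIN, True),           # ATM verifying online: expected
    ("card-B", "ATM", True, PLAINTEXT_OFFLINE, False),   # ATM doing offline PIN: never legitimate
    ("card-B", "ATM", True, PLAINTEXT_OFFLINE, True),    # retry after the chip refused once
    ("card-C", "POS", True, PLAINTEXT_OFFLINE, False),   # DDA card rejects clear-text PIN ...
    ("card-C", "POS", True, PLAINTEXT_OFFLINE, True),    # ... cardholder re-enters the PIN
    ("card-D", "POS", True, ENCIPHERED_OFFLINE, True),   # DDA card verified properly
]

def downgrade_indicators(records):
    """Return {card_id: [reasons]} for cards whose records match a downgrade pattern."""
    flagged = defaultdict(list)
    plaintext_failed = set()  # cards whose most recent clear-text attempt was refused
    for card, terminal, dda_cda, cvm, pin_ok in records:
        # ATMs are specified to verify the PIN online only
        if terminal == "ATM" and cvm != ONLINE_PIN:
            flagged[card].append("offline PIN verification reported by an ATM")
        # a card with its own crypto chip should never be offered the clear-text method
        if dda_cda and cvm == PLAINTEXT_OFFLINE:
            flagged[card].append("clear-text PIN method used on a DDA/CDA card")
            if not pin_ok:
                plaintext_failed.add(card)
            elif card in plaintext_failed:
                flagged[card].append("failed clear-text attempt followed by an accepted retry")
                plaintext_failed.discard(card)
    # drop repeated reasons per card while keeping first-seen order
    return {card: list(dict.fromkeys(reasons)) for card, reasons in flagged.items()}

if __name__ == "__main__":
    for card, reasons in downgrade_indicators(LOG).items():
        print(card, "->", "; ".join(reasons))
```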

The researchers presented a super-flat interception board that an attacker can insert in the card slot of an ATM. The board is hidden so well inside the slot that it is totally invisible to any customer.

What’s even cheekier is that it is powered by the regular ATM card reader device. So when a bank client inserts her card into the ATM slot, the card actually communicates with the interceptor rather than directly with the card reader.

Still, it is necessary for a successful attack to get hold of the card or some essential information from it. Of course, card theft is the most obvious option.

Magnetic stripe skimming only works if the card is not yet protected with a so-called iCVV code. This is an additional value that lets the card issuer detect such abuse. The feature is not yet supported by all existing payment cards.

It is even possible to read enough application data straight from the chip to perform card-not-present transactions on web portals that do not require the entry of any additional card security code (like the CVV number on the back of the card).

Many websites like this are still out there, and this drives a booming black market for such data.

As these cases demonstrate, backward compatibility undoes the security progress achieved by more advanced technologies.

This reminds me of last year’s hassle with the introduction of a new generation of EMV payment cards in Germany, where the chip did not work correctly due to a firmware glitch, so that withdrawals at ATMs were no longer possible. The workaround that helped in many cases was covering the chip contacts with sticky tape, thus forcing authentication back into magnetic stripe mode.

In this recent case, however, backwards compatibility could be forced even in situations where it isn’t needed at all, namely offline PIN verification at ATMs. This needs to be fixed as soon as possible.

What is an even bigger concern here is the fact that card issuers attempt to shift liability for card abuse onto their customers. With the introduction of the new technology, card issuers will implicitly assume that the cardholders’ negligence is to blame and shift the burden of proof to them, even though the technology is obviously still flawed.

So what recommendation can we give you in this case? Probably none that will help you individually. It is important to raise public awareness of the flaws and to put pressure on the card issuers to fix them. With sufficient public pressure it will become more difficult for the issuers to blame their customers by default in cases of abuse. And that is essential should a case go to trial.

Creative Commons image of ATM with BSOD courtesy of hashashin’s Flickr photostream.