Chip and PIN is Broken According to New Research

Is chip and PIN definitely broken? That’s the question posed in a recent report from researchers at Inverse Path and Aperturelabs. One of the report’s authors, Andrea Barisani, spoke with PYMNTS.com about the vulnerabilities of EMV and his ideas for a stronger security standard for the payments sector.

PYMNTS.com: At the CanSecWest security conference last month, you and your colleagues gave a presentation entitled “Chip & PIN is Definitely Broken.” What led your group to this conclusion?

ANDREA BARISANI: Numerous security research efforts have exposed the fact that the EMV standard is inadequate regarding protection of stolen cards, protection of card data and protection of PIN verification.

While all the vulnerabilities that have been found can be somehow individually addressed by changing the standard or performing specific backend checks, we think they are a clear consequence of the EMV protocol being overly complex (we are talking about four books and hundreds of pages) and not well designed.

Our contribution, which shows that PIN interception can always be performed via an EMV skimmer regardless of the card configuration, is one last demonstration of this issue.

PYMNTS: Why is skimming so “extremely appealing” to fraudsters?

BARISANI: First because it allows interception of the public card data, which can be used on websites that perform weak security verification (no security code check).

People in the industry like to point out that websites that do not perform proper security checks are not strictly an EMV problem, and they are right in saying so. The problem lies with the fact that agreements between the banks and merchants still allow transactions not validated with all possible security verifications. However, despite not being an EMV issue, the end result is that this is a real threat that must be addressed.

Additionally, the PIN interception that is discussed in our research raises the threat of stolen cards (previously skimmed) being used in a completely legitimate way on POS and ATMs with the real PIN. A chip skimmer can have a form factor and installation procedure that would make it undetectable to the final customer or the merchant.


PYMNTS: EMV has been slow to ignite in the U.S. market. In light of the findings in your report, do you believe U.S. consumers have been better off sticking with the magstripe?

BARISANI: No, the magstripe technology is obsolete and even less secure than the chip alternative. In fact, magstripe fallback in Europe is one of the reasons why cloned cards can still be created. The problem is not the chip itself. The problem is taking advantage of all its security features, which is not what EMV does.

PYMNTS: What solutions do you recommend for the payments sector?

BARISANI: As security researchers, our preferred approach would be to design a new and simpler standard with security in mind right from the beginning and a proper peer review. However, this solution is almost certainly deemed unrealistic and financially inconvenient for financial institutions.

Alternatively, EMV can be “patched” to address all the vulnerabilities that have been raised. Most importantly, there is a large spectrum of checks that can be performed by the issuer on the backend to help detection of fraud.

It is clear from the Cambridge vulnerability (which allows usage of stolen cards without knowing the PIN) as well as other issues that banks could do a much better job in terms of proactive detection on the backend using all the available information sent by the card via the EMV standard as well as issuer specific data.

Last but not least, there is the problem of backwards compatibility, which is often used for bypassing security. For this reason, migration away from SDA cards to models with better security technology (DDA, but preferably CDA cards) should be accomplished as soon as possible to allow removal of support for less secure verification methods from the standard.

(In fact, we are aware of some banks patching the issue we raised as I am writing this email with the cost of breaking some backwards compatibility.)

In an ideal world, we think that the terminal itself can never be trusted (it is possible to install keypad skimmers on POS terminals and not only on ATMs), and that PIN input/verification should remain confined to the card itself rather than pass through an external device.

We also think that the authorized value and merchant name for the transaction should be displayed on the card (to prevent relay attacks). For this reason, cards with an integrated PIN keypad and a display for showing transaction information are an appealing step forward.
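Barisani's point about issuer-side detection is that the backend already receives both the terminal's view and the card's view of each transaction, and can compare them. The following is an added example, not code from the interview, from Inverse Path or from Aperture Labs, of a toy issuer-side triage routine in that spirit. The transaction records are constructed and deliberately simplified: the field names (`terminal_cvm`, `card_pin_verified`, `auth_method`) are assumptions standing in for values a real issuer would decode from the terminal verification results and the issuer application data, and the three checks (terminal and card disagreeing on offline PIN verification, magstripe fallback on a chip card, legacy SDA authentication) are illustrations of the kind of check the answer describes, not an issuer's actual rule set.

```python
"""Toy issuer-side consistency checks on EMV transaction records.

Added example, not the interview's or the researchers' code. Records are
constructed and simplified; field names are assumptions, not EMV tag names.
"""
from dataclasses import dataclass


@dataclass
class Transaction:
    txn_id: str
    card_id: str
    entry_mode: str          # assumption: "chip" or "magstripe_fallback"
    terminal_cvm: str        # assumption: CVM the terminal reports having used:
                             # "offline_pin", "online_pin", "signature" or "none"
    card_pin_verified: bool  # assumption: what the card itself reported (already decoded)
    auth_method: str         # assumption: "SDA", "DDA" or "CDA" offline authentication


def check_transaction(txn: Transaction) -> list[str]:
    """Return the reasons a transaction deserves scrutiny (empty list if none)."""
    flags = []
    # The terminal claims it verified the PIN offline, but the card reports that it
    # never verified a PIN. The two parties disagree, which is the kind of
    # inconsistency only the issuer, seeing both sides, is positioned to notice.
    if txn.terminal_cvm == "offline_pin" and not txn.card_pin_verified:
        flags.append("terminal and card disagree on offline PIN verification")
    # A chip card transacting via magstripe fallback is how cloned cards are still
    # usable; the issuer knows the card has a chip and can treat fallback as suspect.
    if txn.entry_mode == "magstripe_fallback":
        flags.append("magstripe fallback on a chip card")
    # SDA cards lack the dynamic authentication of DDA/CDA; the issuer can at least
    # keep them visible while migration is pending.
    if txn.auth_method == "SDA":
        flags.append("legacy SDA card authentication")
    return flags


def triage(txns: list[Transaction]) -> dict[str, list[str]]:
    """Map each flagged transaction id to its list of reasons."""
    result = {}
    for txn in txns:
        flags = check_transaction(txn)
        if flags:
            result[txn.txn_id] = flags
    return result


# Constructed sample records (not real transactions).
SAMPLE = [
    Transaction("t1", "card-A", "chip", "offline_pin", True, "CDA"),   # consistent
    Transaction("t2", "card-A", "chip", "offline_pin", False, "CDA"),  # PIN disagreement
    Transaction("t3", "card-B", "magstripe_fallback", "signature", False, "DDA"),
    Transaction("t4", "card-C", "chip", "signature", False, "SDA"),    # signature on SDA
    Transaction("t5", "card-D", "chip", "online_pin", False, "DDA"),   # online PIN: card
                                                                       # does not verify it
]

if __name__ == "__main__":
    for txn_id, reasons in triage(SAMPLE).items():
        print(txn_id, "->", "; ".join(reasons))
```

Note that `t5` is not flagged: with online PIN the card never sees the PIN, so `card_pin_verified` being false is expected, and only the offline case is a genuine contradiction.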


Bio: Andrea Barisani is an internationally known security researcher. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick…and break.

His experience focuses on large-scale infrastructure administration and defense, forensic analysis, penetration testing and software development, with more than 10 years of professional experience in security consulting.

As an active member of the international open source and security community, he has contributed to several projects, books and open standards. He is now the founder and coordinator of the oCERT effort, the Open Source Computer Emergency Response Team.

He has been a speaker and trainer at BlackHat, CanSecWest, DEFCON, Hack In The Box and PacSec conferences, among many others, speaking about TEMPEST attacks, SatNav hacking, 0-days, OS hardening and many other topics.