EMV

EMV (Chip & [ Signature or PIN ] )

This is a chip added to make a card ‘smart’. The consumer uses the card, then provides a personal identification number (PIN) or signature.
 
For electronic and mobile transactions, each EMV user has to insert the physical EMV charge card into a handheld reader (see CAP & DPA below) and enter the personal identification number (PIN). The reader displays a one-time password to validate the user’s identity. The user then has to enter that password on the merchant checkout page or an online banking site. NC3 is simpler.

see http://www.SmartCardAlliance.org/pages/publications-emv-faq#q12

 
Weaknesses in both the EMV chip in the card and the associated readers (ATMs, POS terminals, etc.) have been reported since at least early 2007.

April 2007

Some weaknesses / vulnerabilities in portable EMV readers were described in this article from The Register (Biting the hand that feeds IT).

February 2008

University of Cambridge Technical Report 711

January 2010

Chip&PIN or Chip&Signature? See why the difference is worth billions, even before EMV. “What we witnessed was truly a perverse form of competition. They competed on the basis of raising prices. What other industry do you know that gets away with that?” See the rest of the story at the New York Times.

February 2010

BBC report by Susan Watts on new chip & PIN flaws: “Flaws in chip and pin bank card security identified” (BBC News, 2/11/2010).

EMVCo responded to the February 2010 paper, saying in part, “It is EMVCo’s view that when the full payment process is taken into account, suitable countermeasures to the attack described in the recent Cambridge Report are already available.”

May 2010

At the IEEE Symposium on Security and Privacy, May 16-19, Oakland, CA, researchers from the University of Cambridge Computer Laboratory published another paper on problems with EMV. This was simply titled Chip and PIN is Broken (14 page PDF). This weakness was shown in the February 2010 BBC report linked above.

May 2011

As of May 2011 some 30 million Europeans [ http://www.SmartCardAlliance.org/articles/2011/05/05/smart-card-alliance-annual-conference-day-one-%E2%80%93-emv-and-the-united-states ] use EMV cards and readers for Internet transactions.

September 2012

University of Cambridge, Cloning EMV cards with the Pre-Play attack, and an excellent BBC summary with video on that report. There was also an article titled Chip & Skim from security researcher Brian Krebs.

February 2014

PayPal CEO’s EMV-enabled card skimmed & cloned

The president of PayPal used an EMV-enabled card on a recent trip to the United Kingdom. According to David Marcus, the card was “probably” skimmed at his hotel or at a merchant.
 
While there may be some element of reasonable skepticism as the CEO of PayPal has a vested interest in knocking EMV (loudly knocking too) for card-present transactions, links on this page have described how EMV is no panacea as well as being cumbersome for transactions other than card-present. See another link below from September 2012.
 
Re Marcus
http://www.usatoday.com/story/tech/2014/02/10/paypal-ceo-credit-card-hacked/5367979/
    and
http://www.dailymail.co.uk/news/article-2557766/PayPal-president-credit-card-skimmed-used-illegal-shopping-spree-trip-UK.html

January 2014

On how RAM scrapers enter the process

01/10/2014 http://threatpost.com/ram-scraper-malware-a-threat-to-point-of-sale-systems/103623

May 2014

End-to-End Encryption (E2EE) is sometimes mentioned as the last security element needed to make the EMV-enabled process completely secure. The fallacy in that thinking is that the information from the chip-enabled card and the personal identification number (PIN) are entered into a point-of-sale (POS) terminal. As demonstrated in the Target compromise, those terminals can be infected with a RAM scraper and the information compromised prior to encryption.

Update to Chip-and-Skim
The September 2012 paper was significantly updated.

However, our paper shows that Chip and PIN, as currently implemented, still has serious vulnerabilities, which might leave customers at risk of fraud. Previously we have shown how cards can be used without knowing the correct PIN, and that card details can be intercepted as a result of flawed tamper-protection. Our new paper shows that it is possible to create clone chip cards which normal bank procedures will not be able to distinguish from the real card. [ source: from the Computer Laboratory, University of Cambridge, UK (16 page PDF) presented at the 2014 IEEE Symposium on Security and Privacy in San Jose, California 5/19/2014. highlighting ours -ed ]

A related article by one of the authors.

Change in Presumption of Innocence

An article in The Register (whose slogan is Biting the hand that feeds IT) is rather critical of chip-and-pin, citing established weaknesses and some new ones referred to in the new paper Chip and Skim: cloning EMV cards with the pre-play attack (see link above).

In the article it is worth looking at the change in what we call presumption of innocence as it describes the case of a Mr Gambin, “who was refused a refund for a series of transactions that were billed to his card and which HSBC [ his bank ] claimed must have been made with his card and PIN at an ATM in Palma, Majorca on the 29th June 2011 [ sic ]. In such cases we advise the fraud victim to demand the transaction logs from the bank. In many cases the banks refuse, or even delete logs during the dispute process, leaving customers to argue about generalities.” [ The bank deleted the evidence that would have shown the fraud. highlighting ours, see right column page one of the 16 page PDF -ed ]

Zero Protection by EMV For Target

An article by security researcher Brian Krebs on how zero Target victims would have been protected by EMV-enabled cards.

10/27/2014 EMV or not(EMV)?

A number of fraudulent charge card transactions came via a non-US country. Nothing new there. These charges were submitted through the payment network as chip-enabled transactions. New, but not really news. So what is the news? The cards used came from banks that “haven’t even yet begun sending customers chip-enabled cards.” (source)

Are the banks responsible for the fraud costs from these transactions? Was there a chip or not? In general, if the consumers use chip-enabled cards the bank is liable, but this? Another question: How did non-EMV cards generate EMV transactions that made it through the payments networks at all? Initially the providers insisted the charges were made with physical cards with a chip. How can this be so if the bank hadn’t issued any? One possibility was that the crooks had access to a payment terminal and modified the payment fields to make the transaction appear as though it was from a chip-enabled card when it was not.
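
One way an issuer could catch the mismatch described above, as an added example that is not from the original page or from any payment network's code. The record layout, the token names and the cryptogram_ok flag are assumptions made for illustration; the entry-mode codes are the ISO 8583 field 22 values for chip and magnetic stripe reads.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ISO 8583 field 22 (POS entry mode): the first two digits say how the card
# was read. 05 = contact chip, 07 = contactless chip, 90 = magnetic stripe.
CHIP_ENTRY_MODES = {"05", "07"}


@dataclass(frozen=True)
class AuthRequest:
    pan_token: str                  # tokenised card number (constructed)
    pos_entry_mode: str             # field 22, e.g. "051"
    icc_data: Optional[bytes]       # field 55 chip data, None when absent
    cryptogram_ok: Optional[bool]   # assumed: result of the issuer's own
                                    # cryptogram check, None if not performed


def screen(req: AuthRequest, chip_issued: Dict[str, bool]) -> Tuple[str, str]:
    """Check a chip claim against what the issuer knows about the card."""
    if req.pos_entry_mode[:2] not in CHIP_ENTRY_MODES:
        return "CONTINUE", "not presented as a chip transaction"
    # The case in the text: a chip read is claimed for a card that was
    # never issued with a chip, so the entry-mode field cannot be genuine.
    if not chip_issued.get(req.pan_token, False):
        return "DECLINE", "chip claimed for a card issued without a chip"
    if not req.icc_data:
        return "DECLINE", "chip claimed but no chip data in field 55"
    # Fail closed: an unverified cryptogram is treated like a bad one.
    if req.cryptogram_ok is not True:
        return "DECLINE", "chip cryptogram missing or failed verification"
    return "CONTINUE", "chip claim consistent with issuer records"


# Constructed issuer records and authorization requests (not real data).
CHIP_ISSUED = {"tok-A": False, "tok-B": True}
SAMPLE = [
    AuthRequest("tok-A", "051", b"\x9f\x26\x08" + bytes(8), None),
    AuthRequest("tok-A", "901", None, None),
    AuthRequest("tok-B", "051", None, None),
    AuthRequest("tok-B", "051", b"\x9f\x26\x08" + bytes(8), False),
    AuthRequest("tok-B", "071", b"\x9f\x26\x08" + bytes(8), True),
]


def screen_all(requests: List[AuthRequest]) -> List[Tuple[str, str, str]]:
    return [(r.pan_token, *screen(r, CHIP_ISSUED)) for r in requests]


if __name__ == "__main__":
    for token, decision, reason in screen_all(SAMPLE):
        print(f"{token}: {decision} ({reason})")
```

The first sample request is the situation in the text: the transaction is flagged as a chip read, but the issuer's own records show no chip was ever issued for that card.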


CAP & DPA

EMV card readers for consumer use in electronic or mobile commerce are available in several designs. The MasterCard system is the Chip Authentication Program (CAP), which adheres to the EMV specifications. The concept was used by Visa in their Dynamic Passcode Authentication (DPA) offering. Each consumer gets their own device and not all readers can be used at all banks. Some CAP-adherent devices work only for their issuing bank. So, if a consumer has two separate accounts, they could require two separate readers. The devices range in size from a rectangle only a little larger than a charge card to one that resembles a small calculator.

A subset of the CAP protocol was created by the Association for Payment Clearing Services (APACS), a United Kingdom coordinating group. If a provider’s CAP device was APACS compliant, then the same device would work for another provider if they too were APACS compliant. In mid-2009 APACS was replaced by UK Payments Administration Ltd (UKPA). Wikipedia has more on CAP.

2/08/2015 EMV failure rate in US

A journalist, assured by his US bank that his EMV-enabled cards would work overseas, was unable to use one at a T-Mobile store in Hannover, Germany. At the Frankfurt airport the EMV-equipped card failed to purchase a “particularly interesting single malt Scotch whiskey” at the duty-free store. The POS terminal just said the chip was “invalid”. A manager at the Walmart store in Fairfax, Virginia watched a sales transaction fail for the third time. The POS message was “Canceled.” Read the rest of the article.

4/1/2015 Replay Attacks, pre-packed and ready for sale

“ … selling a fairly sophisticated software-as-a-service package to do just that. The seller, a hacker who reportedly specializes in selling skimming products to help thieves steal card data from ATMs and point-of-sale devices … offers to provide buyers with a list of U.S. financial institutions that have not fully or properly implemented systems for accepting and validating chip-card transactions.” (source)

7/20/2015 EMV weaknesses from BlackHat 2015

In his Overview of Contactless Payment Cards, Peter Fillmore reported:

Identified flaws in EMV systems include:
   Ability to downgrade authorization method
   Insufficient replay prevention
   Lack of Man In The Middle protection
   No protection against relay attacks
   Insecure generation of random numbers
   Plaintext transmission of sensitive data.

Additionally EMV software used in commercial products has been shown to be vulnerable to basic logical attacks. [ citations were provided in the paper (9 page PDF) ]

A slide presentation (60 page PDF) titled Crash and Pay: Owning and Cloning Payment Devices reviews the basics of EMV transactions and attacks, then continues with descriptions of how to clone MasterCard-TypeA and Visa-TypeA cards. Also discussed is the impracticability of cloning the actual cards, but the ability to clone transactions and re-play them (see slide 26). NFC is vulnerable too (see slide 49), and that includes ApplePay.

9/29/2015 EMV criticized by NRF

With just a few days before the EMV conversion requirement …

…. the powerful National Retail Federation blasted banks and credit card companies on Tuesday for problems and costs with the massive ongoing U.S. rollout of computer chip cards and chip card readers.

Mallory Duncan, general counsel for the NRF, said computer chip cards will initially require customers to provide a signature, instead of a distinct PIN (personal identification number), which won’t eliminate online and phone fraud with a stolen or lost chip card.

He also said the financial burden — now in the tens of billions of dollars — of making the transition to chip card technology unfairly rests mainly with retailers, not banks and credit card providers. … Industry experts estimate there are 12 million payment terminals in the U.S., and Duncan estimated just 40% are upgraded so far. [ more at the source, highlighting ours – ed ]

see also the National Retail Federation (NRF) post asking Worth the expense?

10/08/2015 FBI warns on EMV

In a public service announcement (I-100815-PSA) the Federal Bureau of Investigation (FBI) warned “Although EMV cards will provide greater security than traditional magnetic strip cards, they are still vulnerable to fraud. EMV cards can be counterfeited using stolen card data obtained from the black market. Additionally, the data on the magnetic strip of an EMV card can still be stolen if the PoS terminal is infected with data-capturing malware. Further, the EMV chip will likely not stop stolen or counterfeit credit cards from being used for online or telephone purchases where the card is not physically seen by the merchant and where the EMV chip is not used to transmit transaction data.” [ PSA removed, see update below.-ed ]

Update 10/09/2015  FBI takes down PSA

The same day it posted I-100815-PSA about EMV, the FBI was contacted by the American Bankers Association and the PSA was removed. More at Computerworld/Matt Hamblen. Here is the original PSA.

Update 10/13/2015  FBI posts revised PSA

Here is the revised PSA and here is the original PSA.

Update 10/14/2015  War of the Words

Just one day after the revised PSA was posted the National Retail Federation renewed its public display of unhappiness.

Mallory Duncan, general counsel for the National Retail Federation, characterized the revised FBI warning as ineffective in describing the need for PIN (Personal Identification Number) security.

He [Duncan] also accused U.S. banks of “trying to play fast and loose with security” because bank officials persuaded the FBI to alter the original message to drop some references to PINs.

The FBI’s message “has been watered down to the point of not being particularly helpful so that it’s … not much of a public service,” Duncan said in an interview. [ Source: Computerworld highlighting ours -ed ]

[ Considering that the PIN security features were bypassed academically in a paper presented in May 2010 (see also BBC video from February 2010) and used by crooks in 2011 (reported in French research paper) at least 7,000 times, fixed in Europe, and maybe fixed in the US, maybe we need something better? – ed ]

10/19/2015  EMV was so broken

In February 2010 the BBC aired a segment showing Cambridge researchers bypassing EMV (with chip-and-PIN). The device required a portable computer hidden in a backpack. The paper was presented at IEEE a few months later. What took a portable computer five years ago was reduced to a single chip less than two years later.

A paper (20 page PDF) by French researchers describes how the academic research from 2010 was actually implemented and used in criminal activity as early as May 2011. The stolen credit cards were altered by implanting a second chip capable of spoofing the PIN verification required by point-of-sale terminals. While the specifics were not revealed, the researchers report the specific weakness has been remedied, at least in Europe. But EMV was supposed to be … unassailable. For more see Wired…

[ Years before the 10/1/2015 EMV deadline we knew academics had bypassed chip-and-PIN yet we spent billions to adopt the compromised system? Or, has this particular problem already been addressed in the US EMV chip-and-signature environment as well? Are there other problems which haven’t been made public? -ed ]

11/17/2015  Merchants Unhappy … very

As some predicted, the terminals that accept EMV chip-enabled cards are proving to be slower. The disruption is at a bad time for merchants, just as the holiday shopping season is beginning its windup.

There was always a question about whether EMV was more about consumer protection or shifting liability for losses from provider to merchant. “The real savings is not about fraud, the real savings is about interchange.” Last year, merchants paid about $61 billion in interchange fees compared with about $30 billion in fraud losses per David Robertson, publisher of The Nilson Report.

The current US implementation of EMV is chip-and-signature, sometimes without the signature. It validates the card, but not the person. Anyone could be holding that card. The more protective version is chip-and-pin, where the person has to enter a personal identification number. The attorneys general of Georgia (Sam Olens, a Republican) and Connecticut (George Jepsen, a Democrat) wrote to their counterparts, asking them to urge providers to adopt the more stringent measure. Entering a PIN slows merchant throughput, another expense for merchants. The letter has been revised and now includes eight other attorneys general. (Source: NYTimes)

[ Weaknesses in chip-and-pin have been documented since 2010 -ed ]

11/19/2015  UK believes PIN will be obsolete

Intelligent Environments surveyed 2,000 UK banking customers and 2/3 believe the PIN will be obsolete in just under five years.

The research indicates that banking customers may be losing faith in the PIN. As criminals continue to adopt new methods to commit fraud, people clearly don’t have confidence that the PIN is strong enough to protect what’s most important. In addition, many customers’ failure to observe basic PIN security measures demonstrates a dangerous ambivalence, which could be putting them at risk. Innovative alternatives to the PIN are not only possible, they’re preferable, since they not only make accounts more secure, but they enhance the banking experience for the customer. Whether or not Brits are right about the PIN being dead within five years, it’s clear that banks need to act now to change the current security landscape. [ Source: David Webber, Intelligent Environments managing director in a press release. highlighting ours. -ed ]

11/24/2015  MagSpoof

A small wireless device about the size of a quarter forces EMV terminals to revert to swiping, then spoofs the swipe itself with magnetic stripe information loaded by the user. See more of the story …

2/16/2016  US EMV 17% penetration

Fewer than one in five merchants are EMV-ready.

According to Visa CEO Scharf, just 17% of physical transaction merchants are EMV capable. Why so few? Was the purpose of EMV to protect consumers or shift liability from providers to merchants? Merchants object to huge capital costs and decrease in throughput. Consumers are not happy with the checkout delay either. Based on experiences with the other 19 of the G20 countries, all-EMV won’t be a reality for several years. More at Krebs On Security.

3/15/2016  Small Merchants go to court over EMV certification

EMV capable small merchants still can’t do EMV and it costs!

Two small merchants in Florida are seeking class-action status against the rising volume of chargebacks and fees due to the EMV liability shift. The merchants converted by the deadline of 10/1/2015, but have not been certified by the providers. That is a process over which they have no control. The suit is an anti-trust complaint alleging a conspiracy to shift billions of dollars of fraud-related expenses back onto merchants without giving merchants “meaningful recourse.”

From October 1, 2015 to February 15, 2016 the two merchants have had to pay a total of $9,636.22 for 88 chargebacks. During the same period the previous year there were only 4. The suit also alleges “overcharge” because the interchange fees are, in part, to cover fraud losses that they are now paying directly. See Gartner Group Blog and more at Bank Info Security.

8/05/2016  Chip & Pin bypassed

At the Black Hat security conference two researchers from NCR Corporation demonstrated how to capture data and bypass chip and pin protections. They used a Raspberry Pi computer to effect a passive man-in-the-middle compromise.
More at ThreatPost

 
The only way to protect consumer credentials from compromise while in the temporary custody of a merchant or other party is never to provide those credentials to them in the first place, yet provide for the merchant to be paid.

What Merchants don’t have,
Crooks can’t steal!

   


Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.