VISA / EMV tech under fire

Posted 6 months, 3 weeks ago at 12:23 pm. 0 comments

It’s been a bad week for the EMV boys’ club, with a massive attack demonstrated against chip ‘n pin PIN validation, plus a scathing whitepaper pointing out how badly architected VISA’s new-generation 3D Secure authentication mechanism is.

For the chip ‘n pin attack see here, and for the security analysis on 3D Secure see here.

The chip ‘n pin attack is really simple, and is born of a huge mistake in the protocol design of the EMV PIN validation routine. Basically, the terminal is happy to simply trust the card when it returns a “PIN valid” or “PIN invalid” response, rather than requiring something more substantial such as “please sign this challenge with your PIN validation key”, so that the terminal (and subsequently the issuing bank) can be 100% assured that the PIN was validated by the correct card. The attack simply performs a man-in-the-middle and returns “PIN valid” on behalf of the card, i.e. the card is never asked to validate the PIN, yet it gladly authorizes any subsequent transaction. The terminal simply believes the PIN has been validated, asks the card to authorize the transaction, and then informs the bank that both went OK (PIN + transaction). EMVCo’s official response concludes with:

“while such an attack might be theoretically possible, it would be extremely difficult and expensive to carry out successfully”.

However, this article on StorefrontBacktalk mentions:

“That argument was effectively obliterated with a wonderful piece of video journalism done by the BBC. It filmed one of the Cambridge researchers actually using this attack—successfully—at a wide range of retail locations leveraging borrowed cards of BBC staffers. Seeing the attack in action makes two things clear: It’s not theoretical, and it’s even practical. The movements of the pretend cyberthief were natural and not at all suspicious.”

EMVCo is clearly delusional.
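To make the design mistake concrete, here is an added toy model (not code from the post or from EMVCo) of the two terminal behaviours contrasted above: one that trusts a bare status word, and one that only accepts a keyed response over a fresh challenge. The shared key and HMAC are a constructed stand-in for the card’s real cryptogram scheme, and the status words are ISO 7816-style values.

```python
"""Toy model: unauthenticated PIN status vs. challenge-bound PIN attestation."""
import hashlib
import hmac
import os
from typing import Optional

PIN_OK, PIN_WRONG = "9000", "63C2"  # ISO 7816-style status words (success / wrong PIN)


class Card:
    """Genuine card: knows the PIN and a key shared with the issuer (constructed)."""

    def __init__(self, pin: str, key: bytes):
        self._pin, self._key = pin, key

    def verify_pin(self, pin: str) -> str:
        # Flawed design: the result is a bare status word anyone in the path can forge.
        return PIN_OK if pin == self._pin else PIN_WRONG

    def verify_pin_attested(self, pin: str, challenge: bytes) -> Optional[bytes]:
        # Proposed design: a correct PIN yields a MAC over the terminal's challenge;
        # a wrong PIN yields nothing, so there is no "valid" answer to replay or forge.
        if pin != self._pin:
            return None
        return hmac.new(self._key, b"PIN-VERIFIED" + challenge, hashlib.sha256).digest()


class Interposer:
    """Device sitting between terminal and card, as in the attack; holds no key."""

    def verify_pin(self, pin: str) -> str:
        return PIN_OK  # asserts success without ever consulting the card

    def verify_pin_attested(self, pin: str, challenge: bytes) -> bytes:
        return os.urandom(32)  # cannot compute the MAC; the best it can do is noise


def terminal_trusts_status(device, entered_pin: str) -> bool:
    """Flawed terminal: believes whatever status word comes back."""
    return device.verify_pin(entered_pin) == PIN_OK


def terminal_checks_attestation(device, entered_pin: str, issuer_key: bytes) -> bool:
    """Hardened terminal/issuer: accepts only a MAC it can recompute over a fresh challenge."""
    challenge = os.urandom(16)
    response = device.verify_pin_attested(entered_pin, challenge)
    if response is None:
        return False
    expected = hmac.new(issuer_key, b"PIN-VERIFIED" + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)
```

With the first terminal the interposer is accepted for any PIN; with the second, only the genuine card with the correct PIN gets through, because the fresh challenge and the key bind the answer to the card that actually checked the PIN.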

The 3D Secure analysis is a good read too, and is a great example of a very badly designed web authentication system. Basically 3D Secure / SecureCode breaks all the rules, leaving the user in a position where his security cannot be guaranteed. Awesome tricks such as iframing the credential-entry page so that SSL padlocks etc. are ineffective, plus the fact that transaction data is passed to all parties, really give me the impression that the architecture was never properly security reviewed. This is coupled with the fact that 3D Secure (and chip ‘n pin, in fact) pushes more and more liability onto the cardholder. Of course this is a question of economics - if the mere existence of this technology means that VISA washes its hands of fraud, why would they bother making it secure? The liability and the incentive to secure should be in the same place.

Your thoughts?
