September 20, 2016
Security breaches are an all-too-common event in today’s society. Experts, therefore, try to stay one step ahead, working like hackers to find system flaws and new glitches in computer and information systems. The Black Hat USA 2016 security conference, which took place July 30–August 4 in Las Vegas, provides a forum where security researchers assemble to discuss these critical topics in computer security. One of these key topics is payment systems and EMV.
Payment systems and EMV have been rumored to have flaws in their ecosystem. More often than not, experts say, these issues stem from flawed implementations. For instance, if an issuer spends millions of dollars deploying EMV chip cards to the field but does not upgrade its backend host authorization systems to perform basic EMV validation (such as Cryptogram/ARQC validation, Application Transaction Counter/ATC checks, etc.), then the investment in the card technology is moot.
Hackers have attempted to target out-of-date EMV implementations and then leak the often questionable results to the public, causing misconceptions about EMV security. For instance, Combined Data Authentication (CDA), which helps prevent man-in-the-middle (MITM) attacks, was introduced in EMV 4.0 back in 2000. However, issuers in some geographic areas continue to use Static Data Authentication (SDA) even today.
To further complicate the issue, other hacks target problems that the EMV specifications were not intended to address. Specifically, EMV aims to prevent counterfeit payments from being presented for “card present” transactions at the POS. It was never designed to target “card not present” (eCommerce) fraud, provide card data encryption, or address the other concerns that some raise in an attempt to discredit the effectiveness of EMV. In short, EMV should not be seen as a “silver bullet,” a solution that solves every problem in the world of payments. Other technologies address these deficiencies and are discussed later in this post.
This is an important distinction to keep in mind, especially when considering the presentations at Black Hat this year. One paper presented claimed that hackers could introduce a MITM shimmer between the terminal and the cash register. In the absence of point-to-point encryption (P2PE) or strong authentication, they could: (a) steal card data relayed between the terminal and the cash register, (b) create a counterfeit magstripe card from the stolen data and use it at an offline terminal that allows merchant stand-in, and (c) manipulate PIN prompts.
As noted before, EMV does not provide card data encryption. However, with P2PE and hardware-level encryption at the terminals (which prevent MITM attacks) becoming more ubiquitous, the need for card data encryption is eliminated in most cases.
Furthermore, it is possible to create a counterfeit magstripe card based on data extracted from the chip and use it at a merchant terminal that supports offline processing. In these cases, an unsuspecting merchant who is offline and does not want to lose a sale may take the risk of approving the transaction (commonly known as merchant stand-in risk). Merchants can adopt several risk mitigation strategies, the least of which is to perform a local BIN table look-up to see if the transaction was initiated by an EMV chip card, thus identifying the card as counterfeit.
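The local BIN table look-up described above can be sketched as follows. This is an added example, not code from UL or from the Black Hat paper. The BIN ranges, floor limit, card numbers and decision names are constructed assumptions, and the Track 2 service-code check goes beyond the BIN look-up the text mentions.

```python
import re

# Constructed local BIN table: (first BIN, last BIN, issued_as_chip). Values are invented.
BIN_TABLE = [(400000, 400099, True), (510000, 510999, False)]
FLOOR_LIMIT_CENTS = 5000  # assumed merchant stand-in limit

# ISO/IEC 7813 Track 2: ;PAN=YYMM + 3-digit service code + discretionary data?
TRACK2 = re.compile(r"^;?(\d{12,19})=(\d{4})(\d{3})\d*\??$")

def parse_track2(raw):
    """Return (pan, expiry, service_code) or raise ValueError on malformed data."""
    m = TRACK2.match(raw.strip())
    if m is None:
        raise ValueError("malformed Track 2 data")
    return m.group(1), m.group(2), m.group(3)

def bin_issued_as_chip(pan):
    """True/False from the local table, or None when the BIN is not listed."""
    bin6 = int(pan[:6])
    for low, high, chip in BIN_TABLE:
        if low <= bin6 <= high:
            return chip
    return None

def stand_in_decision(raw_track2, amount_cents, host_online):
    """Decide what to do with a swiped (magstripe) transaction."""
    if host_online:
        return "SEND_ONLINE"          # issuer host makes the call
    try:
        pan, _expiry, service_code = parse_track2(raw_track2)
    except ValueError:
        return "DECLINE"
    chip = bin_issued_as_chip(pan)
    # The service code sits on the stripe and can be rewritten by whoever
    # encoded it, so the BIN table is the authoritative signal.
    if chip is True or service_code[0] in "26":
        return "DECLINE"              # chip card presented as magstripe
    if chip is None or amount_cents > FLOOR_LIMIT_CENTS:
        return "DECLINE"              # unknown BIN or above stand-in limit
    return "STAND_IN"
```

A swipe from a chip-issued BIN is refused for stand-in even when the service code on the stripe has been changed to a non-chip value.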
After the revelation of these hacks at Black Hat, some of the media coverage unfairly targeted the efficacy of EMV, while others questioned whether the EMV migration was warranted at all. One news article said, “The technology known as EMV, which is supposed to provide consumers with an added layer of security, is beginning to see some wear.” Another article’s headline read, “Researchers bypass EMV card protections.”
EMV is meant to do one thing: solve for counterfeit fraud. However, this does not preclude the need for merchants to protect their transaction environments through other mechanisms, ensure they are PCI compliant, and adopt appropriate risk-mitigation best practices to protect themselves from hackers. To close the security gap, UL highly recommends merchants and acquirers adopt P2PE to prevent MITM attacks at POS locations.