Hackers are able to fool POS-terminals using stolen chip cards

The Cambridge University professor Ross Andersson and his team (Steven J. Murdoch, Saar Drimer, Ross, Mike Bond) released a research report recently, that will soon appear in IEEE Symposium on Security and Privacy. This time it’s the chip card itself and they discovered one issue that enables hackers to fool POS-terminals, using stolen chip cards….

To make this clear, this issue does NOT affect any of Todos Security Products, used for strong two-factor authentication.

If you continue reading, you will get an explanation in plain English of the research paper…

The issue is that the POS-terminal cannot verify their own decision, how the cardholder actually was authenticated, and that there is no way to communicate this intention (terminal decision) back to the issuer.

This issue can be exploited by intercepting the communication between the terminal and the chip. When the PIN is sent to the chip, the interceptor simply returns “OK”, which leaves the terminal to believe that PIN was verified OK, while the chip never received the PIN and thinks PIN was NOT requested (fallback to signature transaction). Therefore, after the transaction has been completed, the POS-terminal believes it was an offline PIN transaction, where PIN was correctly verified, while the chip believed it was a signature-only transaction.

When the issuer receives this transaction, there is no way for him to understand that the POS-terminal had in mind a PIN-transaction, as the only information the issuer receives is the result from the chip. Currently there is no (standardised) way for the POS-terminal to communicate this intent to the issuer, and this leads to a potential exploitation of this discovery.

Some conclusions:

  • The attack only works with a stolen card (SDA/DDA/CDA)
  • The attack works for both online and offline transactions
  • The attacks only works on POS-terminal (ATM’s are not affected)

There are several ways of fixing this, and I expect emvco to act swiftly on this, as they need to act, and have nothing to lose to disclose information, as the best mitigation technique is making sure the bank understands the implications of this issue.

What can be done to solve or mitigate this?

  • There are a number of things that you could tell your risk dept.; reducing the allowed spending limit for signature transactions; reduce the risk by requesting more online transaction for foreign cards, which in turns enable that issuer to check if it’s a stolen card; if supported, introduce and push out black-lists to offline POS-terminals, as stolen cards will have to travel, and takes a few days.
  • The more elaborate and quirky is to implement local knowledge on how to identify and verify the CVR’s of the cards in your country, as this will be the bulk of your cards, and transporting a stolen cards will take a few days, but it won’t help much if your terminal isn’t CDA terminal. This will only be an intermediary solution, as emvco for sure will come up with a framework and guidelines around this.

If there are any major updates, insights on this, I will update this post.

Advertisements

~ by petergullberg on February 16, 2010.

2 Responses to “Hackers are able to fool POS-terminals using stolen chip cards”

  1. I have some more elaborate and practical suggestions, but I don’t want to post it here, you probably understand why :). If you’re a bank, and involved in credit card/security, please leave me a note to peter@todos.se, and I’ll provide you with more information.

  2. Here is the official response from EMV Co.: (March 23)
    http://www.emvco.com/documents/EMVCo_response_to_Cambridge_Report.pdf

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: