advertisement
advertisement

Chip-And-PIN Hack Is So Scary Because It Surprised No One

Written by Evan Schuman
February 18th, 2010
A February 2010 Cambridge University report that points out critical security flaws in chip-and-PIN (EMV) protocols—a security method that's ever-present in the U.K., being massively deployed in Canada and being pushed for use in the U.S.—is most surprising in how remarkably unsurprising it is. Retail IT execs specializing in security were especially concerned about the relative ease of the university hack execution.

Braden Black, a senior enterprise architect (and security specialist) for 305-store shoe chain DSW, said that, in his opinion, the biggest problem with chip-and-PIN—as it's currently deployed—is that banks have little incentive to make these systems secure because they no longer have any liability if they're repeatedly breached. That liability has been pushed to the retailers. "The ramifications of this attack are most disturbing when viewed in light of the fraud liability regulations that were adopted alongside the technology. Essentially, the banks offloaded fraud liability to merchants and cardholders."

This Story Is Only Available For Premium Subscribers. Click Or Login In Below To Read The Rest Of This Story.

Pages: 1 2 3

Posted in E-Commerce, In-Store, IT Strategy/Industry, Payment Systems, Premium Content, Security/Fraud, Software
advertisement

7 Comments | Read Chip-And-PIN Hack Is So Scary Because It Surprised No One

  1. bill bittner Says:
    February 18th, 2010 at 10:11 am

    This hack demonstrates a much larger vulnerability that goes way beyond payment authorization. As software design has moved to “object oriented” designs that encapsulate data and processes along with the whole concept of “stateless objects” the “man in the middle” or wedge attack becomes much easier. This could really happen in any situation. Just as we are hearing more about cyber attacks from overseas, we are using software design techniques that make our systems more vulnerable. Better get a kerosene lamp.

  2. R Dallaire Says:
    February 18th, 2010 at 12:08 pm

    I worked on EMV project in Canada. EMV is better than plain MSR card. No doubt. This is not marketing “gimmick”.

    The Cambridge/BBC video shows a guy using a Netbook PC and an EMV “test card” hooked on a stolen EMV card. Sure, you may hide all the cables

  3. R Dallaire Says:
    February 18th, 2010 at 12:15 pm

    Sure, you may hide all the cables but the setup will be obvious if you are wearing a T-Shirt. ;)

    EMV has to fix this. I don’t know if the same issue has been raised in Canada.

  4. A reader Says:
    February 18th, 2010 at 10:40 pm

    Mr. Bittner,

    How do you equate the failure of a developed-in-secret, 14-year-old cryptographic protocol with the adoption of object oriented programming, the recognition of design patterns, or the maturity of software engineering as a discipline? You are comparing oranges to a philosopher’s left elbow — the argument doesn’t even parse.

    There were no software failures here, no code crashes being exploited nor buffer overrun attacks smashing stacks. This was a failure in the design and creation of a *protocol* that fell prey to being spoofed. No objects failed, because no objects were transmitted. This is 100% protocol design failure; and it can be blamed on the secretive nature of the original design process and the immature cryptographic skills of the original protocol designers. (Here’s a hint for all you budding cryptographers: the best cryptographers know they aren’t good enough by themselves. They always seek outside validation of their designs. Always.)

    The chips inside the smart cards don’t even have the memory or the horsepower to support object oriented programming techniques. There aren’t dynamic memory allocations. These are tiny 8-bit chips with about 1K of RAM, and the applications hand coded in assembler (or possibly C.)

    I’m sorry if you are uncomfortable with modern design techniques, object oriented languages, test-driven development, design patterns, or if you think programming should still be functional now because it was functional back when you first learned it. If you are interested in that kind of bare-metal programming, might I suggest embedded systems design? It’s all about writing code for these tiny standalone processors, where every byte still matters and every cycle still counts. You even get style points for writing in assembler. :-)

  5. David Dorf Says:
    February 22nd, 2010 at 11:12 pm

    Long ago I used to write code for smart card terminals, including those that accepted EMV cards. Even with the imperfections, the chip-based systems are much more secure than mag-stripe. The fact that this particular hole went undiscovered for at least six years is actually pretty impressive. Although I don’t know the specifics, I’m willing to bet this particular issue can be resolved in the terminal code without having to reissue all the cards.

    This is a great example of the importance of ethical hacking. Hats off to the Cambridge team.

  6. Steve Sommers Says:
    February 23rd, 2010 at 12:50 pm

    Was it undiscovered? And are we sure there are variations already in the wild? There have been many customer complaints of fraudulent activity with EMV and most were simply swept under the carpet and attributed to a failure of the cardholder without much investigation. Recently the EU shifted some of the burden of proof back to the banks and this was done prior to this Cambridge report. If the system is so secure, why the shift?

  7. Howard Says:
    February 23rd, 2010 at 12:59 pm

    This hack has been available for over 8 years now. I doubt this should be a surprise to anyone.

Leave a Reply

Readers, specifically those who want to comment on a story:
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk.com? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.

Weekly, Monthly Newsletters

Quickly catch-up on the latest in E-Commerce and Retail Tech with our free weekly report, with urgent bulletins as news merits—along with our monthlies on Mobile, Security, In-Store, E-Commerce and CRM.
advertisement

Most Recent Comments

"I have strong reservations about the 'individual' certification and posting of that information for merchants. Can you imagine the potential employee poaching that might occur? The implications when competitors can look up how many are certified with each of their competitors? " -Christine

Should Forensic Tools Be Sold To Anyone?

A reader
Computers with FireWire have long been known to be vulnerable, since it has DMA access. Password interception via FireWire is not a new trick. Making these tools commercially available should put more of them in the right hands, where the overall level of benefit to society goes up. Assuming it doesn't further enable a corrupt Police State, of course. Read more...

Yes, Virginia, We Really Do Need A QIR Program

Michael
We are a Fortune 500 retailer. Our leadership applauds this new program. It's a good thing. Read more...

Big Data Is Exactly What You Think It Isn't

Thad Peterson
I agree that it's going to completely change the way retailers deal with their customers (and their suppliers), but there's going to be a whole bunch o' garbage out there before people really understand. Read more...

MasterCard Aims To Take Mobile Wallet Rivals Apart

Adrian Lane
Could you please validate the use of tokenization in the wallet's payment scheme? I'm looking at the wallet API and there is no mention of tokenization, only OAUTH identity tokens. Read more...

P2PE: No Cakewalk for Merchants, But There May Be No Alternative For Reducing Scope

Jaime
Walt, what are your thoughts on the applicability of P2PE to merchants who process using a mobile phone application with a swiper? I've asked a few QSA's this question and feeling seems to vary on whether a compliant POI device connected through the phone to a compliant gateway, etc. would allow the merchant to qualify. The crux of the conflict seems to be whether the phone remains in scope as part of the processing environment, or if it can be considered removed because the data is encrypted while being passed to the gateway through an app or the browser. Read more...
Andrew Jamieson
If the swipe device is PCI PTS certified, AND also compliant tot the SRED requirements of that standard, then it should be possible for the phone to be out of scope. This is basically the crux of the new PCI guidance on mobile payment acceptance, and the whole point of the SRED module (ie to help secure data through encryption to assist with scope reduction). Read more...

Considering An Operations Person For An Open IT Position? Don't Do It

Chris
I have an ops mentality but have worked directly or indirectly in IT for over 30 years. I think, naturally, young people and/or go-getter personality types are, by nature, "operations" types. However, as responsibility, experience, and maturity increases, people who may even be naturally "ops-oriented" can and should make the transition to an "IT" mentality like that you describe above. My boss is, by background, an "operations" person who never had a strong technical background or interest. Very smart, and capable when focused, but not that turned on by learning the intricacies of "how stuff works." In other words, despite over 20 years in the "IT" industry, still fixing tractors in the field. Read more...
Todd Michaud
I think that the more that both sides understand where the other is coming from, the better off everyone will be. I find that taking the time to ask someone "why" (is something being done that way, is that decision made, is this project important) can at least provide a good starting point. Read more...

Walmart's Online Cash Creates New Fraud Problem

ed
Wal-Mart pay-with-cash for online orders is a big benefit for resellers and suppliers versus reselling their products through eBay or Amazon.com. A startup supplier or product manufacturer no longer need to meet Wal-Mart strict specifications and minimum order requirement to stock products for sale in-store. They can now market throught Wal-Mart.com to a bigger crowd that can also pay with cash and use Wal-Mart expansive logistic system to deliver just-in-time. Read more...

"Careless" Systems Integrators Now Directly Under PCI DSS

Kat Valentine
This exact issue has been bothering me for years, and I was JUST talking about it with someone only yesterday. This may well be my favorite article, mostly because I'm biased and have hated this particular problem forever. Read more...
Nathan
Good article, but how does this have anything to do with the DSS? Read more...
Walt Conway
Actually, the QIR program has a lot to do with the DSS (or PCI). Since merchants rely on their reseller or integrator to implement their PA-DSS validated application, these resellers and system integrators play a critical role in merchants achieving and maintaining PCI compliance. As far as I can tell, the QIR program is designed to help merchants stay compliant by making sure their payment applications are installed according to the PA-DSS Implementation Guide, for example ensuring default passwords are changed (and protected), that the data encryption keys are properly set and secured, that the merchant's data retention policy is set, that no sensitive cardholder data are stored, and often that a firewall is in place and properly configured. Read more...
StorefrontBacktalk
Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.