More Bad News For EMV Security

Written by Evan Schuman
August 3rd, 2011

For years, EMV has been touted as a more secure payment card approach. But a presentation being made at this week’s Black Hat conference is the latest to say that the technology has fatal security flaws and, indeed, that its sophistication is its Achilles’ heel.

For the U.S. retailer, this news may further erode any movement toward Chip-and-PIN, an effort that had already effectively been stalled by retailer apathy. Despite a push last year by Wal-Mart, retailers have shown almost no interest in making the change. The move in the U.S. toward mobile payment, which is unlikely to be easily compatible with current-day EMV efforts, is the latest Chip-and-PIN roadblock.

This follows up earlier reports about thieves burning a hole in the back of an EMV card reader and a Cambridge University report that EMV was easy to fool.

The Black Hat presentation, made by engineers from Inverse Path and Aperture Labs, said EMV has not kept up with security in the years since it was introduced, giving the cyberthief community time to exploit its weaknesses.

“The chip interface is inherently accessible and not protected by tamper-proof sensors. It is therefore an extremely appealing target to fraudsters and it is nearly impossible for the cardholder [or merchant] to easily verify that the terminal has been tampered [with] and, for this reason, an EMV skimmer could go undetected for a very long time,” the group’s presentation said. “Is it possible for the backend to detect the CVM downgrade attack? The CVM List tampering results in flipping of the ‘SDA failed’ status bit presented by the terminal to the backend in the TVR (Terminal Verification Results). However, we do not feel it’s realistic for an issuer to block transactions/cards solely on this information as Offline Data Authentication can fail for several legitimate reasons.”

The group said there is a way around this flaw, but it has downsides. “A patch would require disabling plaintext PIN verification on POS and ATM firmware, preventing the downgrade attack in the first place. This, of course, would break compatibility with the EMV specification and prevent transactions with SDA cards on terminals that do not have online PIN verification capabilities.”
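To make the backend-detection question above concrete, here is an added example (not from the article or the Black Hat presentation) that decodes the TVR and CVM Results fields of an authorization record and treats the "SDA failed" bit as a scoring input rather than a block rule. Bit and code values follow EMV Book 3; the function names, sample records and the triage policy are assumptions constructed for illustration.

```python
# Added example: EMV TVR (tag 95) and CVM Results (tag 9F34) as issuer-side risk signals.
# Bit and code values follow EMV Book 3; the triage policy below is an assumption.
TVR_BYTE1 = {
    0x80: "Offline data authentication was not performed",
    0x40: "SDA failed",
    0x08: "DDA failed",
    0x04: "CDA failed",
}
CVM_METHODS = {
    0x01: "Plaintext PIN verified by ICC",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext PIN verified by ICC and signature",
    0x04: "Enciphered PIN verified by ICC",
    0x05: "Enciphered PIN verified by ICC and signature",
    0x1E: "Signature",
    0x1F: "No CVM required",
}
PLAINTEXT_OFFLINE_PIN = {0x01, 0x03}

def decode_tvr(tvr_hex):
    """Return the offline-data-authentication flags set in TVR byte 1."""
    tvr = bytes.fromhex(tvr_hex)
    if len(tvr) != 5:
        raise ValueError("TVR must be exactly 5 bytes")
    return [name for mask, name in TVR_BYTE1.items() if tvr[0] & mask]

def decode_cvm_results(cvm_hex):
    """Return (method code, method name, result byte) from CVM Results."""
    cvm = bytes.fromhex(cvm_hex)
    if len(cvm) != 3:
        raise ValueError("CVM Results must be exactly 3 bytes")
    code = cvm[0] & 0x3F  # low six bits select the method; 0x40 is a rule flag
    return code, CVM_METHODS.get(code, "Unknown or RFU"), cvm[2]

def assess(tvr_hex, cvm_hex):
    """Score one authorization; never declines on 'SDA failed' alone."""
    flags = decode_tvr(tvr_hex)
    code, method, _result = decode_cvm_results(cvm_hex)
    if "SDA failed" in flags and code in PLAINTEXT_OFFLINE_PIN:
        return "review", flags + [method]  # both signals: route to step-up checks
    if "SDA failed" in flags:
        return "note", flags + [method]    # SDA can fail for legitimate reasons
    return "ok", flags + [method]

# Constructed sample records: (TVR hex, CVM Results hex)
SAMPLES = [("4000008000", "410302"), ("4000008000", "420300"), ("0000008000", "440302")]

if __name__ == "__main__":
    for tvr, cvm in SAMPLES:
        print(tvr, cvm, *assess(tvr, cvm))
```

The "review" verdict is meant to feed other fraud controls, since a single failed SDA check is not enough to act on by itself.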

One problem with this is that the cost of retailers having less financial exposure, courtesy of the card brands, is increased liability for the consumer. That consumer might then be placed in the joyous position of having to prove a negative.

“The cardholder is assumed to be liable unless they can unquestionably prove they were not present for the transaction, did not authorize the transaction and did not inadvertently assist the transaction through PIN disclosure. PIN verification, with the help of EMV, increasingly becomes ‘proof’ of cardholder presence. It becomes impossible for the user to verify if the terminal has been tampered with, as the chip interface is not visible (unlike most mag stripe ones for POS terminals). An EMV skimmer could go undetected for a very long time and requires little installation effort.”

Andrea Barisani, the chief security engineer at Inverse Path, said the security that does exist is not effective. “The CVV matches the mag stripe only for cards that do not use iCVV, a different stored value to protect against this attack, introduced in January 2008 but not present on all cards,” he said. “It is fair to say that the possibility of massive harvesting and being protected by a 3-digit code is not a comforting scenario.”

In one EMV country—Canada—mobile payment is likely going to suffer the reverse impact of the U.S. In the U.S., EMV adoption has been all but halted while the community awaits mobile payment.

Payment officials in Canada say mobile payment adoption will likely be back-burnered, as chains have just recently completed full EMV deployment and will be hesitant to make a near-term shift. As a practical matter, though, this will have little impact. By the time mobile payments are mature enough for wide-scale deployment, probably about three years away, the Canadian merchant community will likely be ready to make the move.

