Report: Power Attacks On Credit Cards Still A Major Threat
Written by Evan SchumanIt’s hardly a new payment card security threat, but what has become known as differential power analysis (DPA) is still very much a threat on most payment smart cards, according to a report in this week’s Nilson Report, a well-respected newsletter covering payment issues.
A DPA attack, as described in the report, takes advantage of the electrical impulses inherent in any smart card.
"The silicon chips embedded in smart cards consume power whenever they process payment data and it is possible for criminals to measure these power fluctuations surreptitiously and then analyze them to decode the secret keys that secure the data," the report said.
The report also made its argument for the risks if such card capabilities are not restricted.
"Without safeguards, it would be theoretically possible for criminals to use DPA to build what are known as ‘evergreen’ payment cards — cards with counterfeit chips that are able to access an unlimited amount of funds, either because their amounts are never decremented or because they confirm the existence of amounts that aren’t there or because they reload fraudulent balances," the report said.
"DPA could also be used to impersonate or duplicate cards. Because this type of attack does not leave behind evidence that it has occurred, it is unclear how often DPA has been used to actually commit fraud. However, equipment used for DPA attacks has turned up in raids on fraud rings, and successful DPA attacks are regularly demonstrated by researchers and engineers."
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
