Thinking About Security ROI From The Thief’s Perspective

Written by Evan Schuman
June 24th, 2010

Retail IT execs have always been very good at making risk-based security budget decisions. They know how to calculate the probability of a certain attack method being used against them, its chances for success and the likely cost to the chain if it succeeds. And they know how to use that information as a way to negotiate with the CFO’s people to justify security investments. Security return-on-investment (ROI) arguments are old hat when dealing with black hats and bean counters.

But what about looking at the security ROI challenge from the cyberthief’s perspective? That means examining the techniques and seeing which delivers the best value for the profit-oriented criminal. A good example of this approach is differential power analysis (DPA) and Chip-and-PIN payment cards.

DPA, which essentially examines changes in a microprocessor’s power consumption and tries to infer authorization codes from those subtle fluctuations, has been found to be effective against Chip-and-PIN cards, especially older ones. But the cost—in terms of equipment, time and specialized skill—to capture one card’s data is too high to make it profitable, given that most profitable card data theft operations need to steal more than a million cards.

In other words, it’s not necessarily enough to determine whether you’re at risk of a successful attack. You also need to project whether it’s profitable enough for a professional thief to bother with.

One cryptographer, who works for a major retailer’s security operation, summarized his view of the challenge (anonymously, of course).

“DPA is a known attack vector, and researchers have demonstrated its validity in the lab. That means a well-funded criminal group could duplicate the attack. But today DPA works on one chip at a time, and it requires laboratory equipment and a very skilled researcher a long time to successfully recover a key. It’s not an attack that can be done with a skimmer in the back of a restaurant,” the retail security cryptographer said. “So the problem is, what value can be derived from an attack on a specific card? What secret keys can be recovered? If it’s just the account holder’s private key at risk, the criminals won’t be able to afford an attack. If you stole my wallet, I’ll report the theft long before you could recover my key. Even if you automated the attack and analysis, and shrunk the gear to a single laptop, it still takes many thousands of iterations to recover the data, and those iterations take time. It’s not an instant-break method.”

In short, why would a self-respecting cyberthief bother? “Today, I see much more practical attacks on the EMV protocols than on the chips. The offline reader spoofing and man-in-the-middle attacks are already demonstrated attacks on the current EMV systems. Fraudulent readers or spy cameras could still skim PINs in the anticipation of stealing the physical cards,” said the cryptographer. “Malware could infect POS terminals to redirect payments to criminal third parties. And there’s still the loophole of legacy mag-stripes on current smartcards being exploited in non-smartcard locations.”

Ahhh, but security ROI matters are rarely so black and white. Benjamin Jun, VP of technology at Cryptography Research, argues that the DPA target has morphed, making the ROI equation much more complex.

In a recent change, almost all Chip-and-PIN cards today (Jun estimates it at “more than 95 percent”) have built-in countermeasures that make the thief’s ROI even worse, rendering attacks on the cards themselves impractical. But it’s an entirely different story for the card terminal, where countermeasures are very scarce, and Jun couldn’t (wouldn’t?) name a single terminal vendor whose systems are protected against DPA attacks.
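The two cost drivers the article keeps returning to (the number of power traces, or “iterations,” an attacker must collect, and the effect of built-in countermeasures) can be made concrete with a simulation. The block below is an added illustration written for this page; it is not code from the article, from Cryptography Research or from any vendor, and it models no real card or terminal. Its assumptions are a toy leakage model (the device leaks the Hamming weight of one S-box output byte plus Gaussian noise), a constructed random byte permutation standing in for a cipher S-box, and Boolean masking as the countermeasure. It shows that first-order correlation DPA recovers the key byte once enough traces accumulate, that the count grows as noise rises, and that a freshly masked intermediate yields no usable correlation at all:

```python
"""Toy first-order DPA simulation: how trace count and masking drive attack cost.

Added illustration only; nothing here models a real card or terminal.
Leakage model (an assumption): the device leaks the Hamming weight of one
S-box output byte plus Gaussian measurement noise. Countermeasure modelled:
Boolean masking of that byte with a fresh random mask per transaction.
"""
import random

# Constructed S-box: a fixed random byte permutation stands in for a real
# cipher's S-box. Any known non-linear bijection serves the demonstration.
SBOX = random.Random(1).sample(range(256), 256)

# Hamming weight lookup, the usual model of how many bus bits are set.
HW = [bin(i).count("1") for i in range(256)]


def simulate_traces(key, n, sigma, masked=False, seed=0):
    """Return (plaintexts, leaks) for n transactions under one fixed key byte.

    Each leak is HW(S[p ^ key]) plus noise. With masked=True the device only
    ever handles S[p ^ key] ^ m for a fresh uniform mask m, so the leaked
    value is statistically independent of the key.
    """
    rng = random.Random(seed)
    plaintexts, leaks = [], []
    for _ in range(n):
        p = rng.randrange(256)
        v = SBOX[p ^ key]
        if masked:
            v ^= rng.randrange(256)  # fresh random Boolean mask per transaction
        plaintexts.append(p)
        leaks.append(HW[v] + rng.gauss(0.0, sigma))
    return plaintexts, leaks


def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 if either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0.0 or vy == 0.0:
        return 0.0
    return cov / (vx * vy) ** 0.5


def dpa_recover(plaintexts, leaks):
    """Correlation DPA over all 256 key-byte guesses.

    For each guess g, predict HW(S[p ^ g]) per trace and correlate the
    prediction with the measured leaks. Returns (best_guess, best_corr).
    The true key stands out only if the leak really depends on the
    unmasked intermediate value.
    """
    best_guess, best_corr = None, -2.0
    for g in range(256):
        predicted = [HW[SBOX[p ^ g]] for p in plaintexts]
        c = pearson(predicted, leaks)
        if c > best_corr:
            best_guess, best_corr = g, c
    return best_guess, best_corr


def traces_needed(key, sigma, masked=False, seed=0, step=25, cap=500):
    """Accumulate traces in batches of `step` and report the first count at
    which the true key ranks first, or None if `cap` traces are not enough.
    This makes the "many iterations" cost visible for one noise level.
    """
    plaintexts, leaks = [], []
    batch_seed = seed
    while len(plaintexts) < cap:
        p_batch, l_batch = simulate_traces(key, step, sigma, masked, batch_seed)
        batch_seed += 1  # distinct seed per batch so batches differ
        plaintexts += p_batch
        leaks += l_batch
        guess, _ = dpa_recover(plaintexts, leaks)
        if guess == key:
            return len(plaintexts)
    return None


if __name__ == "__main__":
    KEY = 0x5A  # constructed secret key byte
    for sigma in (0.5, 2.0, 4.0):
        n = traces_needed(KEY, sigma)
        if n is None:
            print(f"noise sigma={sigma}: key not recovered within 500 traces")
        else:
            print(f"noise sigma={sigma}: key ranked first after {n} traces")
    # Masked device: first-order DPA finds no usable correlation at all.
    _, corr = dpa_recover(*simulate_traces(KEY, 400, 0.5, masked=True))
    print(f"masked device, 400 traces: best correlation only {corr:.2f}")
```

The trace counts printed are artefacts of the toy model, not measurements of any product; the shape of the result is the point. Noise (whether from the device or from deliberate countermeasures) multiplies the number of traces needed, and masking defeats this first-order analysis outright. Masking does not make recovery impossible, since a higher-order analysis that combines the mask leak with the masked-value leak can still work, which is exactly why the article frames the question as one of cost rather than of possibility.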

Jun sees the terminal as a much more dangerous entry point than the card, for two distinct reasons. First, access to a terminal exposes many cards in a day, although not nearly the numbers that a cyberthief ring would need. But the second reason addresses that issue: terminal access is an excellent way to reach the backend database on the central servers. And that, as cyberthief ringleader Albert Gonzalez knows well, is the Holy Grail of card data.

“DPA is effective because you’re eavesdropping silicon as it actually works,” Jun said, adding that terminal access can allow the thief “to masquerade as the terminal and then eavesdrop on communication with the server, which could be used as an infiltration point. Then you can vacuum clean card information as it’s communicated to the server.”

Getting physical access to measure those power levels is often not difficult; finding and opening a shopping mall’s phone closet can be straightforward, especially if the thieves bother renting the proper uniforms.

How many retailers are even demanding terminals be protected against DPA attacks, let alone feature adequate countermeasures? Until terminal vendors start routinely seeing such demands on retail requests for proposals (RFPs), this problem will likely only be addressed after some major breaches. Thus far, none have been reported.

Is it better to wait for those breaches or start modifying your standard terminal RFPs?


3 Comments

  1. A Reader Says:

    Actually, all PCI-PED certified payment terminals are strongly protected against attacks, including DPA.

  2. Retail CSO Says:

    The quote from the “retail security cryptographer” sounds just like what people were saying about skimming a few years ago (i.e., it’s one card at a time and requires sophisticated knowledge about magnetic fields).

    I was at a hacker conference, where I saw a demo of power analysis with really cheap hardware done by hobbyists — and the key recovery was basically instantaneous too. I’m sure it takes some knowledge to figure out the first attack on a given device, but the attack I watched was just about instantaneous.

    Some of the testing labs charge a lot for DPA testing, so they have a vested interest in making DPA look difficult… but if the chain-smoking hacker kids can do it, I’m sure the guys who are doing skimming today could too if they tried.

    I’m also interested in the reader comment that “all PCI-PED certified terminals are strongly protected against attacks, including DPA”. I don’t know how well they are protected against DPA, but I’ve seen some pretty scary vulnerabilities in PCI-certified terminals. The smart card guys do seem to have their act together pretty well on the security front nowadays, but terminal makers have a history of cutting corners and I don’t ever recall seeing PED vendors advertising DPA protection.

  3. A Reader Says:

    Read the POS PED requirements, specifically A6 and A7. “To determine any PIN-security-related cryptographic key resident in the PED or ICC reader, by penetration of the PED or ICC reader and/or by monitoring emanations from the PED or ICC reader (including power fluctuations), requires an attack potential of at least 35 for identification and initial exploitation as defined in Appendix B of the PCI POS PED DTRs.”

    It’s a pretty clear requirement that a compliant pad should not leak energy traces. But to your point, it’s probably treated like anything else PCI related. Certify everything, and if there’s a leak, claim it was out of compliance.

