Is Your Chip Card Secure? Much Depends on Where You Bank (krebsonsecurity.com) 38
A recent series of malware attacks on U.S.-based merchants suggest thieves are exploiting weaknesses in how certain financial institutions have implemented the technology in chip-based credit and debit cards to sidestep key security features and effectively create usable, counterfeit cards. Brian Krebs reports via Krebs on Security: Traditional payment cards encode cardholder account data in plain text on a magnetic stripe, which can be read and recorded by skimming devices or malicious software surreptitiously installed in payment terminals. That data can then be encoded onto anything else with a magnetic stripe and used to place fraudulent transactions. Newer, chip-based cards employ a technology known as EMV that encrypts the account data stored in the chip. The technology causes a unique encryption key -- referred to as a token or "cryptogram" -- to be generated each time the chip card interacts with a chip-capable payment terminal.
Virtually all chip-based cards still have much of the same data that's stored in the chip encoded on a magnetic stripe on the back of the card. This is largely for reasons of backward compatibility since many merchants -- particularly those in the United States -- still have not fully implemented chip card readers. This dual functionality also allows cardholders to swipe the stripe if for some reason the card's chip or a merchant's EMV-enabled terminal has malfunctioned. But there are important differences between the cardholder data stored on EMV chips versus magnetic stripes. One of those is a component in the chip known as an integrated circuit card verification value or "iCVV" for short -- also known as a "dynamic CVV." The iCVV differs from the card verification value (CVV) stored on the physical magnetic stripe, and protects against the copying of magnetic-stripe data from the chip and the use of that data to create counterfeit magnetic stripe cards. Both the iCVV and CVV values are unrelated to the three-digit security code that is visibly printed on the back of a card, which is used mainly for e-commerce transactions or for card verification over the phone. The appeal of the EMV approach is that even if a skimmer or malware manages to intercept the transaction information when a chip card is dipped, the data is only valid for that one transaction and should not allow thieves to conduct fraudulent payments with it going forward.
However, for EMV's security protections to work, the back-end systems deployed by card-issuing financial institutions are supposed to check that when a chip card is dipped into a chip reader, only the iCVV is presented; and conversely, that only the CVV is presented when the card is swiped. If somehow these do not align for a given transaction type, the financial institution is supposed to decline the transaction. More recently, researchers at Cyber R&D Labs published a paper detailing how they tested 11 chip card implementations from 10 different banks in Europe and the U.S. The researchers found they could harvest data from four of them and create cloned magnetic stripe cards that were successfully used to place transactions. There are now strong indications the same method detailed by Cyber R&D Labs is being used by point-of-sale (POS) malware to capture EMV transaction data that can then be resold and used to fabricate magnetic stripe copies of chip-based cards.
Virtually all chip-based cards still have much of the same data that's stored in the chip encoded on a magnetic stripe on the back of the card. This is largely for reasons of backward compatibility since many merchants -- particularly those in the United States -- still have not fully implemented chip card readers. This dual functionality also allows cardholders to swipe the stripe if for some reason the card's chip or a merchant's EMV-enabled terminal has malfunctioned. But there are important differences between the cardholder data stored on EMV chips versus magnetic stripes. One of those is a component in the chip known as an integrated circuit card verification value or "iCVV" for short -- also known as a "dynamic CVV." The iCVV differs from the card verification value (CVV) stored on the physical magnetic stripe, and protects against the copying of magnetic-stripe data from the chip and the use of that data to create counterfeit magnetic stripe cards. Both the iCVV and CVV values are unrelated to the three-digit security code that is visibly printed on the back of a card, which is used mainly for e-commerce transactions or for card verification over the phone. The appeal of the EMV approach is that even if a skimmer or malware manages to intercept the transaction information when a chip card is dipped, the data is only valid for that one transaction and should not allow thieves to conduct fraudulent payments with it going forward.
However, for EMV's security protections to work, the back-end systems deployed by card-issuing financial institutions are supposed to check that when a chip card is dipped into a chip reader, only the iCVV is presented; and conversely, that only the CVV is presented when the card is swiped. If somehow these do not align for a given transaction type, the financial institution is supposed to decline the transaction. More recently, researchers at Cyber R&D Labs published a paper detailing how they tested 11 chip card implementations from 10 different banks in Europe and the U.S. The researchers found they could harvest data from four of them and create cloned magnetic stripe cards that were successfully used to place transactions. There are now strong indications the same method detailed by Cyber R&D Labs is being used by point-of-sale (POS) malware to capture EMV transaction data that can then be resold and used to fabricate magnetic stripe copies of chip-based cards.
Sounds like you should just wipe the magnetic info (Score:3)
And only use chip and pin machines.
Re: (Score:2)
You must be international. In the US, we use chip-and-camera instead of the pin.
Re: Sounds like you should just wipe the magnetic (Score:2)
Re: (Score:3)
Re: (Score:2)
LOL!
Well, I live in the US and I've never seen that even once. I guess I shop at different stores.
Re:Sounds like you should just wipe the magnetic i (Score:5, Informative)
Yea, those cameras make the consumer feel like the criminal. They even put your mug up on the screen as you checkout so you know you are being watched. If they really want to catch criminals the camera should be on the banks and credit card companies.
Because the general assumption in retail today is everyone is there to steal, and the level of stock "shrinkage" (retail term for theft) supports that assumption. Video recording is part of the response to the problem.
Best to assume there are cameras watching everywhere in retail businesses, including at the till. Most retailers, big and small, (at least in here in Canada) have cameras over each and every till, and each transaction is recorded. Reasoning: reduces employee theft (harder to steal from the till when big brother is watching), reduces after the fact transaction disputes (ie: I got home and found your teller gave me change for a 10. I handed her a 20. This happens way too often) and provides a record to hand to the police in case of robbery or fraud.
Maybe good to know: businesses recover the cost of retail theft by passing it on to their honest customers. It's built into the sticker price. Out of every dollar you spend at a retailer, shrinkage costs run between 3 and 8 cents (some are higher!).
Re:Sounds like you should just wipe the magnetic i (Score:4, Informative)
I think you misread even the summary. They read the necessary data of the chip.
There also exist chip-and-pin skimmers, the operation is slightly different but the design is from the 90s, the protections are trivially easy to crack. Here is an article from 6 years ago: https://krebsonsecurity.com/ta... [krebsonsecurity.com]
Trivial to defeat (Score:2)
They came out in the UK years ago, and were promptly broken. A good starting point for the facts is https://www.lightbluetouchpape... [lightbluetouchpaper.org]
That's Ross Anderson's lab at Cambridge, in case it sounded familiar (;-))
Slow progress (Score:2)
Most chip based cards now no longer have raised numbers, and hide the number on the back side of the card. Most stores now use consumer-operated terminals, so they no longer hand the card to the cashier and the cashier never sees the number.
Getting into chip-only mode requires a few million cards to be replaced, but they're working on it!
Re:Slow progress (Score:5, Insightful)
Re:Slow progress (Score:4, Insightful)
Consumer cuts up card and opens new account at Bank that provides the service they want.
Re: (Score:2)
We have had C&P in Europe for over 10 years, there are no disadvantages.
Re: (Score:2)
On the other hand, there are many people who will not want a card that doesn't also have a mag stripe. They want the card to actually work everywhere.
They might be more anxious to update if not for the years of marketing telling them the old card was perfectly safe.
Re:Slow progress (Score:5, Interesting)
Going all chip-only is not about replacing cards, they could have done that three times over by now. The problem is getting all the retail card readers replaced. Can't lose that stripe until that is done. I bet the banks haved pushed the expense of replacement onto the store owners, so this will take a loooong time.
That's not the problem. I'm an EMV dev, doing both chip and terminal development (with occasional development in switching).
The problem is that with the mag-stripe all fraudulent transactions are paid for by some combination of merchant, issuer and bank. The cardholder is not liable, and the burden is on the issuer to prove that the cardholder is liable.
With chip+pin all liability falls onto the cardholder, regardless of whether the chip was used or not, and whether a pin was entered or not, and the burden is on the cardholder to prove that they didn't do the fraudulent transaction.
So, yeah, merchants have an incentive to move to chip+pin, banks have an incentive to move to chip+pin and issuers have an incentive to move to chip+pin, because it means that the cardholder will be left holding the bag if something goes wrong.
Most of the world (Europe, Australia, Asia, ME and Africa) the consumers are apparently happy with being liable by default. For some reason consumers in the US don't want to allow the merchant+banks+issuers to shift the liability to the consumer.
Re: (Score:2)
With chip+pin all liability falls onto the cardholder, regardless of whether the chip was used or not, and whether a pin was entered or not, and the burden is on the cardholder to prove that they didn't do the fraudulent transaction.
Most of the world (Europe, Australia, Asia, ME and Africa) the consumers are apparently happy with being liable by default. For some reason consumers in the US don't want to allow the merchant+banks+issuers to shift the liability to the consumer.
I'd say that is not correct, chip+pin has not changed the liability. But, being a European we perhaps have more sane laws. Or slightly less scumbag banks.
For a while almost all have changed to chip+pin, but prior it was mag-stripe+pin. This is still available as backup, since nearly all terminals have both. Does not change anything with regards to liability tho.
In any case, most places here now also support RFID tapping. With pin mandatory for purchases over something like $20, in addition to every X pu
Re: (Score:2)
With chip+pin all liability falls onto the cardholder, regardless of whether the chip was used or not, and whether a pin was entered or not, and the burden is on the cardholder to prove that they didn't do the fraudulent transaction.
Most of the world (Europe, Australia, Asia, ME and Africa) the consumers are apparently happy with being liable by default. For some reason consumers in the US don't want to allow the merchant+banks+issuers to shift the liability to the consumer.
I'd say that is not correct, chip+pin has not changed the liability.
*shrug* All I know is what the various EMV rules say. Maybe your local laws trump them. In the countries we are shipping to (mostly western) the local laws don't trump the liability because the liability is accepted with all the other terms of use that customers sign. The EMV certification process is separate from the rules, and different places (most of northern Africa, for example) don't even use EMV chip cards, so it's perfectly possible that liability remains with the merchant/issuer/bank **even while*
Re: (Score:2)
That's definitely not true in Australia. The customer is not liable for any fraudulent credit card transactions provided they make reasonable efforts to secure their card and report lost/stolen cards as soon as they're aware of it. The issuers provide insurance against fraudul
Re: (Score:2)
That used to be the case in Great Britain, but it was eventually overturned. It's not the case in Canada, although I heard rumors it was proposed by the banks that the customer be on the hook if someone impersonated them.
In the US, it might vary from state to state: anyone know?
Re: (Score:2)
Going all chip-only is not about replacing cards, they could have done that three times over by now. The problem is getting all the retail card readers replaced. Can't lose that stripe until that is done. I bet the banks haved pushed the expense of replacement onto the store owners, so this will take a loooong time.
It is true that the mag-stripe is all about backward compatibility. And that it represents a security vulnerability. But here in Europe there was a big push to get retailers to move to chip-only point of sale devices. These days even my local convenience store and coffee shop have chip-only terminals.
Re: Slow progress (Score:2)
Not to mention the support concerns. I have to mag swipe my card twice a week because the chip reader can't read my card.
Either they need to fix this design flaw or they need to start sending out cards every 6 months. Otherwise, better to stick with mag strip support.
Re: (Score:3)
Most chip based cards now no longer have raised numbers, and hide the number on the back side of the card. Most stores now use consumer-operated terminals, so they no longer hand the card to the cashier and the cashier never sees the number.
I assume this is the US? The cashier futzes with the card? How does that work? Apologies if that's a dumb question, I'm used to sticking my card into a reader and entering the PIN, or waving it near the reader for low-value transactions.
Re:Slow progress (Score:5, Informative)
There's some history here. Back in the day, most merchants didn't have online credit card transaction processing. They had a (mechanical) machine with raised guides for lining up the card that they put the card into with a "carbonless carbon" slip on top, and run a rubber pressure roller across to make an imprint of the raised name, card number and expiry date. Then they'd hand the slip to you to sign, tear off the topmost copy, and keep the other copy to file with the bank. (Were there two other copies? Maybe there were - one for the customer, one that the merchant keeps, and one files with the bank. You'd always keep all your receipts and make sure they lined up with your statement at the end of the month, and I guess the merchants did the same.)
So you were used to handing the cashier your credit card for them to fuss around with the machine. The transaction processors started rolling out electronic terminals, which partially automated the process. You still handed your card to the cashier, but they entered the purchase price into the electronic terminal and swiped the card. The terminal would connect to the network, check that the card wasn't cancelled an that the purchase price could be authorised, and then print two copies of the receipt. You signed one copy that the merchant kept, and you kept the second copy. The transaction would be automatically sent to the merchant's bank, with no need to carry around carbonless carbon slips. The terminals started to supported electronic POS system integration, allowing the cashier to skip entering the purchase price manually.
When swipe and PIN systems started to get rolled out (e.g. EFTPOS in Australia and EPS in Hong Kong), the systems needed a customer-facing keypad. In many cases, the cashier would still enter the purchase price and swipe the card for you, but you'd confirm the price and enter your PIN on a customer-facing display and keypad. For some systems, this was the same keypad the cashier used, connected to a flexible keypad so they could hand it to you.
These systems still weren't wireless, so you'd need to walk to the cash register to pay with a PIN. You couldn't usually pay at your table at a restaurant if your card required a PIN. With a credit card, you could still give the waiter your card, let them enter the transaction into the terminal, then they'd bring your card back along with the receipt for you to sign.
When chip and PIN systems arrived, the payment networks started to mandate that the customer should be able to do all the steps involving the card. This meant that a user-facing card reader, display and keypad were required features for all terminals, and the customer needed to be at the terminal to complete a transaction. This drove a shift towards wireless terminals in restaurants, allowing customers to pay at their table with PIN cards. If the terminal isn't integrated with the POS system, the cashier will still enter the price manually before handing the terminal to the customer to insert their card and enter their PIN if required.
The US has been slow to adopt PIN cards. There's resistance from customers who don't want to remember a PIN or don't want to fuss around with the payment terminal - they're happy just handing their card to the cashier. More importantly, there's resistance from merchants because liability for fraudulent transactions is shifted from the banks to the merchants. The shift to having the customer perform all steps involving the card hasn't completed in the US.
Re: (Score:2)
CitiBank? (Score:2)
Ah, the weekly KrebsOnSecurity plug (Score:2)
Yes (Score:2)
Yes.
We can.
Re: (Score:2)
Yet chip and pin is a thousand times more secure than using the same visibly printed string of numbers as both username and password, or a trivially copied magnetic strip. It used to be extremely common where I lived for merchants (almost always gas station employees) to copy credit card details and clone your card, a quick swipe though a handheld copier and they can produce any number of clones.
Re: (Score:1)
It is secure, for the low-end criminal. Even then, they could still copy the relevant numbers to do a card-not-present transaction. The higher end criminals have figured out how to break EMV as well as chip and pin transactions.
The problem with chip-and-pin in Europe and to some extent with EMV in the US is that if you get scammed, you are presumed to have actually done the transaction and you (the consumer) will have to eat the cost instead of the bank, hence why banks WANT you to use EMV, as it shifts the
Re: Is Your Chip Card Secure? (Score:2)
Who cares? As a consumer it's not my problem. It's the bank's.
Chip-and-pin does zilch to protect the American consumer.
Re: (Score:1)
With Chip and Pin it BECOMES the consumer's problem. Consumer groups in Europe have had to resort to hiring private security investigators to prove to the banks their customers weren't chipping in from Brazil.
Ugh, this is why not to read TFS (Score:2)
Well, I read it and the spoiler is that if your card is issued from a small or unknown bank, it has less security than the ones issued by regular banks.
Fix chip readers (Score:2)
I have to constantly swipe the mag strip because chip readers suck and can't read a card after a year or two of usage.
Banks knew... (Score:2)
First principles: Prior knowledge based on use statistics from France on chip card security objectively proved that they were no more secure than magnetic strip. What did change is chips obsolete mag readers providing security through obscurity for a time.
Banks took the numbers and ran with chip cards knowing their faults would cost them or their customers.
The card is not yours - it's the bank's (Score:1)