I have been consulting with Financial Institutions worldwide on the implementation of EMV for 10 years now. My compliments to the team at the University of Cambridge Computer Laboratory for continuing to research potential weaknesses in the payment system. This is how to make a system better: peer review!
The proposed attack scenario is actually not new; I wrote about it 9 years ago. The attack seems to point to a weakness in the implementation choices made. Fortunately, there are very simple counter measures that are available to protect cardholders and all participants in the payment ecosystem from this type of attack. There are weaknesses in the system, but there are ways of protecting against them. Send me an email at rbastien@millenium3-ecommerce.com for more information.
What really shocked me was the paper presented by Christopher Tarnovsky at Black Hat on February 2nd, 2010. Once again, the attack scenario is not new. I have known of electron microscope probing and defeating overlays for 19 years now. The novelty of the attack seems to be in how to trick the CPU into disclosing information. This warrants intensive peer review.
Bottom line: all systems are vulnerable. It is not viable to design systems that are foolproof. Someone will always find a way in. We need to focus on building a sturdy enough system so that criminals will go to a weaker target. This is what we have with EMV. The weaker target is the magnetic stripe and the USA’s reluctance to strengthen this token.
I have been asked repeatedly over the years if the USA would eventually move to the EMV standard. I wish I had a crystal ball to tell when that will happen, but I do not (it would be fun, as a consultant, to offer the crystal ball service to clients, at a premium of course). I have said repeatedly that EMV is likely to happen in the USA, but not soon, probably not the way it has been done up to now, and probably through contactless. And this is exactly what the Smart Card Alliance has concluded as well (see http://www.smartcardalliance.org/articles/2009/09/14/smart-card-alliance-says-end-to-end-encryption-is-not-enough-recommends-chip-and-dynamic-data-to-halt-card-fraud for the press release).
Why would EMV be required in the USA?
Fraud mitigation and risk reduction are the real answer. Many payment executives in the USA believe that there is no real fraud issue currently because fraud, as a percentage of transaction value, is not increasing. The problem is that, in absolute numbers, fraud is increasing. That problem will be compounded over time as fraud migrates from EMV countries to the USA. So American issuers and acquirers are likely to import much more fraud; my guess is within 3 to 5 years.
Risk reduction is another issue that is partly linked to fraud mitigation. Credit card debt in the USA is US$10,000 per household. Americans are quite adept at rolling debt into new accounts, keeping payments at a manageable level. But this is a huge industry issue. A lot of that debt is of sub-prime quality. There is a huge default risk as we have seen in the last year.
The combined effect is likely to be a prudent risk management strategy that, hopefully, will lead to a required technology update. The Smart Card Alliance’s position paper is a step in the right direction.
Dark Reading has an interesting article on the release by the PCI Council of a best practices guide to assist merchants in the prevention of card skimming (see http://www.darkreading.com/security/government/showArticle.jhtml?articleID=219401468&cid=nl_DR_DAILY_H). I really like Chris Paget’s take on the weaknesses of the proposal by PCI, i.e. the proposal does not address malicious intent, and does not address risk during manufacturing of POS devices.
My 2 cents’ worth on this important issue. First, the EMV specifications partly address the risk factors during manufacturing and distribution of POS devices. This is done through device and application certification. The application code should normally be signed and the signature validated at boot-up. This is not perfect though, as it leads to attack scenarios that can easily work around this control. But it is a start!
More importantly, one of the key weaknesses of EMV (and I have been saying so for 10 years now) is that the card and terminal do not mutually authenticate at the beginning of a transaction. This is a fundamental weakness. It would have required secure key storage in POS terminals, something the authors of the original specs did not have the stomach to impose.
In the end, I fear this weakness will come back to haunt the industry. As per Chris Paget’s suggestion, a Trusted Platform Module would help (see http://www.trustedcomputinggroup.org/); a lot of solid work has been done in this group and is readily usable in POS devices.
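To make the point about mutual authentication concrete, here is an added illustration (not code from the post or from any EMV specification) of what the missing step looks like: a challenge-response exchange in which the terminal must prove possession of a key before the card will proceed, and the card must prove itself to the terminal. The keys, nonce sizes and tag truncation are constructed for the demo; the protocol shape is a generic HMAC-based mutual challenge-response, not EMV's actual offline data authentication. The terminal's key is exactly the secret that would need tamper-resistant storage, which is why the example is relevant to the TPM suggestion above.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional

# Constructed demonstration keys, not real EMV key material. In a fielded
# system the card's copy lives in the chip and the terminal's copy would
# have to live in tamper-resistant storage (the TPM-style hardware the
# post mentions); a terminal with no such storage has nothing to prove.
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
TERMINAL_KEY = CARD_KEY                     # honest terminal, provisioned with the key
ROGUE_TERMINAL_KEY = bytes(16)              # attacker-built device: no valid key
COUNTERFEIT_CARD_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def _tag(key: bytes, role: bytes, *nonces: bytes) -> bytes:
    """8-byte HMAC-SHA256 tag over a role label and the exchanged nonces.

    The role label makes the terminal's proof and the card's proof distinct
    values, so one side's answer cannot be reflected back as the other's.
    """
    h = hmac.new(key, role, hashlib.sha256)
    for n in nonces:
        h.update(n)
    return h.digest()[:8]


class Card:
    def __init__(self, key: bytes):
        self._key = key
        self._nonce = b""

    def challenge(self) -> bytes:
        """Step 1: card issues a fresh, unpredictable nonce."""
        self._nonce = secrets.token_bytes(8)
        return self._nonce

    def respond(self, terminal_nonce: bytes, terminal_proof: bytes) -> Optional[bytes]:
        """Step 3: card verifies the terminal BEFORE it does anything else.

        Returns the card's own proof, or None if the terminal failed.
        """
        expected = _tag(self._key, b"TERMINAL", terminal_nonce, self._nonce)
        if not hmac.compare_digest(expected, terminal_proof):
            return None
        return _tag(self._key, b"CARD", self._nonce, terminal_nonce)


class CounterfeitCard(Card):
    """A cloned/counterfeit card skips its own check and just answers."""

    def respond(self, terminal_nonce: bytes, terminal_proof: bytes) -> Optional[bytes]:
        return _tag(self._key, b"CARD", self._nonce, terminal_nonce)


class Terminal:
    def __init__(self, key: bytes):
        self._key = key

    def start_transaction(self, card: Card) -> str:
        card_nonce = card.challenge()
        terminal_nonce = secrets.token_bytes(8)
        # Step 2: terminal proves key possession over both nonces.
        proof = _tag(self._key, b"TERMINAL", terminal_nonce, card_nonce)
        card_proof = card.respond(terminal_nonce, proof)
        if card_proof is None:
            return "terminal rejected by card"
        # Step 4: terminal verifies the card's proof over the same nonces.
        expected = _tag(self._key, b"CARD", card_nonce, terminal_nonce)
        if not hmac.compare_digest(expected, card_proof):
            return "card rejected by terminal"
        return "mutually authenticated"


def demo() -> Dict[str, str]:
    """Run the three cases a practitioner would want to see side by side."""
    return {
        "honest pair": Terminal(TERMINAL_KEY).start_transaction(Card(CARD_KEY)),
        "rogue terminal": Terminal(ROGUE_TERMINAL_KEY).start_transaction(Card(CARD_KEY)),
        "counterfeit card": Terminal(TERMINAL_KEY).start_transaction(CounterfeitCard(COUNTERFEIT_CARD_KEY)),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16s} -> {outcome}")
```

The design choice worth noting is the order: the card checks the terminal first, so a device that cannot produce a valid terminal proof is refused before the card proceeds to anything a transaction would involve. That refusal is only possible if the honest terminal actually holds a key, which is the storage requirement the original specification authors declined to impose.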
Bottom line: we cannot go back to bartering! We have to continue using plastic (physical or virtual) to pay for goods and services. It is quick, convenient, economical for all parties involved. But we need to keep the bad guys out or users will lose confidence in the system.
Fact: Heartland had successfully passed the PCI audit requirements, yet was hacked. If only it were the only case… but it was not.
Do not get me wrong. The PCI standards are definitely a step in the right direction. The industry, and by that I mean card issuers, transaction acquirers and merchants, needs to smarten up. Card payment is a necessity in this day and age. It is convenient for all parties involved in a payment transaction. Do you think we could revert to bartering (how many goats again for this flat screen TV?)? How about walking around with $2,000 cash in $20 bills to pay for this TV? Or should we go back to cheques (who would assume the risk, what are the costs)? The industry needs to embrace the necessity to protect cardholder data, otherwise cardholders will lose faith in the system. Or worse, politicians will regulate the system. Bruce Schneier has been saying for years that the best way of getting rid of poor security is to sue the culprits for software liability; see http://www.schneier.com/blog/archives/2007/08/house_of_lords_1.html for an example. Why not extend this reasoning to the payment industry?
But PCI is only a part of the solution. And Heartland is a prime example of this point. All stakeholders in the payment system must take a holistic approach to the protection of sensitive data. PCI compliance needs to be a part of the security posture of all stakeholders, not just going through an audit and having all of the check marks in the proper columns. The security posture itself must be designed from the start to protect data. Stakeholders are entrusted with information they do not, or should not, own. Stakeholders, as part of their fiduciary obligations, should do the utmost to protect this information.
There are solutions out there that take a holistic approach to the protection of data. Contact me if you need information; I will try and help as much as I can.
CTST 2009 Presentation
It never ceases to amaze me that people in the payment industry seem to have a limited understanding of how a retail checkout works in the real world. Payment is only a part of the global transaction, and payment is certainly not streamlined to be easily integrated into a checkout process. I gave a presentation at CTST 2009 on the business case for EMV, from the perspective of the issuer, the acquirer and the retailer. Comments are more than welcome!!!
Here is a copy of the presentation I gave on June 25th at Cardware 2007 in Toronto (in the pages, right-hand side). I had a great time preparing it and it was well received by the retailers present at the conference.
Do not hesitate to post comments if you have anything to add!
I am just back from Cardware Ottawa, the symposium held today by Act Canada. This year’s event focused on Identity Management and Credentialing. It was an interesting day all in all, with good speakers and interesting topics.
It was interesting to note that some of the discussions centered on a National ID Card. I am adding the text of an article that was prepared for Card Technology in November 2003 on that topic. It is interesting to see that the content of the article is still current, i.e. that the Members of Parliament who reviewed the proposal were quite perceptive. The issues they raised still need to be addressed by the industry and by civil society.
The attendees heard a good presentation on the advantages of Global Platform to attain inter-operability and vendor independence, by Kevin Gillick. Peter Macauley presented the challenges faced by the Government of Ontario’s pilot of credentials for physical and logical access control. There was an interesting panel on the Western Hemisphere Travel Initiative by Catherine Johnston, Clive Addy and James Sheire. Deborah Gallagher made a very clear presentation on the US Department of Defense’s Common Access card, and its extension to the rest of the US Government via PIV.
My main take-home point was that there seems to be a lot of interest from various departments on the use of card technologies, but that there seems to be a vacuum as to how to organize such large-scale projects.
There was also an interesting discussion on a topic raised by the audience, i.e. how one could use FIPS 201 to facilitate common access for the 2010 Winter Olympics in Vancouver. This is a great showcase and a great idea. Maybe the Feds could negotiate with the Organizing Committee and do it in exchange for a sponsorship… Just a thought.
I have the privilege of speaking at Cardware 2007, one of the symposiums organized by ACT Canada (more information at http://www.actcda.com/calendar/symposium.htm). The purpose of my presentation is to illustrate what retailers need to know in preparation for the EMV migration.
You are all invited to attend as the program promises to be interesting. I will post my Powerpoint presentation as soon as the symposium is over.
I think it is worthwhile to have a space where people from around the world can share their views on these issues. My role will be to moderate the exchanges, of course, while provoking discussions by posting topics as frequently as possible.
I mean this blog to be as open as feasible, just as long as people are respectful of each other’s opinions… I will also use the space to talk about topics that are dear to me.