<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Card Technologies and Identity</title>
	<atom:link href="http://millenium3-ecommerce.com/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://millenium3-ecommerce.com</link>
	<description>René Bastien's take on the card industry and life in general.  All material © 2009 by René Bastien</description>
	<lastBuildDate>Sat, 13 Feb 2010 12:47:44 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Attacks against EMV:  should we panic?</title>
		<link>http://millenium3-ecommerce.com/?p=62</link>
		<comments>http://millenium3-ecommerce.com/?p=62#comments</comments>
		<pubDate>Sat, 13 Feb 2010 12:47:44 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://millenium3-ecommerce.com/?p=62</guid>
		<description><![CDATA[I have been consulting with Financial Institutions worldwide on the implementation of EMV for 10 years now.  My compliments to the team at the University of Cambridge Computer Laboratory for continuing to research potential weaknesses in the payment system.  This is how to make a system better:  peer review!
The proposed attack scenario [...]]]></description>
			<content:encoded><![CDATA[<p>I have been consulting with Financial Institutions worldwide on the implementation of EMV for 10 years now.  My compliments to the team at the University of Cambridge Computer Laboratory for continuing to research potential weaknesses in the payment system.  This is how to make a system better:  peer review!</p>
<p>The proposed attack scenario is actually not new; I wrote about it 9 years ago.  The attack seems to point to a weakness in the implementation choices made.  Fortunately, there are very simple countermeasures available to protect cardholders and all participants in the payment ecosystem from this type of attack.   There are weaknesses in the system, but there are ways of protecting against them.  Send me an email at rbastien@millenium3-ecommerce.com for more information.</p>
<p>What really shocked me was the paper presented by Christopher Tarnovsky at Black Hat on February 2nd, 2010.  Once again, the attack scenario is not new.  I have known of electron microscope probing and defeating overlays for 19 years now.  The novelty of the attack seems to be in how to trick the CPU into disclosing information.  This warrants intensive peer review.</p>
<p>Bottom line:  all systems are vulnerable.  It is not viable to design systems that are foolproof.  Someone will always find a way in.  We need to focus on building a sturdy enough system so that criminals will go to a weaker target.  This is what we have with EMV.  The weaker target is the magnetic stripe and the USA&#8217;s reluctance to strengthen this token.</p>
]]></content:encoded>
			<wfw:commentRss>http://millenium3-ecommerce.com/?feed=rss2&amp;p=62</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>EMV in the USA?</title>
		<link>http://millenium3-ecommerce.com/?p=55</link>
		<comments>http://millenium3-ecommerce.com/?p=55#comments</comments>
		<pubDate>Wed, 23 Sep 2009 20:26:06 +0000</pubDate>
		<dc:creator>Bastien</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://millenium3-ecommerce.com/?p=55</guid>
		<description><![CDATA[I have been asked repeatedly over the years if the USA would eventually move to the EMV standard.   I wish I had a crystal ball when that happens, but I do not (it would be fun, as a consultant, to offer the crystal ball service to clients, at a premium of course  .   I [...]]]></description>
			<content:encoded><![CDATA[<p>I have been asked repeatedly over the years if the USA would eventually move to the EMV standard.   I wish I had a crystal ball when that happens, but I do not (it would be fun, as a consultant, to offer the crystal ball service to clients, at a premium of course <img src='http://millenium3-ecommerce.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> .   I have said repeatedly that EMV is likely to happen in the USA, but not soon, probably not the way it has been done up to now, and probably through contactless.  And this is exactly what the Smart Card Alliance has concluded as well (see <a href="http://www.smartcardalliance.org/articles/2009/09/14/smart-card-alliance-says-end-to-end-encryption-is-not-enough-recommends-chip-and-dynamic-data-to-halt-card-fraud">http://www.smartcardalliance.org/articles/2009/09/14/smart-card-alliance-says-end-to-end-encryption-is-not-enough-recommends-chip-and-dynamic-data-to-halt-card-fraud</a> for the press release).</p>
<p><strong>Why would EMV be required in the USA?</strong></p>
<p>Fraud mitigation and risk reduction are the real answer.  Many payment executives in the USA believe that there is no real fraud issue currently because fraud, as a % of transaction value, is not increasing.   The problem is that, in absolute numbers, fraud is increasing.  That problem will be compounded in time with fraud migrating from EMV countries to the USA.  So American issuers and acquirers are likely to import much more fraud, my guess is within 3 to 5 years.</p>
<p>Risk reduction is another issue that is partly linked to fraud mitigation.  Credit card debt in the USA is US$10,000 per household.  Americans are quite adept at rolling debt into new accounts, keeping payments at a manageable level.  But this is a huge industry issue.  A lot of that debt is of sub-prime quality.  There is a huge default risk as we have seen in the last year.</p>
<p>The combined effect is likely to be a prudent risk management strategy that, hopefully, will lead to a required technology update.  The Smart Card Alliance&#8217;s position paper is a step in the right direction.</p>
]]></content:encoded>
			<wfw:commentRss>http://millenium3-ecommerce.com/?feed=rss2&amp;p=55</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PCI and Card Skimming</title>
		<link>http://millenium3-ecommerce.com/?p=57</link>
		<comments>http://millenium3-ecommerce.com/?p=57#comments</comments>
		<pubDate>Wed, 26 Aug 2009 14:29:30 +0000</pubDate>
		<dc:creator>Rene Bastien</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://millenium3-ecommerce.com/?p=57</guid>
		<description><![CDATA[Dark Reading has an interesting article on the release by the PCI Council of a best practices guide to assist merchants in the prevention of card skimming (see http://www.darkreading.com/security/government/showArticle.jhtml?articleID=219401468&#38;cid=nl_DR_DAILY_H).  I really like Chris Paget&#8217;s take on the weaknesses of the proposal by PCI, i.e. the proposal does not address malicious intent, and does not address [...]]]></description>
			<content:encoded><![CDATA[<p>Dark Reading has an interesting article on the release by the PCI Council of a best practices guide to assist merchants in the prevention of card skimming (see http://www.darkreading.com/security/government/showArticle.jhtml?articleID=219401468&amp;cid=nl_DR_DAILY_H).  I really like Chris Paget&#8217;s take on the weaknesses of the proposal by PCI, i.e. the proposal does not address malicious intent, and does not address risk during manufacturing of POS devices.</p>
<p>My 2 cents&#8217; worth on this important issue.  First, the EMV specifications partly address the risk factors during manufacturing and distribution of POS devices.  This is done through device and application certification.  The application code should normally be signed and the signature validated at boot-up.  This is not perfect though, as it leads to attack scenarios that can easily work around this control.  But it is a start!</p>
<p>More importantly, one of the key weaknesses of EMV (and I have been saying so for 10 years now) is that the card and terminal do not mutually authenticate at the beginning of a transaction.  This is a fundamental weakness.  It would have required secure key storage in POS terminals, something the authors of the original specs did not have the stomach to impose.</p>
<p>In the end, I fear this weakness will come back and haunt the industry.  As per Chris Paget&#8217;s suggestion, a Trusted Platform Module would help (see http://www.trustedcomputinggroup.org/); a lot of solid work has been done in this group and is readily usable in POS devices.</p>
<p>Bottom line:  we cannot go back to bartering!  We have to continue using plastic (physical or virtual) to pay for goods and services.  It is quick, convenient, economical for all parties involved.  But we need to keep the bad guys out or users will lose confidence in the system.</p>
<p>René</p>
]]></content:encoded>
			<wfw:commentRss>http://millenium3-ecommerce.com/?feed=rss2&amp;p=57</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PCI does not mean good security!</title>
		<link>http://millenium3-ecommerce.com/?p=56</link>
		<comments>http://millenium3-ecommerce.com/?p=56#comments</comments>
		<pubDate>Fri, 10 Jul 2009 13:54:59 +0000</pubDate>
		<dc:creator>Bastien</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://millenium3-ecommerce.com/?p=56</guid>
		<description><![CDATA[Fact:  Heartland had successfully passed the PCI audit requirements, yet was hacked.  And if it was the only case&#8230; but it was not.
Do not get me wrong.  The PCI standards are definitely a step in the right direction.  The industry, and by that I mean card issuers, transaction acquirers, merchants need to smarten up.  Card [...]]]></description>
			<content:encoded><![CDATA[<p>Fact:  Heartland had successfully passed the PCI audit requirements, yet was hacked.  And if it was the only case&#8230; but it was not.</p>
<p>Do not get me wrong.  The PCI standards are definitely a step in the right direction.  The industry, and by that I mean card issuers, transaction acquirers and merchants, needs to smarten up.  Card payment is a necessity in this day and age.  It is convenient for all parties involved in a payment transaction.  Do you think we could revert to bartering (how many goats again for this flat screen TV?)?  How about walking around with $2,000 cash in $20 bills to pay for this TV?  Or should we go back to cheques (who would assume the risk, what are the costs)?  The industry needs to embrace the necessity to protect cardholder data, otherwise cardholders will lose faith in the system.  Or worse, politicians will regulate the system.  Bruce Schneier has been saying for years that the best way of getting rid of poor security is to sue the culprits for software liability; see http://www.schneier.com/blog/archives/2007/08/house_of_lords_1.html for an example.  Why not extend this reasoning to the payment industry?</p>
<p>But PCI is only a part of the solution.  And Heartland is a prime example of this point.  All stakeholders in the payment system must take a holistic approach to the protection of sensitive data.  PCI compliance needs to be a part of the security posture of all stakeholders, not just going through an audit and having all of the check marks in the proper columns.  The security posture itself must be designed from the start to protect data.  Stakeholders are entrusted with information they do not, or should not, own.  Stakeholders, as part of their fiduciary obligations, should do the utmost to protect this information.</p>
<p>There are solutions out there that take a holistic approach to the protection of data.  Contact me if you need information; I will try and help as much as I can.</p>
<p>René</p>
]]></content:encoded>
			<wfw:commentRss>http://millenium3-ecommerce.com/?feed=rss2&amp;p=56</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Photography</title>
		<link>http://millenium3-ecommerce.com/?p=54</link>
		<comments>http://millenium3-ecommerce.com/?p=54#comments</comments>
		<pubDate>Mon, 06 Jul 2009 14:10:12 +0000</pubDate>
		<dc:creator>Bastien</dc:creator>
				<category><![CDATA[General Stuff]]></category>

		<guid isPermaLink="false">http://millenium3-ecommerce.com/?p=54</guid>
		<description><![CDATA[I have been taking pictures for a long time.  And I love it!  It is part hobby, part building lasting memories, and part sharing the beauty of this world with friends and colleagues.  The &#8216;My pictures&#8217; hyperlink on the right will take you to an external site where I post some of the pictures I [...]]]></description>
			<content:encoded><![CDATA[<p>I have been taking pictures for a long time.  And I love it!  It is part hobby, part building lasting memories, and part sharing the beauty of this world with friends and colleagues.  The &#8216;My pictures&#8217; hyperlink on the right will take you to an external site where I post some of the pictures I like.  Most of the pictures are unedited (I will crop sometimes, but I rarely do more).  Comments are welcome!</p>
<p>René</p>
]]></content:encoded>
			<wfw:commentRss>http://millenium3-ecommerce.com/?feed=rss2&amp;p=54</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Retailers and EMV &#8211; What you Need to Know</title>
		<link>http://millenium3-ecommerce.com/?p=49</link>
		<comments>http://millenium3-ecommerce.com/?p=49#comments</comments>
		<pubDate>Fri, 03 Jul 2009 16:53:33 +0000</pubDate>
		<dc:creator>Bastien</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://millenium3-ecommerce.com/?p=49</guid>
		<description><![CDATA[CTST 2009 Presentation. It never ceases to amaze me that people in the payment industry seem to have a limited understanding of how a retail checkout works in the real world.  Payment is only a part of the global transaction, and payment is certainly not streamlined to be easily integrated into a checkout process.  I gave [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://millenium3-ecommerce.com/wp-content/uploads/2009/07/ctst2009.pdf" title="CTST 2009 Presentation">CTST 2009 Presentation</a></p>
<p>It never ceases to amaze me that people in the payment industry seem to have a limited understanding of how a retail checkout works in the real world.  Payment is only a part of the global transaction, and payment is certainly not streamlined to be easily integrated into a checkout process.  I gave a presentation at CTST 2009 on the business case for EMV, in the perspective of the issuer, the acquirer and the retailer.  Comments are more than welcome!!!</p>
<p>René</p>
]]></content:encoded>
			<wfw:commentRss>http://millenium3-ecommerce.com/?feed=rss2&amp;p=49</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Retailers Need to Know about EMV</title>
		<link>http://millenium3-ecommerce.com/?p=22</link>
		<comments>http://millenium3-ecommerce.com/?p=22#comments</comments>
		<pubDate>Tue, 26 Jun 2007 13:51:02 +0000</pubDate>
		<dc:creator>Rene Bastien</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://millenium3-ecommerce.com/?p=22</guid>
		<description><![CDATA[Here is a copy of the presentation I gave on June 25th at Cardware 2007 in Toronto (in the pages, right-hand side).  I had a great time preparing it and it was well received by the retailers present at the conference.
Do not hesitate to post comments [...]]]></description>
			<content:encoded><![CDATA[<p>Here is a copy of the presentation I gave on June 25th at Cardware 2007 in Toronto (in the pages, right-hand side).  I had a great time preparing it and it was well received by the retailers present at the conference.</p>
<p>Do not hesitate to post comments if you have anything to add!</p>
<p>Best regards,</p>
<p>René</p>
]]></content:encoded>
			<wfw:commentRss>http://millenium3-ecommerce.com/?feed=rss2&amp;p=22</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cardware Ottawa 2007</title>
		<link>http://millenium3-ecommerce.com/?p=17</link>
		<comments>http://millenium3-ecommerce.com/?p=17#comments</comments>
		<pubDate>Fri, 22 Jun 2007 00:45:25 +0000</pubDate>
		<dc:creator>Bastien</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://millenium3-ecommerce.com/?p=17</guid>
		<description><![CDATA[I am just back from Cardware Ottawa, the symposium held today by Act Canada.  This year&#8217;s event focused on Identity Management and Credentialing.  It was an interesting day all in all, with good speakers and interesting topics.
It was interesting to note that some of the discussions centered on a National ID Card. [...]]]></description>
			<content:encoded><![CDATA[<p>I am just back from Cardware Ottawa, the symposium held today by Act Canada.  This year&#8217;s event focused on Identity Management and Credentialing.  It was an interesting day all in all, with good speakers and interesting topics.</p>
<p>It was interesting to note that some of the discussions centered on a National ID Card.  I am adding the text of an article that was prepared for Card Technology in November 2003 on that topic.  It is interesting to see that the content of the article is still relevant, i.e. that the Members of Parliament who reviewed the proposal were quite perceptive.  The issues they raised still need to be addressed by the industry and by civil society.</p>
<p>The attendees heard a good presentation on the advantages of Global Platform to attain inter-operability and vendor independence, by Kevin Gillick.  Peter Macauley presented the challenges faced by the Government of Ontario&#8217;s pilot of credentials for physical and logical access control.  There was an interesting panel on the Western Hemisphere Travel Initiative by Catherine Johnston, Clive Addy and James Sheire.  Deborah Gallagher made a very clear presentation on the US Department of Defense&#8217;s Common Access card, and its extension to the rest of the US Government via PIV.</p>
<p>My main take-home point was that there seems to be a lot of interest from various departments on the use of card technologies, but that there seems to be a vacuum as to how to organize such large-scale projects.</p>
<p>Interesting discussion also on a topic from the audience, i.e. how one could use FIPS 201 to facilitate common access for the 2010 Winter Olympics in Vancouver.  This is a great showcase and a great idea.  Maybe the Feds could negotiate with the Organizing Committee and do it in exchange for a sponsorship&#8230;  Just a thought.</p>
<p>Have a nice day, all!</p>
]]></content:encoded>
			<wfw:commentRss>http://millenium3-ecommerce.com/?feed=rss2&amp;p=17</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cardware Toronto 2007</title>
		<link>http://millenium3-ecommerce.com/?p=16</link>
		<comments>http://millenium3-ecommerce.com/?p=16#comments</comments>
		<pubDate>Thu, 14 Jun 2007 23:07:59 +0000</pubDate>
		<dc:creator>Bastien</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://millenium3-ecommerce.com/?p=16</guid>
		<description><![CDATA[I have the privilege of speaking at Cardware 2007, one of the symposiums organized by ACT Canada (more information at http://www.actcda.com/calendar/symposium.htm).  The purpose of my presentation is to illustrate what retailers need to know in preparation of the EMV migration.
You are all invited to attend as the program promises to be interesting.  I [...]]]></description>
			<content:encoded><![CDATA[<p>I have the privilege of speaking at Cardware 2007, one of the symposiums organized by ACT Canada (more information at <a href="http://www.actcda.com/calendar/symposium.htm" target="_blank">http://www.actcda.com/calendar/symposium.htm</a>).  The purpose of my presentation is to illustrate what retailers need to know in preparation of the EMV migration.</p>
<p>You are all invited to attend as the program promises to be interesting.  I will post my PowerPoint presentation as soon as the symposium is over.</p>
<p>See you all in Toronto on June 25th.</p>
<p>René</p>
]]></content:encoded>
			<wfw:commentRss>http://millenium3-ecommerce.com/?feed=rss2&amp;p=16</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>EMV Trial to begin in Canada</title>
		<link>http://millenium3-ecommerce.com/?p=15</link>
		<comments>http://millenium3-ecommerce.com/?p=15#comments</comments>
		<pubDate>Thu, 31 May 2007 19:26:33 +0000</pubDate>
		<dc:creator>Bastien</dc:creator>
				<category><![CDATA[Card Technologies]]></category>

		<guid isPermaLink="false">http://millenium3-ecommerce.com/?p=15</guid>
		<description><![CDATA[This is now out in the public domain.  A Canadian pilot will start in 2007, peaking in March 2008.  See the article on Card Technology, at http://www.cardtechnology.com/article.html?id=20070529PCKY4NLS.
It will be interesting to see how the technology is accepted by cardholders and merchants, and if there are any technology issues.  More to follow as [...]]]></description>
			<content:encoded><![CDATA[<p>This is now out in the public domain.  A Canadian pilot will start in 2007, peaking in March 2008.  See the article on Card Technology, at http://www.cardtechnology.com/article.html?id=20070529PCKY4NLS.</p>
<p>It will be interesting to see how the technology is accepted by cardholders and merchants, and if there are any technology issues.  More to follow as soon as information becomes public!</p>
<p>René</p>
]]></content:encoded>
			<wfw:commentRss>http://millenium3-ecommerce.com/?feed=rss2&amp;p=15</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>