02.13.10

Attacks against EMV: should we panic?

Posted in Uncategorized at 8:47 am by admin

I have been consulting with Financial Institutions worldwide on the implementation of EMV for 10 years now. My compliments to the team at the University of Cambridge Computer Laboratory for continuing to research potential weaknesses in the payment system. This is how to make a system better: peer review!

The proposed attack scenario is actually not new; I wrote about it 9 years ago. The attack seems to point to a weakness in the implementation choices made. Fortunately, there are very simple countermeasures that are available to protect cardholders and all participants in the payment ecosystem from this type of attack. There are weaknesses in the system, but there are ways of protecting against them. Send me an email at rbastien@millenium3-ecommerce.com for more information.

What really shocked me was the paper presented by Christopher Tarnovsky at Black Hat on February 2nd, 2010. Once again, the attack scenario is not new. I have known of electron microscope probing and defeating overlays for 19 years now. The novelty of the attack seems to be in how to trick the CPU into disclosing information. This warrants intensive peer review.

Bottom line: all systems are vulnerable. It is not viable to design systems that are foolproof. Someone will always find a way in. We need to focus on building a sturdy enough system so that criminals will go to a weaker target. This is what we have with EMV. The weaker target is the magnetic stripe and the USA’s reluctance to strengthen this token.