TRANSCRIPT
The EMV protocol suite
• Named for Europay-MasterCard-Visa, with UK branding 'chip and PIN'
• Developed late 1990s; deployed in UK 2003–6
• Europe, Canada followed; USA from 2015
• Banks' big idea: if PIN used, blame the customer, else blame the merchant.
• What could possibly go wrong?
nCipher 2020
Card fraud history
[Chart: losses (£m) by year, 2004–2018, broken down into card-not-present, counterfeit, lost and stolen, ID theft and mail non-receipt, with mobile banking, phone banking and online banking fraud shown alongside; the chip & PIN deployment period is marked on the timeline.]
Total (£m) as labelled on the chart, one value per year:
Year | Total (£m)
2004 | 504.7
2005 | 439.5
2006 | 467.6
2007 | 580.7
2008 | 676.8
2009 | 479
2010 | 481.2
2011 | 452.7
2012 | 499.8
2013 | 553.4
2014 | 597.5
2015 | 755.6
2016 | 768.8
2017 | 731.4
2018 | 844.9
EMV shifted the landscape…
• Like bulldozing a floodplain, it caused the fraud to find new channels
• Card-not-present fraud shot up rapidly
• Counterfeit took a couple of years, then took off once the crooks realised:
– It's easier to steal card and PIN details once PINs are used everywhere
– You can still use mag-strip fallback overseas
Attack the crypto?
• EMV broke all the cryptographic hardware security modules in the world!
• A transaction specified by VISA to send an encrypted key to a smartcard leaked keys instead
• See 'Robbing the bank with a theorem prover', Paul Youn, Ben Adida, Mike Bond, Jolyon Clulow, Jonathan Herzog, Amerson Lin, Ronald L Rivest, Ross Anderson, SPW 2007
• Joli is now Barclays' CISO…
Attack the optimisations
• Cheap cards are SDA (no public key crypto, static cert)
• A 'yes card' can do fraud offline
• Done in France, phased out from 2011
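The slide above says why a cloned 'yes card' works offline against an SDA card and not against a DDA one; the following is an added toy model of that difference, not code from the talk or from any EMV implementation. It assumes a toy RSA with tiny primes, a signed PAN standing in for EMV's signed static application data, and a made-up record layout; the real certificate chain, padding and APDU encodings are not reproduced.

```python
"""Toy model of why a cloned 'yes card' defeats static data authentication (SDA)
offline, and why dynamic data authentication (DDA) stops it. Toy RSA with tiny
primes; EMV's real certificate formats and padding are not reproduced."""
import hashlib
import secrets


def rsa_keypair(p, q, e=65537):          # toy RSA; pow(e, -1, phi) needs Python 3.8+
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def rsa_sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % n, d, n)


def rsa_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n


ISSUER_PUB, ISSUER_PRIV = rsa_keypair(104729, 1299709)      # constructed issuer keys
ICC_PUB, ICC_PRIV = rsa_keypair(15485863, 32452843)          # one card's own key pair


class SdaCard:
    """Cheap card: issuer-signed static data (SSAD), offline PIN check, no private key."""

    def __init__(self, pan, pin):
        self.pan, self.pin = pan, pin
        self.ssad = rsa_sign(ISSUER_PRIV, pan.encode())

    def read_record(self):                      # freely readable by any terminal
        return {"pan": self.pan, "ssad": self.ssad}

    def verify_pin(self, pin):
        return pin == self.pin

    def internal_authenticate(self, challenge):
        return None                             # nothing to sign with


class YesCard:
    """Clone: replays copied static data and answers 'yes' to any PIN."""

    def __init__(self, copied_record):
        self.copied = copied_record

    def read_record(self):
        return self.copied

    def verify_pin(self, pin):
        return True

    def internal_authenticate(self, challenge):
        return None                             # the private key was never readable


class DdaCard(SdaCard):
    """Card with its own key pair; the ICC public key is certified by the issuer."""

    def __init__(self, pan, pin):
        super().__init__(pan, pin)
        self.icc_cert = rsa_sign(ISSUER_PRIV, f"{pan}:{ICC_PUB[0]}".encode())

    def read_record(self):
        return {**super().read_record(), "icc_pub": ICC_PUB, "icc_cert": self.icc_cert}

    def internal_authenticate(self, challenge):
        return rsa_sign(ICC_PRIV, challenge)


def offline_terminal(card, entered_pin, require_dda):
    """Offline authorisation as a terminal below its floor limit would do it."""
    rec = card.read_record()
    if not rsa_verify(ISSUER_PUB, rec["pan"].encode(), rec["ssad"]):
        return "declined: bad static signature"
    if require_dda:
        if "icc_pub" not in rec:
            return "declined: no certified ICC key"
        cert_data = f"{rec['pan']}:{rec['icc_pub'][0]}".encode()
        if not rsa_verify(ISSUER_PUB, cert_data, rec["icc_cert"]):
            return "declined: no certified ICC key"
        challenge = secrets.token_bytes(8)       # fresh per transaction, so no replay
        sig = card.internal_authenticate(challenge)
        if sig is None or not rsa_verify(rec["icc_pub"], challenge, sig):
            return "declined: dynamic signature failed"
    if not card.verify_pin(entered_pin):
        return "declined: wrong PIN"
    return "approved offline"


if __name__ == "__main__":
    clone = YesCard(SdaCard("4111111111111111", "1234").read_record())
    print("SDA terminal, any PIN:", offline_terminal(clone, "0000", require_dda=False))
    print("DDA terminal, any PIN:", offline_terminal(clone, "0000", require_dda=True))
```

The static signature is copied along with the rest of the record, so an SDA-only terminal cannot tell the clone from the original; the DDA terminal's fresh challenge is what the clone cannot answer.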
What about a false terminal?
• Replace a terminal's insides with your own electronics
• Capture cards and PINs from victims
• Use them to do a man-in-the-middle attack in real time on a remote terminal in a merchant selling expensive goods
The relay attack (2007)
[Figure: four parties, Alice, Bob, Carol and Dave; a $20 transaction at one terminal is relayed as a $2000 transaction at another, with the PIN passed through. The attackers can be on opposite sides of the world.]
Attacks in the real world
• The relay attack is almost unstoppable, and we showed it on TV in February 2007
• But it seems never to have happened!
• For years, mag-strip fallback fraud was easy
• PEDs tampered at Shell garages by 'service engineers' (PED supplier Trintech went bust)
• Then 'Tamil Tigers'
• After fraud at BP Girton: we investigate
TV demo: Feb 26 2008
• PEDs 'evaluated under the Common Criteria' were trivial to tap
• Acquirers, issuers have different incentives
• GCHQ wouldn't defend the CC brand
• APACS said (Feb 08) it wasn't a problem…
• Khan case (July 2008)
The 'No-PIN' attack
• How could crooks use a stolen card without knowing the PIN?
• We found: insert a device between card & terminal
• Card thinks: signature; terminal thinks: PIN
• TV: Feb 11 2010
A normal EMV transaction
[Figure: message flow between customer, card, merchant terminal and issuer]
1. Card → terminal: card details; digital signature
2. Customer → terminal: PIN entered by customer
3. Terminal → card: PIN entered by customer; transaction description
4. Card → terminal: PIN OK (yes/no); authorization cryptogram
5. Merchant ↔ issuer: online transaction authorization (optional); transaction and cryptogram sent, result returned
A 'No-PIN' transaction
[Figure: the same flow with the attacker's device inserted between card and terminal; diagram not reproduced in the transcript]
Blocking the 'No-PIN' attack
• In theory: might block at terminal, acquirer, issuer
• In practice: may have to be the issuer (as with terminal tampering, acquirer incentives are poor)
• Barclays blocked it July 2010 until Dec 2010
• Real problem: EMV spec vastly too complex
• With 100+ vendors, 20,000 banks, millions of merchants… a tragedy of the commons!
• Later bank reaction: wrote to university PR department asking for Omar Choudary's thesis to be taken down from the website
• By 2015 HSBC blocked it; 2017, other UK banks too
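The three slides above (the normal transaction, the No-PIN transaction and blocking it) describe a flow that is easier to see in code. The following is an added model written for this page, not code from the talk or from any EMV implementation: it assumes an HMAC in place of the card's session-key MAC, string labels in place of the real CVM Results and CVR bit fields, and a made-up status-word handling, but it keeps the mechanism the slides describe: the interposer answers VERIFY itself, so the terminal records "PIN verified" while the card's own cryptogram says no PIN was checked, and only an issuer that reconciles the two notices.

```python
"""Simplified model of EMV cardholder verification, the 'No-PIN' man-in-the-middle
and the issuer-side cross-check that blocks it (illustration, not real EMV encoding)."""
import hashlib
import hmac

ISSUER_KEY = b"constructed-card-issuer-key"  # constructed; real cards derive per-transaction session keys

SW_OK = 0x9000          # VERIFY succeeded
SW_WRONG_PIN = 0x63C2   # PIN wrong, retries remaining (simplified)


class Card:
    """Genuine card: holds the PIN and remembers whether it ever verified one."""

    def __init__(self, pin):
        self.pin, self.pin_verified, self.atc = pin, False, 0

    def verify(self, pin):                      # VERIFY (offline PIN) command
        self.pin_verified = pin == self.pin
        return SW_OK if self.pin_verified else SW_WRONG_PIN

    def generate_ac(self, amount, un):          # GENERATE AC -> ARQC
        self.atc += 1
        # The card's own view of cardholder verification travels in the
        # issuer application data (CVR) and is covered by the cryptogram.
        cvr = "PIN verified" if self.pin_verified else "no PIN verified (signature)"
        mac = hmac.new(ISSUER_KEY, f"{self.atc}|{amount}|{un}|{cvr}".encode(), hashlib.sha256)
        return {"atc": self.atc, "cvr": cvr, "arqc": mac.hexdigest()[:16]}


class NoPinDevice:
    """Attacker's interposer between a stolen card and the terminal."""

    def __init__(self, card):
        self.card = card

    def verify(self, pin):
        return SW_OK                              # swallow VERIFY; the card never sees a PIN

    def generate_ac(self, amount, un):
        return self.card.generate_ac(amount, un)  # everything else is passed through


def terminal(card, entered_pin, amount, un=0x1234ABCD):
    """Terminal side: ask the card to check the PIN, then request a cryptogram.
    Returns the authorisation request, or None if the card rejected the PIN."""
    if card.verify(entered_pin) != SW_OK:
        return None
    tx = {"amount": amount, "un": un, "cvmr": "offline PIN verified"}  # terminal's CVM Results
    tx.update(card.generate_ac(amount, un))
    return tx


def issuer_authorise(tx, cross_check=False):
    """Issuer side: verify the cryptogram; optionally reconcile the terminal's
    CVM Results against the card's CVR, which is what blocks the attack."""
    expected = hmac.new(ISSUER_KEY, f"{tx['atc']}|{tx['amount']}|{tx['un']}|{tx['cvr']}".encode(),
                        hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(expected, tx["arqc"]):
        return "declined: bad cryptogram"
    if cross_check and tx["cvmr"] == "offline PIN verified" and tx["cvr"] != "PIN verified":
        return "declined: terminal says PIN verified, card says it was not"
    return "approved"


if __name__ == "__main__":
    stolen = Card(pin="1234")
    tx = terminal(NoPinDevice(stolen), entered_pin="0000", amount=2000)
    print("terminal thinks:", tx["cvmr"], "| card thinks:", tx["cvr"])
    print("issuer without cross-check:", issuer_authorise(tx))
    print("issuer with cross-check:   ", issuer_authorise(tx, cross_check=True))
```

The cryptogram verifies in both cases because the card computed it honestly over what the card believed; the fraud is only visible to whoever compares the terminal's claim with the card's, which is why the slide says the fix tends to land on the issuer.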
EMV and Random Numbers
• In EMV, the terminal sends a random number N to the card along with the date d and the amount X
• The card computes an authentication request cryptogram (ARQC) on N, d, X
• What happens if I can predict N for d?
• Answer: if I have access to your card I can precompute an ARQC for amount X, date d
ATMs and Random Numbers (2)
• Log of disputed transactions at Majorca:
2011-06-28 10:37:24 F1246E04
2011-06-28 10:37:59 F1241354
2011-06-28 10:38:34 F1244328
2011-06-28 10:39:08 F1247348
• N is a 17-bit constant followed by a 15-bit counter cycling every 3 minutes
• We test, & find half of ATMs use counters!
ATMs and Random Numbers (3)
[figure not reproduced]
ATMs and Random Numbers (4)
[figure not reproduced]
The preplay attack
• Collect ARQCs from a target card
• Use them in a wicked terminal at a collusive merchant, which fixes up nonces to match
• Paper accepted at Oakland 2014, then a live case…
• Sailor spent €33 on a drink in a Spanish bar. He got hit with ten transactions for €3300, an hour apart, from one terminal, through three different acquirers, with ATC collisions
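The slides on random numbers, the Majorca ATM log and the preplay attack together describe one procedure: predict the terminal's nonce, get the card to compute ARQCs for it in advance, then have a collusive terminal present those nonces. The following is an added model of that procedure written for this page, not code from the talk or from the paper it mentions. It assumes HMAC-SHA256 in place of the card's session-key MAC, a 17-bit constant taken from the top bits of the F124xxxx values in the log above, and a counter that is linear in time within its 3-minute cycle (the slide gives the cycle length, not the exact mapping); the issuer's ATC-collision check is the symptom the sailor's case mentions, modelled as a simple duplicate test.

```python
"""Simplified model of the EMV pre-play attack: if a terminal's 'unpredictable number'
(UN) can be predicted, an attacker who briefly holds the card can pre-compute ARQCs
for a future transaction and replay them from a collusive merchant's terminal."""
import hashlib
import hmac
import struct

CARD_KEY = b"constructed-card-issuer-key"  # constructed; real cards use per-card symmetric keys


def arqc(key, atc, un, amount, date):
    """Authorisation request cryptogram over ATC, UN, amount and date.
    EMV uses a session-key MAC over the CDOL data; HMAC-SHA256 stands in here."""
    msg = struct.pack(">HIQ", atc, un, amount) + date.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Card:
    def __init__(self, key):
        self.key, self.atc = key, 0

    def generate_ac(self, un, amount, date):
        self.atc += 1                              # ATC increases on every cryptogram
        return self.atc, arqc(self.key, self.atc, un, amount, date)


class WeakAtm:
    """UN generator as described in the transcript: a 17-bit constant followed by a
    15-bit counter cycling every 3 minutes. Assumed here to be linear in time."""
    CYCLE = 180

    def __init__(self, const17):
        self.high = (const17 & 0x1FFFF) << 15

    def un_at(self, t_seconds):
        return self.high | int((t_seconds % self.CYCLE) * 0x8000 // self.CYCLE)


class Issuer:
    def __init__(self, key):
        self.key, self.seen_atcs = key, set()

    def authorise(self, tx):
        expected = arqc(self.key, tx["atc"], tx["un"], tx["amount"], tx["date"])
        if not hmac.compare_digest(expected, tx["arqc"]):
            return "declined: bad cryptogram"
        if tx["atc"] in self.seen_atcs:             # the 'ATC collision' symptom
            return "declined: ATC collision"
        self.seen_atcs.add(tx["atc"])
        return "approved"


def harvest(card, atm, times, amount, date):
    """Attacker with momentary access to the card: one GENERATE AC per planned
    transaction, each over the UN the target ATM will emit at that time."""
    loot = []
    for t in times:
        un = atm.un_at(t)
        atc, ac = card.generate_ac(un, amount, date)
        loot.append({"un": un, "atc": atc, "arqc": ac, "amount": amount, "date": date})
    return loot


def wicked_terminal(issuer, loot):
    """Collusive merchant's terminal: submits each harvested cryptogram with its
    nonce 'fixed up' to the one the ARQC was computed over."""
    return [issuer.authorise(tx) for tx in loot]


def run_preplay():
    """Three pre-computed transactions an hour apart, all accepted by the issuer."""
    card, issuer = Card(CARD_KEY), Issuer(CARD_KEY)
    atm = WeakAtm(0x1E248)          # top 17 bits of the F124xxxx values in the log above
    loot = harvest(card, atm, times=[0, 3600, 7200], amount=3300, date="2011-06-28")
    return wicked_terminal(issuer, loot)


if __name__ == "__main__":
    print(run_preplay())
```

Each harvested cryptogram is genuine and carries a fresh ATC, so the issuer's MAC check passes; the only thing that would have stopped it is a nonce the attacker could not predict, which is the terminal's job, not the issuer's.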
Authorised Push Payment
• Not on my graph as not calculated the same way in previous years
• However it's shot up to £354.3 million – second only to remote purchase fraud and more than the rest put together
• Has been surfaced thanks to FCA/PSR action
• The regulators' attention is overdue and welcome…
The death of 2FA
• PSD2 got banks to make 2FA universal
• Attacks ramping up rapidly!
• SIM swap started in South Africa, then Nigeria, then the USA since about 2016 (it got going there as a way of stealing Instagram accounts)
• SS7 hacking used to be the agencies' baby
• Used in Germany for bank fraud in 2016, in the UK last year
• German banks consider SMS 2FA obsolete…
More…
• See www.lightbluetouchpaper.org for our blog
• And http://www.cl.cam.ac.uk/~rja14/banksec.html for our papers on payments
• Workshop on Economics and Information Security (WEIS): next edition in Brussels, June 2020
• See Arvind Narayanan's latest paper on SIM swap
• And my book 'Security Engineering – A Guide to Building Dependable Distributed Systems' (the chapter on Banking and Bookkeeping is under way)