Black Hat 2011 – Shark Week Continues with “Chip & Pin” and SQUARE
August 2011 by Michael Hayes CTO of B-4-U Inc. / ROBOTS-4-U
Even with this being Shark week, the biggest predators may be the banks with EMV drawing blood from the consumers even with their standard not fully implemented. Protection from sharks can be helped by tightening the implementation of the standard, and hopefully most aspects of this will be implemented before it lands in the U.S. . SQUARE on the other had is a light weight tool, that may help small vendors, but there is doubt that it would pass a PCI audit, this in-itself is not a deal breaker, but security needs to be tightened in this environment as well, to minimize the attraction of sharks.
Michael Hayes CTO of B-4-U Inc. / ROBOTS-4-U
Over the last week the discovery channel has been airing Shark Week, well while visiting Black Hat and DEFCON we discover that Shark week, can take place outside the water and on the Las Vegas strip.
During the presentation “Chip & Pin is Definitely Broken” the presenters showed that there are many possibilities for sharks to skim easily with many different techniques for Credit card skimming and PIN harvesting in an EMV world.
The four presenters Andrea Barisani, Adam Laurie, Daniele Bianco and Zac Franken not only talked about different issues impacting the ease of Credit Card skimming and PIN harvesting, they also demonstrated a unique application of Credit Card capture using the Product “SQUARE”.
Chip & PIN is Definitely Broken
What is EMV stands for as defined by Wikipedia is “ Europay, MasterCard and VISA, a global standard for inter-operation of integrated circuit cards and IC card capable point of sale (POS) terminals and automated teller, Credit Cards with a Chip in them ”.
In this case in the EU, liability shifts from the bank to the customer. With EMV,
the mag-stripe is still a fallback. A warning: a variant of EMV is coming to the US whether it is secure or not. So the key issue as stated by the presenters is that, EMV is broken, researchers at the University of Cambridge have proven that the stolen cards can be used without the pin. The industry claims it is difficult, but one bank in the EU has implemented a fix. As a matter of fact, the presented showed a low cost solution, smaller than a credit card that can be inserted into ATM machines, and a faceplate that transmits RF, to capture the pin numbers. This can be captured and transmitted in a walk by or walk up mode.
So the bypass is skimming, ATM Skimmers are showing up in the wild. Skimming with this technology is relatively easy, the chip is inherently accessible, and the users cannot detect the fraudulent hardware, which is typically super imposed in the physical ATM.
EMV smartcards, the terminal and card can query each other, without any pin verification; also this data is in plain text when queried. On the chip and pin cards there are SDA ( Static Data Authentication ) and DDA ( Dynamic Data Authentication ), information is transferred in clear text.
Key is the skimmer to detect cards and capture card data, a PIN can be intercepted in a number of ways including sending info in clear text, and small devices to capture PIN via RF. With $50 to $100 dollars each POS or ATM location can be changed.
Solutions, EMV, need to do Crypto from the start to the end of the process for each transaction.
SQUARE
This device allows small business owners of all types to process credit cards. SQUARE, plugs into your iPhone or iPad or PC easily and is free. This opens up an opportunity to buy a large number of credit cards on the open market (e.g. Russia). With this in play a vendor can pay for a service and transfer cash to a client. They can also clear 100’s of credit cards a day easily from anywhere.
SQUARE is not clearly busted, but there needs to be some discussion about end to end encryption and validation. This will protect both vendors and consumers. The concept is good, but implementation needs to be strengthened.
Related articles: