A few weeks ago, the Cambridge security research team published a paper about the small card readers that are currently being deployed as a way to make online banking more secure. Their article is quite critical, and I would just like to review the vulnerabilities that they mention, because I don’t think that these products are as dangerous as they make us believe.
This first argument is a good one. Having a portable PIN-checking device is good news for muggers, who will now be able to check their victim’s PIN code from the comfort of their (victim’s) own home. As the authors mention, it would have been much better to let the user know about the “Wrong PIN” issue only after validating an online authentication or purchase, as it would have made it more difficult for muggers to get their information.
The bad news is that the readers are out now, and that muggers can freely get their hands on one, or order one from the Internet.
The argument about wear on the reader’s keys doesn’t seem as good. Keys take a lot of abuse before showing wear, and a CAP reader is not a device that one will use 10 times a day, every day. In practice, I am not sure that this vulnerability is really significant (this can be tested, though).
The CAP application can be implemented in pure software using publicly available documents. This is true, but this threat sounds much less significant to me. Because EMV is protected by copyright and other means, “official” software vendors are quite unlikely to include a piece of software that banks and payment associations don’t want to see. Of course, anybody with some smart card experience could write a program that emulates the CAP reader, but who would be stupid enough to give their PIN to a program written by an unknown developer? In addition, smart cards have always faced the problem that PCs aren’t equipped with readers, and I believe that this is still very common today.
Attacks based on a tampered-with terminal definitely can work, but they are very hard to industrialize, because payment networks have become quite good at identifying the source of a card fraud (i.e., the merchant at which several of the compromised cards were all used before a given attack). This severely limits the exploitation of this vulnerability.
Like the previous one, this attack is real, but difficult to implement. The attack requires the attacker to sell modified CAP readers, which are then returned because they are designed to stop working (after recording your card information and PIN code, naturally). How many modified CAP readers can a thief sell on eBay before getting caught? Most likely, not many. In addition, the logistics are quite complicated.
The other idea consists of fitting a GSM module (with a SIM card) in the CAP reader. This vulnerability does not make any economic sense, because a CAP reader is intended for personal use, and the price of a GSM module (with some kind of subscription) is likely to be greater than the price of buying the card information on the black market.
This one is really nice, and a beautiful extension of traditional phishing. Once a victim responds to a phishing e-mail, the next communication will consist of asking for some use of the reader, in order to authorize the transaction. This is of course quite natural; if somebody falls for phishing, this same person will keep going through the authentication process, almost regardless of what the process is.
I believe that this actually is a weakness of these devices. With a slightly larger screen, it would be possible to display a more detailed message, and therefore to reduce the likelihood of phishing.
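To make the screen-size point concrete, here is an added, simplified model (my own illustration, not code from the paper or from any bank’s CAP implementation, and not the real EMV cryptogram). The reader signs the payee account and amount the user types in; the bank recomputes the code over the transfer it is about to execute, so the code is bound to that transfer. What differs between the two runs is only what the reader shows before the user presses OK: an unlabelled echo of the digits, or a message that states the action. The key, account numbers and amounts are constructed sample values.

```python
import hmac
import hashlib

# Constructed demo key; a real CAP reader relies on the EMV card's own
# cryptogram, which this simplified model does not reproduce.
CARD_KEY = b"constructed-demo-card-key"


def sign(payee_account: str, amount: int) -> str:
    """Reader side (assumed model): 8-digit code bound to the typed-in fields."""
    msg = f"{payee_account}|{amount}".encode()
    mac = hmac.new(CARD_KEY, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**8).zfill(8)


def bank_accepts(payee_account: str, amount: int, code: str) -> bool:
    """Bank side: recompute over the transfer it is actually about to execute."""
    return hmac.compare_digest(sign(payee_account, amount), code)


def reader_display(payee_account: str, amount: int, big_screen: bool) -> str:
    """Small screen: echoes the typed digits, unlabelled.
    Larger screen: states what approving will do."""
    if big_screen:
        return f"PAY {amount} TO ACCOUNT {payee_account}?"
    return f"{payee_account} {amount}"


def user_approves(display: str, intended_account: str, intended_amount: int) -> bool:
    """A user who checks labelled details against what they meant to do.
    Unlabelled digits give them nothing to check, so they press OK."""
    if display.startswith("PAY "):
        return display == f"PAY {intended_amount} TO ACCOUNT {intended_account}?"
    return True


def phishing_outcome(big_screen: bool) -> bool:
    """Return True if the fraudulent transfer goes through (constructed scenario)."""
    intended_account, intended_amount = "11112222", 60    # the bill the victim meant to pay
    mule_account, mule_amount = "99998888", 2500          # what the phishing page has them type
    shown = reader_display(mule_account, mule_amount, big_screen)
    if not user_approves(shown, intended_account, intended_amount):
        return False                                      # victim spots the mismatch and stops
    code = sign(mule_account, mule_amount)                # victim reads the code back to the page
    return bank_accepts(mule_account, mule_amount, code)


if __name__ == "__main__":
    print("small screen, fraud accepted:", phishing_outcome(False))
    print("large screen, fraud accepted:", phishing_outcome(True))
```

The binding itself is identical in both runs; the only defence the larger screen adds is that the user can finally compare what the reader is about to authorize with what they intended, which is exactly the check a digits-only display denies them.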
These weaknesses seem to be specific to the way the banks use the readers. All the weaknesses mentioned in the paper are quite trivial, and seem to result from the fact that banks have not been adequately trained in the use of the devices. Hopefully, this will get fixed in the near future.
To conclude on these vulnerabilities, I believe that they are not that easy to exploit, except by muggers (but, as I mentioned, it is too late to stop the muggers now, as they have already bought their CAP reader).
On the other hand, CAP readers are a good security measure, which can make online banking and payment safer. Their use is only beginning, and we can hope that it will improve in the coming years. In addition, other two-factor authentication means are becoming available, for instance using mobile phones, which will bring more diversity and hopefully more security to this field.