Chip And PIN Is Broken (A Little)

By now, there has been sufficient hype around Ross Anderson’s latest attack on EMV banking cards. Once again, the Cambridge guys have scored a good one here, as the simplicity of the attack is outright incredible: Intercept the PIN Presentation command, make the terminal believe that the PIN is correct (i.e., return Status Word 9000), while never sending the APDU to the card. After that, the terminal thinks that the PIN was presented correctly, and the card thinks that no PIN was presented. OK, let’s stop here for a minute.

Most of us, who don’t know the EMV specs by heart, would believe that the PIN authentication is part of the card applet’s state machine. After all, Chip and PIN seem to be very tightly connected to each other. Well, it isn’t the case, and PIN verification is just something that may happen, or not. So, the discrepancy can go unnoticed.

When looking at the EMV protocol in greater details, like they do in the article, we notice that the information is actually present, but that we are missing a method to consolidate the various bits of information. Some items are optional, while some others (the IAD) use proprietary formats, and are not intended to be parsed on the terminal. Basically, there are solutions to counter the attack, but they are not obvious to implement. If you want all the technial details, refer to the full paper.

Now, what does this attack tell us about the EMV Protocol? Well, it has a vulnerability, like many (all?) other security protocols, at least in the way it is most often implemented in practice. It’s a rather big one, too, which shows that smart card protocols most likely get less interest than others. It also shows that simple is not only beautiful, but also secure, or at least that the complexity of systems like EMV, with all its options, is becoming a real security issue.

Then, another issue is that the ability to perform over-the-air software updates to fix vulnerabilities is becoming standard, on computers, on phones, and even on some TVs and soud systems, provided that they are connected to Internet. Well, such things remain hard to do on payment terminals, and also on smart cards, even though th security of these devices is critical. Can we really expect card operating systems to become more complex if we aren’t able to maintain them over their lifetime? Probably not, and that transition is going to be tough.

Another thing that this attack reminds us of is that smart cards are just another security measure, which cannot be perfect. The paper contains the usual attacks against UK banks who, according to the authors, make customers liable as soon as PIN authentication is used on a bad transaction. Here, the problem is not the technology, it is the system around it. Magstripe technology is far more broken, but if the insurance provided by US banks is better, then the consequence is that the customer, in the end, is better off with the lower security, because their insurance provided by their banks is better.

About PIN security itself, it is in fact very easy to guess the number typed by a person on a keypad, even without seeing the keypad. You can make the experience in any European supermarket line: simply try to guess the PIN typed by the people in front of you. You will notice that in many cases, you have the feeling that you got a lot of information about that PIN. Add to that the fact that you are far from being a trained professional, and you can get an idea of the problem: protecting a PIN is difficult. As far as I know, in France, where Chip and PIN has been the rule for many years, it is not too hard to avoid liability even if our PIN has been disclosed. The PIN is not a miracle, and it cannot solve all problems.

Finally, a positive note. We are getting quite a lot of attacks on smart cards these days. The program of Cardis 2010 includes 6 papers on attacks, and the published state-of-the-art is getting closer to the laboratories’ state-of-the-art. Some might say that this is dangerous for cards, but some others will say that this is actually a positive evolution, moving away from the “smart cards are secure” dogma into a “smart card can help build good security models” logic. And if we use that logic to build business models that ultimately benefit final customers, then all of this will have been a step in the right direction.

One Comment

  • lexdabear wrote:

    There is a press release from the German ZKA that the debit cards issued in Germany are not prone to this attack. Apparantly this attack can be countered by the backend system (or the terminal itself) by comparing some data received from the card. So it seems an issuer problem, not the EMV protocol itself.
    Also not mentioned in the paper that this attack cannot be done on ‘locked’ cards once the fraud was reported.

Leave a Reply

Your email is never shared.Required fields are marked *