Written by
Technorati Tags: emv, retail, security
What is even more odd is that a couple of people said something to the effect of “did you know that chip and PIN has been cracked” or “what do you think about supposedly tamper-proof Chip and PIN terminals being hacked” neither of which were claims made by the researchers. After pointing out that there is nothing in EMV that requires terminals to be tamper-proof (they have to be tamper-evident, which is entirely different) and that to the best of my knowledge none of the manufacturers have claimed them to be tamper proof, I refer them to APACS. To be completely honest, I thought the APACS media response was a little flat. I would have said “since criminals have already demonstrated this attack in the field (see the notorious Shell case), these researchers seem a little behind the curve”. Sandra Quinn of APACS actually said ‘Our experts are in discussion with the manufacturers of terminals to see what can be done.’ The answer is, of course, nothing. And it has nothing to do with chip & PIN. As a class of threat, this is no different from the old ruse of putting an “out of order” sign on the bank nightsafe and pretending to be a security card. If you can persuade consumers to put their card and PIN into a box under your control, then you can skim the details.
Does it matter? Probably not. Insofar as it is a threat, it’s because the card details and PIN can be used to manufacture counterfeit magnetic stripe cards (the security of the chip isn’t compromised) and these can be used in foreign ATMs to withdraw money because “fallback” is allowed: that is, a card that doesn’t have a working chip can still be used via the magnetic stripe.
The long term solution — apart from turning off fallback — is to stop having this sort of POS terminal where the card details and customer PIN are both “known” in the same place. If I can persuade the industry to buy into my vision (in which the “smarts” and the PIN never leave the customers’ hands — because they are in the customer’s Mobile phone), even the theoretical threat will be reduced.
My opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public. [posted with ecto]
Dave,
You are exactly right. If you look at our light-hearted original weblog post,
http://www.lightbluetouchpaper.org/2006/12/24/chip-pin-terminal-playing-tetris/
you will notice that we did not claim anything new. In fact, this has been known to the banks/APACS since at least March 2005. So, it is not new to them either. The media hyped it a bit, but that’s their job, I suppose. APACS’s job is to calm things down, and that’s what Quinn did. She did admit that there is a real vulnerability in our demonstration, something she has never done before when our group came out with real attacks on EMV. That’s progress in my book.
The trouble is that the tamper resistance in the terminals protect the banks, not the customers. When you open a terminal (and the tampering mechanisms work) it will not be able to communicate with the bank any longer. This, however, does not prevent that very same terminal from being used as a fake one. Nothing new, we simply took the time to demonstrate it.
Tamper evidence seals are very hard to make. Even if there were any such mechanisms in place, educating the users to check for them reliably would be very hard. Short of the terminal exploding upon opening there isn’t much that could be done (this would also prevent servicing them). Even that would be useless, as fake enclosures could be made cheaply as well. The plethora of terminals in every kind of shape size and color, compounds the difficulty. Currently, the customer can’t do much aside from avoiding anything that looks shady.
We estimated that it would take at most one man month worth of work to do what we did. The technical level can be regarded as moderate, if that. Quinn claims that this can not be replicated outside the lab, but as you say, we know better.
cheers.
“it will not be able to communicate with the bank any longer.”
But this is a key distinction. i.e. changing the innards (to just harvest PINs) is, as you demonstrate, relatively easy but replacing them with something that continues to function undetected with the POS application/bank is harder. And you need to do that in order to use it in anything other than a completely “evil” retail environment (although I’m sure that will happen one of these days like that hilarious “LINK” ATM in London a few years back)
The fact that in the Shell incident they compromised the unit and then apparently got it working again with the original EMV firmware(i.e. the tamper mechanisms were somehow defeated)is actually much more of an issue.
I should also mention that at least one manufacturer has indeed claimed “tamper proof” in the past. I have the product sheet to prove it….
“I should also mention that at least one manufacturer has indeed claimed “tamper proof” in the past. I have the product sheet to prove it….”
I stand corrected.
As Saar points out, I think we are in violent agreement 🙂
In the past, we have had private emails from others in the banking industry who are frustrated with the APACS PR. I think the problems stems from APACS not wanting to admit even the slightest problem with Chip & PIN. This leads them to make such odd statements even when their engineers would have been telling them that the risk is well understood and inherent to the system design chosen.
I tried to get this across in my Radio 5 interview, explaining that there were no 100% secure solutions and that Chip and PIN was not broken. I think we would all be better off if APACS was willing to discuss known security weaknesses openly so they may be mitigated.
While there is such a large gap between the expectations and implementation of a system, disappointment is inevitable. When the gap between claimed security and actual security moves into the court system, there is a very real risk of injustice.
As for your fallback comments, it seems that this is not only a foreign problem but ATMs in the UK will also accept magnetic strip forgeries.
http://www.lightbluetouchpaper.org/2006/06/12/chip-and-skim-2/
A further risk which we didn’t bring up as it would just muddy the waters, is clones of SDA cards for offline use, although I am sure you are well aware of this already.
http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=389084
Speaking as a journalist, they simply need expert comment to make an article publishable – there’s no implied insult (although I imagine most journalists dream of the day when they do have an original thought – I certainly do).
In terms of making a terminal truly tamper evident, there must presumably be some work being done in intelligent materials that could be leveraged – i.e. something that actually shows on the casing if the terminal is compromised. That would no doubt be expensive.