TheEMVprotocolsuite

•  NamedforEuropay-MasterCard-VisawithUKbranding‘chipandPIN’

•  Developedlate1990s;deployedinUK2003–6•  Europe,Canadafollowed;USAfrom2015•  Banks’bigideadea:ifPINused,blamethecustomer,elseblamethemerchant.

•  Whatcouldpossiblygowrong?

nCipher2020

CardfraudhistoryLo

sses

(£m

)

Year

2004 2006 2008 2010 2012 2014 2016 2018Total (£m) 504.7 439.5 467.6 580.7 676.8 479 481.2 452.7 499.8 553.4 597.5 755.6 768.8 731.4 844.9

010

020

030

040

050

0

Card-not-presentCounterfeit

Lost and stolen

ID theft

Mail non-receipt

Chip & PIN deployment period

Mobile banking

Phone banking

Online banking

nCipher2020

EMVshiftedthelandscape…

•  Likebulldozingafloodplain,itcausedthefraudtofindnewchannels

•  Card-not-presentfraudshotuprapidly•  Counterfeittookacoupleofyears,thentookoffoncethecrooksrealised:–  It’seasiertostealcardandpindetailsoncepinsareusedeverywhere

– Youcanstillusemag-stripfallbackoverseas

nCipher2020

Attackthecrypto?•  EMVbrokeallthecryptographichardwaresecuritymodulesintheworld!

•  AtransactionspecifiedbyVISAtosendanencryptedkeytoasmartcardleakedkeysinstead

•  See‘Robbingthebankwithatheoremprover’,PaulYoun,BenAdida,MikeBond,JolyonClulow,JonathanHerzog,AmersonLin,RonaldLRivest,RossAnderson,SPW2007

•  JolisnowBarclays’CISO…nCipher2020

Attacktheoptimisations

•  CheapcardsareSDA(nopublickeycrypto,staticcert)

•  A‘yescard’candofraudoffline

•  DoneinFrance,phasedoutfrom2011

nCipher2020

Whataboutafalseterminal?

•  Replaceaterminal’sinsideswithyourownelectronics

•  CapturecardsandPINsfromvictims

•  Usethemtodoaman-in-the-middleattackinrealtimeonaremoteterminalinamerchantsellingexpensivegoods

nCipher2020

Therelayattack(2007)

PIN

$2000$20

PIN

attackers can be on oppositesides of the world

Dave

Carol

AliceBob

$

nCipher2020

Attacksintherealworld

•  Therelayattackisalmostunstoppable,andweshoweditinTVinFebruary2007

•  Butitseemsnevertohavehappened!•  Foryears,mag-stripfallbackfraudwaseasy•  PEDstamperedatShellgaragesby‘serviceengineers’(PEDsupplierTrintechwentbust)

•  Then‘TamilTigers’•  AfterfraudatBPGirton:weinvestigate

nCipher2020

TVdemo:Feb262008

•  PEDs‘evaluatedundertheCommonCriteria’weretrivialtotap

•  Acquirers,issuershavedifferentincentives

•  GCHQwouldn’tdefendtheCCbrand

•  APACSsaid(Feb08)itwasn’taproblem…

•  Khancase(July2008)nCipher2020

The‘No-PIN’attack

•  HowcouldcrooksuseastolencardwithoutknowingthePIN?

•  Wefound:insertadevicebetweencard&terminal

•  Cardthinks:signature;terminalthinks:pin

•  TV:Feb112010

nCipher2020

AnormalEMVtransaction

1. Card details; digital signature $$$

PIN

transaction;cryptogram

result$ 5. Online transaction authorization (optional)

card

merchant

2. PIN entered by customer

3. PIN entered by customer; transaction description

4. PIN OK (yes/no); authorization cryptogram

customer

issuer

nCipher2020

A‘No-PIN’transaction

nCipher2020

Blockingthe‘No-PIN’attack

•  Intheory:mightblockatterminal,acquirer,issuer•  Inpractice:mayhavetobetheissuer(aswithterminaltampering,acquirerincentivesarepoor)

•  BarclaysblockeditJuly2010untilDec2010•  Realproblem:EMVspecvastlytoocomplex•  With100+vendors,20,000banks,millionsofmerchants…atragedyofthecommons!

•  Laterbankreaction:wrotetouniversityPRdepartmentaskingforOmarChaudary’sthesistobetakendownfromthewebsite

•  By2015HSBCblockedit;2017,otherUKbankstoonCipher2020

EMVandRandomNumbers•  InEMV,theterminalsendsarandomnumberNtothecardalongwiththedatedandtheamountX

•  Thecardcomputesanauthenticationrequestcryptogram(ARQC)onN,d,X

•  WhathappensifIcanpredictNford?•  Answer:ifIhaveaccesstoyourcardIcanprecomputeanARQCforamountX,dated

nCipher2020

ATMsandRandomNumbers(2)

•  LogofdisputedtransactionsatMajorca:

•  Nisa17bitconstantfollowedbya15bitcountercyclingevery3minutes

•  Wetest,&findhalfofATMsusecounters!

nCipher2020

2011-06-28 10:37:24 F1246E04

2011-06-28 10:37:59 F1241354

2011-06-28 10:38:34 F1244328

2011-06-28 10:39:08 F1247348

ATMsandRandomNumbers(3)

nCipher2020

ATMsandRandomNumbers(4)

nCipher2020

Thepreplayattack

•  CollectARQCsfromatargetcard•  Usetheminawickedterminalatacollusivemerchant,whichfixesupnoncestomatch

•  PaperacceptedatOakland2014,thenalivecase…

•  Sailorspent€33onadrinkinaSpanishbar.Hegothitwithtentransactionsfor€3300,anhourapart,fromoneterminal,throughthreedifferentacquirers,withATCcollisions

nCipher2020

AuthorisedPushPayment

•  Notonmygraphasnotcalculatedthesamewayinpreviousyears

•  Howeverit’sshotupto£354.3million–secondonlytoremotepurchasefraudandmorethantherestputtogether

•  HasbeensurfacedthankstoFCA/PSRaction•  Theregulators’attentionisoverdueandwelcome…

nCipher2020

Thedeathof2FA

•  PSD2gotbankstomake2fauniversal•  Attacksrampinguprapidly!•  SIMswapstartedinSouthAfrica,thenNigeria,thentheUSAsinceabout2016(itgotgoingthereasawayofstealinginstagramaccounts)

•  SS7hackingusedtobetheagencies’baby•  UsedinGermanyforbankfraudin2016,intheUKlastyear

•  GermanbanksconsiderSMS2FAobsolete…nCipher2020

nCipher2020

More…

•  Seewww.lightbluetouchpaper.orgforourblog•  Andhttp://www.cl.cam.ac.uk/~rja14/banksec.htmlforourpapersonpayments

•  WorkshoponEconomicsandInformationSecurity(WEIS):nexteditioninBrussels,June2020

•  SeeArvindNarayanan’slatestpaperonSIMswap•  Andmybook‘SecurityEngineering–AGuidetoBuildingDependableDistributedSystems’(thechapteronBankingandBookkeepingisunderway)