Hacking EMV security

EMV is a great security measure, but isn’t the silver bullet the industry claims it is.

Brand Barney, Security Analyst at SecurityMetrics
By: Brand Barney
Fact: With every card present transaction, there exists a risk of fraud. Right now in the United States, and where EMV is NOT fully implemented, data is being stolen from POS terminals and cloned in droves. That’s why the industry is pushing the EMV initiative. EMV will help eradicate fraud at the card present transaction.

Hacking EMV security
EMV transactions include a chip-generated dynamic data element that is unique for every transaction. This dynamic data element prevents the successful creation of counterfeit cards, even if credit card data is compromised.



Some banks, merchants, and customers have touted EMV as unhackable, and the silver bullet of security. I do not believe any technology is absolutely unhackable. With the right amount of time and technology, the best hackers have a chance at breaching any security technology. But the technology behind EMV makes it extremely difficult for attackers (who generally go for the lowest hanging fruit) to attack.

It’s still possible to hack payment terminals.

Let me show you a couple videos showing potential vulnerabilities that may affect payment terminals. Some of these videos are older and the vulnerabilities they represent may have been addressed by POS vendors. By listing them below, I’m simply stating that vulnerabilities in payment terminals are always possible.
  • In this 2012 video you’ll see how simple physical tampering of an EMV terminal works. An EMV skimming device is easily inserted into the EMV machine, capturing card data. Every week the attacker can visit the skimming terminal, insert a fake EMV card into the terminal, and use the programmed chip on his fake card to download all the gathered data. 
  • Here’s an example of a RAM scraper that illustrates how all POS systems that do not encrypt at swipe can be vulnerable.
  • In this 2013 video, you’ll see that someone has made an app that steals EMV contactless card data simply through its proximity to the card.

Heads up

Right now, hackers are exploring and exploiting other, easier vulnerabilities within merchant networks.

In particular, online transactions are at great risk. If you have an ecommerce site, prepare for a major spike in ecommerce attacks. Online fraud increased 21% in Europe in 2012, in part due to EMV. Jeremy King of the PCI SSC says once the US moves to EMV, we will see a move of fraud to card-not-present environments.

EMV security
Since hackers historically flock to the easiest place to get data, we can assume that hackers will follow that same trend in the U.S.


In addition, the EMV liability shift date is October 1, 2015. Even though EMV adoption is voluntary, after October 1, liability for the costs associated with card compromise will fall completely on the company not using EMV.


Hackers know about the liability shift, and are refining their attack methods today.
Hackers are looking for ways they can steal your data before you transition to EMV.

Conclusion

We don’t often see an industry-wide initiative for security, but EMV is a great example of the industry banding together to stop fraud in its tracks. Even if it is possible (though not probable) that EMV terminals could be hacked, this move towards security is a great step to thwart criminals.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.

5 things payments should watch for in 2015

4 comments:

  1. But a P2PE solution would have would have prevented the Target attack as there is no PAN in the open as neither the merchant nor the POS software can see the card number. Seems like P2PE should be touted as a bigger part of the solution to security for both EMV and Mag stripe transactions than is currently being done. So ram scrapers would be ineffective. Physical tampering is still a problem though, with this solution. Comments?

    ReplyDelete
    Replies
    1. IMHO there are many things that would have prevented the Target attack. P2PE is an excellent solution that I would highly recommend to any merchant or service provider that is looking to drastically reduce their risk.

      P2PE is gaining traction, albeit very slowly, but I agree that it does need to be touted more openly by the security community and by our banking counterparts. EMV is a small part of the pie, and it does help at the swipe, but with anything, merchants need to be hyper vigilant in their security efforts as attackers are always looking for new ways to get into our systems. Whether it is physical tampering, or socially engineering us into giving away our sensitive data...Maybe we haven’t properly locked down our admin accounts, or white listed applications. As you can likely see by my friendly rant, I am a major advocate for defense in depth. Stay safe and don’t put all of your eggs in one basket.

      -Brand Barney

      Delete
  2. I think defense in depth is bit like I like the bear analogy. You don't have to outrun the bear. you just have to outrun the guy next to you.

    ReplyDelete
  3. We cannot think of security as just the perimeter anymore. We have to look at protecting our data from every angle, from within and from without. We have to have a strategy for every layer of our network and data. And if the bear does get in…we need to know it and protect against it. We don’t run from bears around here :)

    -Brand Barney

    ReplyDelete