Hacking EMV security

EMV is a great security measure, but isn’t the silver bullet the industry claims it is.

Brand Barney, Security Analyst at SecurityMetrics
By: Brand Barney

Fact: With every card-present transaction, there is a risk of fraud. Right now in the United States, and wherever EMV is NOT fully implemented, card data is being stolen from POS terminals and cloned in droves. That’s why the industry is pushing the EMV initiative. EMV will help eradicate fraud in card-present transactions.

EMV transactions include a chip-generated dynamic data element that is unique for every transaction. This dynamic data element prevents the successful creation of counterfeit cards, even if credit card data is compromised.
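
A simplified model of the dynamic data element described above, added here as an illustration and not taken from the original post or from the EMV specifications. HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the key, card number, field layout and function names are all constructed for the example.

```python
import hmac
import hashlib

# Constructed sample values; a real card key never leaves the chip or the issuer's HSM.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PAN = "4000000000000002"  # constructed card number


def chip_cryptogram(card_key: bytes, atc: int, amount_cents: int, terminal_nonce: bytes) -> bytes:
    """Model of the chip: MAC over per-transaction data with a key only chip and issuer hold."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + terminal_nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Model of the issuer: recomputes the cryptogram and tracks the last counter per card."""

    def __init__(self, keys):
        self.keys = keys      # PAN -> card key
        self.last_atc = {}    # PAN -> highest transaction counter accepted so far

    def authorize(self, pan, atc, amount_cents, terminal_nonce, cryptogram):
        key = self.keys.get(pan)
        if key is None:
            return "declined: unknown card"
        if atc <= self.last_atc.get(pan, -1):
            return "declined: counter reused"
        expected = chip_cryptogram(key, atc, amount_cents, terminal_nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: bad cryptogram"
        self.last_atc[pan] = atc
        return "approved"


def demo():
    issuer = Issuer({PAN: CARD_KEY})
    nonce1, nonce2 = b"\x01\x02\x03\x04", b"\x0a\x0b\x0c\x0d"
    # Genuine chip transaction: counter 1, 25.00, fresh terminal nonce.
    c1 = chip_cryptogram(CARD_KEY, 1, 2500, nonce1)
    first = issuer.authorize(PAN, 1, 2500, nonce1, c1)
    # Same captured data presented again unchanged: the counter was already used.
    replay = issuer.authorize(PAN, 1, 2500, nonce1, c1)
    # Captured cryptogram attached to a new transaction: the MAC no longer matches.
    reuse = issuer.authorize(PAN, 2, 9900, nonce2, c1)
    return first, replay, reuse


if __name__ == "__main__":
    print(demo())
```

Because the card number alone is static, copying it gives a counterfeit card nothing it can present as a valid value for the next transaction; only the chip holding the key can produce one.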



Some banks, merchants, and customers have touted EMV as unhackable, and the silver bullet of security. I do not believe any technology is absolutely unhackable. With the right amount of time and technology, the best hackers have a chance at breaching any security technology. But the technology behind EMV makes it extremely difficult for attackers (who generally go for the lowest hanging fruit) to attack.

It’s still possible to hack payment terminals.

Let me show you a couple of videos showing potential vulnerabilities that may affect payment terminals. Some of these videos are older and the vulnerabilities they represent may have been addressed by POS vendors. By listing them below, I’m simply stating that vulnerabilities in payment terminals are always possible.
  • In this 2012 video you’ll see how simple physical tampering of an EMV terminal works. An EMV skimming device is easily inserted into the EMV machine, capturing card data. Every week the attacker can visit the skimming terminal, insert a fake EMV card into the terminal, and use the programmed chip on his fake card to download all the gathered data. 
  • Here’s an example of a RAM scraper that illustrates how all POS systems that do not encrypt at swipe can be vulnerable.
  • In this 2013 video, you’ll see that someone has made an app that steals EMV contactless card data simply through its proximity to the card.

Heads up

Right now, hackers are exploring and exploiting other, easier vulnerabilities within merchant networks.

In particular, online transactions are at great risk. If you have an ecommerce site, prepare for a major spike in ecommerce attacks. Online fraud increased 21% in Europe in 2012, in part due to EMV. Jeremy King of the PCI SSC says once the US moves to EMV, we will see a move of fraud to card-not-present environments.

Since hackers historically flock to the easiest place to get data, we can assume that hackers will follow that same trend in the U.S.


In addition, the EMV liability shift date is October 1, 2015. Even though EMV adoption is voluntary, after October 1, liability for the costs associated with card compromise will fall completely on the company not using EMV.


Hackers know about the liability shift, and are refining their attack methods today.
Hackers are looking for ways they can steal your data before you transition to EMV.

Conclusion

We don’t often see an industry-wide initiative for security, but EMV is a great example of the industry banding together to stop fraud in its tracks. Even if it is possible (though not probable) that EMV terminals could be hacked, this move towards security is a great step to thwart criminals.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.
