Channel: SecurityMetrics Blog

EMV Security, Yes It’s Hackable


EMV is good, but isn’t the silver bullet the industry claims it is.

By: Brand Barney, Security Analyst at SecurityMetrics
Fact: With every card-present transaction, there exists a giant risk of fraud. Right now, data is being stolen from POS terminals and cloned in droves. That’s why the industry is pushing the EMV initiative. In an ideal world, EMV would eradicate fraud at the card-present transaction.
EMV transactions include a chip-generated dynamic data element that is unique for every transaction. This dynamic data element prevents the successful creation of counterfeit cards, even if authentication data is compromised.
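A simplified model of that dynamic data element, as an added example that is not from the original post: the chip MACs a per-card transaction counter (ATC), the amount and a terminal nonce, and the issuer recomputes the value and rejects stale counters. HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the key, field sizes and function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo key; a real card holds an issuer-derived key inside the chip.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def card_cryptogram(key, atc, amount_cents, terminal_nonce):
    """Chip side: MAC over the transaction counter, amount and terminal nonce."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + terminal_nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Issuer:
    """Issuer side: recompute the cryptogram and refuse counters already seen."""

    def __init__(self, key):
        self.key = key
        self.last_atc = 0

    def authorize(self, atc, amount_cents, terminal_nonce, cryptogram):
        expected = card_cryptogram(self.key, atc, amount_cents, terminal_nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: cryptogram mismatch"
        if atc <= self.last_atc:
            return "DECLINE: counter replayed"
        self.last_atc = atc
        return "APPROVE"

def demo():
    """Run a genuine purchase, two reuse attempts, then the next genuine purchase."""
    issuer = Issuer(CARD_KEY)
    nonce1, nonce2 = bytes.fromhex("a1b2c3d4"), bytes.fromhex("0f0e0d0c")
    captured = card_cryptogram(CARD_KEY, 1, 2500, nonce1)
    results = [
        issuer.authorize(1, 2500, nonce1, captured),  # genuine transaction
        issuer.authorize(1, 2500, nonce1, captured),  # identical data replayed
        issuer.authorize(2, 9900, nonce2, captured),  # old cryptogram, new purchase
    ]
    fresh = card_cryptogram(CARD_KEY, 2, 9900, nonce2)
    results.append(issuer.authorize(2, 9900, nonce2, fresh))  # real chip, next purchase
    return results

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Data copied from one transaction is declined on reuse, while static magnetic stripe data has no counter or nonce for the issuer to check.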

Banks, merchants, and customers have touted EMV as un-hackable. Unfortunately, this widely held perception about EMV is totally wrong.

EMV itself is fundamentally a secure technology. However, vulnerabilities inherent in EMV-enabled POS terminals and processes keep it from being the silver bullet the industry wants it to be.

Let me explain.

Chip and PIN vs. chip and signature

Two types of transactions take place with EMV: chip and PIN, and chip and signature. Chip and PIN works when a customer inserts a card and enters his unique PIN. (Kind of like a debit card.) Chip and signature works when a customer inserts a card and signs his signature. (Kind of like how credit cards currently work.)

In my opinion, chip and PIN is the more secure method. Entering a unique PIN is better proof of cardholder presence than a signature: you either know the PIN or you don’t. (Keep in mind your PIN can still be stolen.)

The problem with chip and signature is that the only way to truly know whether a signature is yours is to have a signature analyst analyze it. That’s not very practical, and there is no way to know how long that dispute process could take or what hoops customers might have to jump through.

Chips can be reprogrammed

EMV brings another new mechanism for hackers to explore: the chip on the EMV card. Think about it. We’re inserting a chip into a machine. Chips can be reprogrammed to cause a poorly implemented EMV-enabled POS terminal to misbehave. It would seem that without the proper controls, these chips could make it easier for hackers to attack a company.

The point is, hacking is still possible with EMV. EMV cards can still be cloned (though it’s a much more complicated process). Remember the 70 million individuals affected by the Target hack? EMV wouldn’t have saved a single one of those cards from compromise.


Will EMV secure credit cards, or not?

The industry as a whole still seems to think EMV will make things better. Will it lessen fraud at card-present transactions? Yes. But it won’t stop hackers from stealing data from merchants.

Hackers are still going to exploit vulnerabilities. The same vulnerabilities exist in EMV terminals that exist in today’s point-of-sale terminals (e.g., malware, man-in-the-middle attacks, sloppy POS installation).
My point? Hackers can and will exploit EMV just as easily as they exploit point-of-sale terminals today.
Don’t believe me? Let me show you a couple videos.

How to hack an EMV machine

Most point-of-sale installers and architects won’t admit that EMV terminals may have weaknesses. Check out a few of these videos and you’ll see the reality.

In this video you’ll see how simple physical tampering of an EMV terminal works. An EMV skimming device is easily inserted into the EMV machine, capturing card data. Every week the attacker can visit the skimming terminal, insert a fake EMV card into the terminal, and use the programmed chip on his fake card to download all the gathered data.

Here’s another example of a RAM scraper.

In this video, you’ll see that someone has made a malicious app that steals EMV contactless card data simply through its proximity to the card.

Do you think it’s hard to physically tamper with an EMV device? Well look at how easily these guys did it.

You can even program your EMV chip to activate a Tetris game on a poorly configured EMV card reader for heaven’s sake! (Just a note: you’ll probably never get a high score playing like that...)

Kill the magnetic stripe!

Another problem in the United States is that all EMV terminals still have the capability to process magnetic stripe cards. And they will for the foreseeable future. Forrester estimates that EMV won’t be fully implemented until 2020.

Even the United Kingdom, which rolled out EMV in 2004, has terminals that take magnetic stripe cards to accommodate American tourists without EMV chip cards.

So what’s the problem with magnetic stripes?

The magnetic stripe on the back of your credit card contains all of the data needed for a malicious entity to clone your card, and none of it is encrypted. Once it’s been skimmed, the attacker can sell the card on illegal hacker credit card sites or flip purchases made with the cloned card on legitimate sites.

By the time the account holder realizes they’ve been compromised, the attacker has likely stopped using that card and long since moved on.

If I was a hacker, here’s how I would completely bypass EMV. 

If I’m in line to buy an item from a store, I might put a piece of electrical tape on my EMV chip and jam it in the EMV terminal (I’m guessing no one will notice). The EMV terminal malfunctions. Well, I still have to pay for my items, so I ask if I can just swipe my credit card. It is highly likely that the swipe functionality will not be disabled for this very reason. Now, if I can hack into or tamper with that POS terminal (which shouldn’t be too challenging, as we saw attackers doing in a previous video), I can get all the magnetic stripe data. No bothersome EMV chips to worry about.
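From the merchant's side, that chip-to-swipe fallback is visible in authorization data, so it can be monitored per terminal. The sketch below is an added example, not from the original post; the record fields, thresholds and terminal names are hypothetical, and the POS entry mode codes are assumed values that should be confirmed against your processor's specification.

```python
from collections import defaultdict

# Assumed POS entry mode codes (ISO 8583 field 22 as commonly used by card
# networks); confirm the exact values with your processor.
CHIP_READ, SWIPE, FALLBACK_SWIPE = "05", "90", "80"

def is_chip_card(service_code):
    """A magnetic stripe service code starting with 2 or 6 marks a chip card."""
    return service_code[:1] in ("2", "6")

def classify(txn):
    """Return 'chip', 'swipe' or 'fallback' for one authorization record."""
    if txn["entry_mode"] == CHIP_READ:
        return "chip"
    swiped = txn["entry_mode"] in (SWIPE, FALLBACK_SWIPE)
    if swiped and is_chip_card(txn["service_code"]) and txn["terminal_chip_capable"]:
        return "fallback"  # chip card swiped at a terminal that could read the chip
    return "swipe"

def terminals_to_inspect(txns, max_rate=0.10, min_txns=5):
    """Map terminal id -> fallback rate for terminals above max_rate."""
    totals, fallbacks = defaultdict(int), defaultdict(int)
    for t in txns:
        totals[t["terminal_id"]] += 1
        if classify(t) == "fallback":
            fallbacks[t["terminal_id"]] += 1
    return {tid: round(fallbacks[tid] / n, 2)
            for tid, n in totals.items()
            if n >= min_txns and fallbacks[tid] / n > max_rate}

def _txn(tid, mode, svc, capable=True):
    """Build one constructed authorization record (hypothetical field names)."""
    return {"terminal_id": tid, "entry_mode": mode,
            "service_code": svc, "terminal_chip_capable": capable}

# Constructed sample: LANE-1 behaves normally, LANE-2 keeps falling back to swipe.
SAMPLE = (
    [_txn("LANE-1", CHIP_READ, "201")] * 9
    + [_txn("LANE-1", FALLBACK_SWIPE, "201")]
    + [_txn("LANE-2", CHIP_READ, "201")] * 2
    + [_txn("LANE-2", SWIPE, "201")] * 4
    + [_txn("LANE-2", SWIPE, "101")] * 2
)

if __name__ == "__main__":
    print(terminals_to_inspect(SAMPLE))
```

A terminal that shows up here is a candidate for physical inspection of its chip reader and for a policy decision on whether fallback swipes should be accepted at all.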

Heads up

Hackers aren’t going to stop because of EMV.

The EMV liability shift date is October 1, 2015. Even though EMV adoption is voluntary, after October 1, liability for the costs associated with card compromise will fall completely on the company not using EMV.

Hackers know that, so they are coming at merchants now. They are refining their attack methods today. They are looking at ways they can steal your data before you transition to EMV, and after.

You might consider encrypting all your cardholder data through point-to-point encryption (P2PE). I highly recommend it as something everyone should consider. Learn more about how P2PE works or P2PE trends in 2015.

Here’s another heads-up. If you have an ecommerce site, prepare for a major spike in ecommerce attacks. Currently, breaches in the U.S. are approximately 80% point-of-sale and 20% ecommerce, while Europe reflects the inverse: 80% of the successful attacks target ecommerce, and 20% target card-present merchant environments.

Since hackers historically flock to the easiest place to get data, we can assume that hackers will follow that same trend in the U.S.

Conclusion

We don’t often see an industry-wide initiative for security. Unfortunately, EMV doesn’t change much.

The good thing is, EMV is marginally safer than the current card swipe system. And frankly, even a marginal move toward security is better than nothing. If this is a first step, there are thousands of other steps we have to take before we’re secure.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.
