Credit card vendors yet to fix skimming vulnerability

Security researchers are urging credit card providers to fix a so-called skimming hole in their electronic payment protocol through which criminals can harvest PIN codes that can be used, along with stolen cards, to empty bank accounts.

The security flaw can be mended by the credit card companies, but they don’t think that it is necessary.

The skimming hole was found in the Europay, Mastercard and Visa (EMV) standard, a global standard for interoperation of bank cards that incorporate built-in chips. Criminals can use the security flaw to steal PIN codes, which in combination with stolen credit cards that work with the codes, can be used to rob the owners’ bank accounts.

During the CanSecWest security conference in March this year, a team of security researchers from Inverse Path and Aperture Labs revealed the skimming hole in the EMV protocol. They built a prototype skimmer device, also known as a “shim,” that can be inserted in a point-of-sale (POS) terminal. The hole was revealed over a month ago and is still exploitable.

“We … think this is a sign of weakness of the EMV protocol,” said Andrea Barisani, chief security engineer at Inverse Path in an e-mail interview. “And its over-complexity and design flaws are one of the key features that our research is trying to point out.” This method of skimming PIN codes is very hard “if not impossible” to detect, Barisani stresses.

EMV consists of two parts: an EMV chip that is embedded in credit cards, and the EMV standard, which handles the authentication of credit card transactions. The system was made to ensure security, global interoperability and continuing acceptance of credit cards. The EMV standard is managed by Visa, Mastercard, American Express and JCB International through the public corporation EMVCo.

In their paper “Chip & PIN definitely broken,” the Inverse and Aperture researchers reveal a hole in the system’s verification process. It is possible to tamper with the Cardholder Verification Method (CVM) list that is contained in a file on the credit card. POS terminals will accept altered CVMs and this makes it possible for skimmers to harvest PIN codes of cards used in the skimmed terminal.
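As an added illustration (not code from the article or the researchers' paper), the following sketch decodes a CVM List as laid out in the public EMV specification (tag 8E) and compares the list a terminal logged with the list the issuer personalised. The article does not say which method the altered list selects; the check assumes the concern is a list that introduces a plaintext offline PIN rule, and the function names and sample bytes are constructed for the example.

```python
# Added example: decode an EMV CVM List (value of tag 8E) and flag a presented
# list that differs from the issuer's and introduces a plaintext-PIN rule.
CVM_METHODS = {
    0x00: "Fail CVM processing",
    0x01: "Plaintext PIN verified by ICC",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext PIN verified by ICC + signature",
    0x04: "Enciphered PIN verified by ICC",
    0x05: "Enciphered PIN verified by ICC + signature",
    0x1E: "Signature (paper)",
    0x1F: "No CVM required",
}
PLAINTEXT_PIN = {0x01, 0x03}  # assumption: the methods this check treats as a downgrade

def parse_cvm_list(value: bytes):
    """Return (amount_x, amount_y, rules) from the value field of tag 8E."""
    # Two 4-byte amounts, then at least one 2-byte rule.
    if len(value) < 10 or (len(value) - 8) % 2:
        raise ValueError("malformed CVM List")
    amount_x = int.from_bytes(value[:4], "big")
    amount_y = int.from_bytes(value[4:8], "big")
    rules = []
    for i in range(8, len(value), 2):
        method = value[i] & 0x3F  # low six bits select the method
        rules.append({
            "method": method,
            "name": CVM_METHODS.get(method, "unknown/RFU"),
            "continue_on_fail": bool(value[i] & 0x40),  # try next rule on failure
            "condition": value[i + 1],
        })
    return amount_x, amount_y, rules

def check_presented_list(personalised: bytes, presented: bytes):
    """Compare the issuer's list with the one the terminal actually received."""
    base = {r["method"] for r in parse_cvm_list(personalised)[2]}
    seen = parse_cvm_list(presented)[2]
    introduced = [r["name"] for r in seen
                  if r["method"] in PLAINTEXT_PIN and r["method"] not in base]
    return {"modified": personalised != presented,
            "introduced_plaintext_pin": introduced}

# Constructed sample data: issuer list prefers enciphered PIN; the logged list does not.
ISSUER_LIST = bytes.fromhex("0000000000000000" "4403" "4203" "1E03" "1F03")
PRESENTED_LIST = bytes.fromhex("0000000000000000" "4103" "1E03" "1F03")

if __name__ == "__main__":
    print(check_presented_list(ISSUER_LIST, PRESENTED_LIST))
```

A check like this only works where the acquirer or issuer can see the CVM List the terminal processed, which is an assumption about logging that the article does not address.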

Barisani’s research is verified by Ross Anderson, professor of computer engineering at the University of Cambridge. In 2008 he published a paper about a similar flaw in the EMV protocol. Inverse Path and Aperture Labs used this paper as a basis for their research.

“The CVM downgrade attack is novel, and a useful discovery. It means that PIN encryption just isn’t done properly in EMV, and the protocol should be changed to fix it,” he said in an e-mail interview. “It wouldn’t surprise me if the bad guys had also built such devices — but as the banks now just dump the cost of fraud on cardholders, they’re not looking very hard for trojanned terminals and it might be a while before we found out what was going on.”

The credit card providers deny the hole is important and argue that it is only a small part of EMV security. “In response to the report in March 2011 ‘Chip and PIN is Definitely Broken’, it is EMVCo’s view that when the full payment process is taken into account, suitable countermeasures are available,” said the credit card providers in an e-mailed statement.

EMVCo argues that it is well known that PINs can be stolen by the use of a variety of techniques like PIN pad overlays, hidden cameras, shoulder surfing, bogus terminals and social engineering. Using a rogue shim is seen as “just another technique” that can be used for skimming.

“The mitigation against this threat is that no transaction can be performed without also stealing the card where card cryptography operations are required for a successful transaction. This allows normal lost and stolen payment system protections to apply. Conversely the mitigation against a genuine card being abused if lost or stolen is that the thief will not have access to the PIN, hence the PIN has a role to play despite the ‘eavesdropping threat’ and remains an important tool for protecting against lost and stolen fraud,” EMVCo stressed.

Barisani confirms a card would have to be stolen to be used by skimmers. However, the discovered security flaw can be easily fixed. “This is a bug/error that can be reasonably fixed with firmware updates (…) on the terminal side or by changing the EMV specification. The mentioned EMV Specifications ‘security features’ are insufficient or not correctly implemented and the room for downgrade attacks (like ours) is large,” Barisani warned.

Anderson concurs. “There is a serious governance flaw in EMV, as in many other payment networks,” he said.

Other organizations should also take responsibility in the matter, but a lack of coordination will hinder progress, Anderson noted. “EMVCo may have developed the standard but now that it exists it’s in effect controlled by the vendors. Neither 100 vendors, nor 10,000 banks, are sufficiently coordinated to be capable of fixing anything,” he said.

There is another problem, Anderson said. “Banks act slowly — it takes years to reprogram systems and more years to replace the card base.”

It is ultimately down to the bank regulators to set the rules, Anderson said. “For example, I have talked at a number of events organised by the US Federal Reserve urging them to not let EMV into the USA until the known bugs are fixed. As for Europe, it would be nice if the European Central Bank were to flex its muscles, but they do not seem to have any staff who understand technical stuff.”

The European Central Bank declined to comment on the matter and pointed to the European Payments Council (EPC) for more information. The EPC also declined to comment.