Is CHIP + PIN the Solution for Fraud in Card Payments?

18 10 2006

Hi all,

This first post is about something I have been researching since last May: credit card transactions.

As many of you probably know, there are a lot of vulnerabilities in the widely used magnetic stripe card system deployed in most of the credit cards in the world. It is very easy to clone a card just by reading the information on the magnetic stripe, or even by having access to the card number, holder name, expiration date and CVV number. Targeted systems include e-commerce stores, which use customer credit card details to process orders made online.

Security developments on cards

There have been a lot of interesting developments in the smartcard industry in the last few years. These developments could allow a great reduction in the amount of fraud that happens when credit card details are captured and cloned cards are used to make unauthorised purchases of goods and services. The chart below, extracted from Royal Holloway, University of London Professor Chris Mitchell's lecture notes, shows some of these developments in context and the escalation of fraud in relation to such developments.

(Chart: loss of profits that led to Chip and PIN development in the 1990s.)

We can clearly see a tendency of growth, making it clear that criminals rapidly absorb these countermeasures and develop ways to circumvent the protections that are implemented.

One of the latest technologies to have been deployed, especially through the Eurocard-Mastercard-Visa (EMV) system, is the pair CAM, or Card Authentication Method, and CVM, or Cardholder Verification Method. In their latest form, these consist of a set of industry standards for the use of smartcard technology to authenticate credit and debit cards, while making sure that the cardholder is really the person authorised to use the card.

If you have ever used a magnetic stripe credit card, you have probably signed a paper slip after conducting a transaction. The purpose of that signature is to guarantee to the merchant that you are who you say you are. In fact, that is the second factor of a two-factor authentication: something you have (the card) and something you are (the signature, which we could regard as a form of biometrics). What many people don't know is that if you dispute a transaction, the bank will ask the merchant for the signed slip. If the merchant fails to provide that slip with an authentic signature, you can successfully repudiate the transaction and the liability (loss) is the merchant's.

Of course, there are a great number of ways to fool this system. From merchants who don't check the signature, MOTO (Mail Order/Telephone Order) and online purchases where you don't sign any slip, to bad guys stealing cards that arrive in your mailbox, this system has proven not to be very secure, justifying a number of initiatives to protect the banks' reputation and minimise losses.

The business case for introducing the CAM and CVM being rolled out in Europe these days was considered in the 1990s. By comparing the losses to fraud against the investment necessary to implement the technology and processes needed to support such a scheme, banks decided to go for smartcard, or Chip and PIN, technology.

Basically, this works as a substitute for the signature slip. Instead of signing a paper slip, which is expensive to check in case of transaction repudiation, not applicable to all forms of transaction (MOTO transactions, for example) and easily defrauded by stealing unsigned cards, you type a PIN (Personal Identification Number, a pass number that is usually 4 digits long) into the POS (Point of Sale, the machine where you swipe your card when making a payment). That way we substitute the signature (a form of biometrics) with the PIN (something you know) and obtain a secure two-factor authentication: something you have (the card) and something you know (the PIN).

Two mechanisms are used to ensure that the authorisation of a transaction is not vulnerable to fraud: the CAM and the CVM.

CAM, or Card Authentication Method, is the way the POS checks that the card is valid and not cloned. With smartcards there are two main ways of doing this: SDA (Static Data Authentication) and DDA (Dynamic Data Authentication). The difference is that, in the first one, the card has a digital signature from the bank stored in its memory. When requested, the card presents that signature to the POS, which checks it against the Bank CA certificate stored on the POS itself. This makes SDA vulnerable to replay attacks, where a malicious POS would capture the signature and the card could be cloned by writing that signature into another smartcard.

With DDA there is a challenge-response mechanism, which prevents the POS (or a malicious card reader) from having access to the instrument used for authentication. Thus, it is impossible for an attacker to perform the attack described above; the attacker would have to break into the smartcard, which is theoretically a tamper-resistant device.
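To make the SDA/DDA difference concrete, here is an added toy model (it is not code from the post, from EMVCo or from any card scheme). It uses textbook RSA with tiny fixed primes as a stand-in for the issuer and card keys, which is deliberately insecure and exists only to show the mechanism: under SDA everything the terminal checks can be read off the card, so a copy of the static data and its signature verifies just like the original; under DDA the terminal sends a fresh challenge that only the chip holding the private key can sign, so a copy of the readable data (or a substituted key pair that the issuer never certified) is rejected. The names `ssad`, `icc_pub`, `personalise_*` and `terminal_*` are assumptions of this example.

```python
"""Toy model of EMV card authentication: SDA versus DDA.

Constructed example (not the post's or EMVCo's code). Textbook RSA with tiny
fixed primes stands in for the real issuer and card keys; it is deliberately
insecure and only illustrates why a static signature can be copied to another
card while a challenge-response signature cannot.
"""
import hashlib
import secrets

E = 65537  # public exponent shared by all toy keys


def keypair(p, q):
    """Return ((n, e), (n, d)) for two small primes. Toy parameters only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def _digest(msg, n):
    # Hash the message and reduce it into the RSA modulus (no padding: toy only).
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg, priv):
    n, d = priv
    return pow(_digest(msg, n), d, n)


def verify(msg, sig, pub):
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)


def encode_pub(pub):
    return f"{pub[0]}:{pub[1]}".encode()


# Scheme setup: the terminal trusts the issuer's public key (assumption: one CA level).
ISSUER_PUB, ISSUER_PRIV = keypair(1000003, 1000033)
STATIC_DATA = b"PAN=4111111111111111;EXP=1208;NAME=TEST CARDHOLDER"  # constructed


def personalise_sda():
    """SDA card: static data plus the issuer's signature over it (SSAD)."""
    return {"static": STATIC_DATA, "ssad": sign(STATIC_DATA, ISSUER_PRIV)}


def personalise_dda():
    """DDA card: its own key pair, the public half certified by the issuer.
    Keys starting with '_' never leave the chip."""
    icc_pub, icc_priv = keypair(999983, 1000037)
    return {"static": STATIC_DATA, "icc_pub": icc_pub,
            "icc_cert": sign(encode_pub(icc_pub), ISSUER_PRIV), "_icc_priv": icc_priv}


def readable_copy(card):
    """Everything a reader can extract from the card: the basis for a clone."""
    return {k: v for k, v in card.items() if not k.startswith("_")}


def terminal_sda(card):
    """Terminal side of SDA: check the issuer's signature over the static data."""
    return verify(card["static"], card["ssad"], ISSUER_PUB)


def card_sign(card, challenge):
    # Only a chip that holds the private key can answer; a clone returns nothing.
    priv = card.get("_icc_priv")
    return sign(challenge, priv) if priv else None


def terminal_dda(card):
    """Terminal side of DDA: verify the card's certificate, then a fresh challenge."""
    if not verify(encode_pub(card["icc_pub"]), card["icc_cert"], ISSUER_PUB):
        return False  # key pair not certified by the issuer
    challenge = secrets.token_bytes(4)  # unpredictable number, new per transaction
    sig = card_sign(card, challenge)
    return sig is not None and verify(challenge, sig, card["icc_pub"])


def forged_dda_clone(card):
    """Clone that substitutes its own key pair but cannot get it certified."""
    fake_pub, fake_priv = keypair(1000039, 1000081)
    clone = readable_copy(card)
    clone.update(icc_pub=fake_pub, icc_cert=sign(encode_pub(fake_pub), fake_priv),
                 _icc_priv=fake_priv)
    return clone


if __name__ == "__main__":
    sda, dda = personalise_sda(), personalise_dda()
    print("SDA genuine:", terminal_sda(sda), " SDA clone:", terminal_sda(readable_copy(sda)))
    print("DDA genuine:", terminal_dda(dda), " DDA clone:", terminal_dda(readable_copy(dda)),
          " DDA forged:", terminal_dda(forged_dda_clone(dda)))
```

Running it prints `True True` for the SDA pair (the copy passes, which is the replay problem) and `True False False` for DDA (genuine card passes, copied data and a self-signed substitute key both fail). The design point is the second line of `terminal_dda`: the certificate check ties the signing key to the issuer, and the random challenge ties each response to this transaction.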

Of course, SDA cards are cheaper and easier to implement, but these vulnerabilities can introduce problems. To give you an idea of the importance of such a difference, Shell petrol stations halted the use of Chip and PIN cards (SDA cards) after a £1 million fraud in the UK in May 2006. That event shook confidence in the technology, but it should be seen as proof that the use of a smartcard doesn't mean instant security. The correct technology should be selected on the basis of a cost-benefit analysis instead of saving some money on the last mile of a project.

There has been a lot of interesting work on SDA vulnerabilities and problems. I would suggest interested readers take a look at the Point-of-Sale Terminal Interceptor developed by Mike Bond from the Computer Laboratory of the University of Cambridge. Royal Holloway, University of London also has a great laboratory which conducts interesting research in the field.

It should also be noted that other modes of CAM exist, like CDA, or Combined Data Authentication, but that is only a variation of DDA that prevents some minor attacks on its architecture.

The other side of it is the CVM, or Cardholder Verification Method. This consists of the smartcard verifying that the PIN typed into the POS by the payer is the correct one. This is an offline transaction, so the POS doesn't have access to the bank's network while performing the CVM.

While the PIN is stored securely in a theoretically tamper-resistant smartcard, attacks usually involve the use of a malicious POS. When the cardholder types his or her PIN into the POS, it captures it, and knows that it is a valid one when the smartcard confirms the verification of the cardholder. Solutions for this involve the use of a secure POS, but they are complicated, as POS devices stay on the merchant's premises and are prone to wedge attacks and physical tampering, for example.
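The two paragraphs above describe where the offline PIN check happens and why the POS is the weak point. The added model below (not code from the post or from any card scheme; the class names, the three-try limit and the sample PIN are assumptions of this example) puts the reference PIN and the try counter inside the chip, which answers only yes or no and blocks itself after three wrong attempts. The terminal cannot consult the bank for this step, and the entered PIN passes through it in clear, so the example records that fact to make the trust boundary visible.

```python
"""Toy model of EMV offline PIN verification (the CVM) with a PIN try counter.

Constructed example (not the post's or EMVCo's code). Class and field names
are assumptions; the point is where the PIN is checked and what the POS sees.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field

PIN_TRY_LIMIT = 3  # assumption: three attempts, then the PIN is blocked


@dataclass
class ChipCard:
    _reference_pin: str            # held inside the chip; never exported
    tries_left: int = PIN_TRY_LIMIT

    def verify_pin(self, candidate: str) -> tuple[bool, int]:
        """Offline VERIFY: returns (accepted, tries remaining). The chip answers
        yes/no only and never reveals the reference PIN."""
        if self.tries_left == 0:
            return False, 0                      # PIN blocked: issuer reset needed
        # Constant-time comparison so the answer time does not depend on the PIN.
        if hmac.compare_digest(candidate.encode(), self._reference_pin.encode()):
            self.tries_left = PIN_TRY_LIMIT      # success resets the counter
            return True, self.tries_left
        self.tries_left -= 1
        return False, self.tries_left


@dataclass
class PointOfSale:
    """Terminal. It cannot reach the bank for the CVM, and the entered PIN
    crosses it in clear, so its physical integrity is the trust boundary."""
    pins_seen: list = field(default_factory=list)

    def run_cvm(self, card: ChipCard, entered: str) -> bool:
        self.pins_seen.append(entered)   # visible in clear at the POS
        accepted, left = card.verify_pin(entered)
        if not accepted and left == 0:
            print("PIN blocked")
        return accepted


def demo() -> tuple[bool, bool, int]:
    """Three wrong attempts block the card; the right PIN then no longer works."""
    card = ChipCard("1234")   # constructed PIN
    pos = PointOfSale()
    wrong = [pos.run_cvm(card, p) for p in ("0000", "1111", "2222")]
    after_block = pos.run_cvm(card, "1234")
    return any(wrong), after_block, card.tries_left


if __name__ == "__main__":
    print(demo())  # (False, False, 0)
```

Two things the toy makes visible: the card state (counter and reference PIN) never leaves the chip, so a clone built from readable data has nothing to verify against; and `pins_seen` is exactly the list a tampered terminal would hold, which is why a secure POS matters even though the verification itself is done by the card.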

While these technologies represent a great advance for payment systems, we are far from a proper use of the technology. Cases like the one with Shell prove that processes are not in place to guarantee the proper architecture and authorisation of payments, and both academia and industry should collaborate on more open, secure and strong standards to reduce fraud and lower the cost of banking in our society.

There is much more to be explored on this topic, from online payment authentication and authorisation schemes, like 3-D Secure, to mobile commerce, which I shall discuss in further articles. In the meantime I would love to hear your questions, feedback and opinions about this post. Please leave a comment or send me an e-mail at daniel acciolyrosa com.

References

Web:

Wikipedia Smartcards page: http://en.wikipedia.org/wiki/Smartcards
Wikipedia EMV page: http://en.wikipedia.org/wiki/EMV
Application and Business Security Developments – Royal Holloway, University of London, Chris Mitchell's lecture notes: http://www.isg.rhul.ac.uk/~cjm/IY5601/index.htm
Royal Holloway, University of London Smartcard Centre: http://www.scc.rhul.ac.uk/
Computer Laboratory of the University of Cambridge – Point-of-Sale Terminal Interceptor: http://www.cl.cam.ac.uk/~mkb23/interceptor/
EMVCO: http://www.emvco.com/

Books:

D. O’Mahony, M. Peirce and H. Tewari, Electronic Payment Systems for E-Commerce. Artech House (2001), 2nd edition.

33 responses

21 10 2006
Rodrigo Colares

Congratulations, Daniel, that’s a fantastic initiative. Freedom of information, that’s the nature of the internet, and I’m sure we all have much to learn about InfoSec with you. I’m really thinking about following your steps and starting up my own blog on IT Law, but I’m afraid I won’t have time (or patience, or, err.. both) to develop it as I would like to. Anyway, that’s an idea.

4 09 2007
Neon

Once a security feature was given away online you can not consider this feature as secure anymore.

17 09 2010
luiz

Brother, congratulations on the article!
I am an offshore platform diver. I liked the article; where can I learn more about the subject? Which science do I have to study to be able to work in this area? Automation, electronics? Help me, I have been looking for something about this for years and you presented quite some knowledge.
Congratulations on the blog, I will be your follower here from Brazil

9 02 2013
http://yahoo.com

I actually think this post , “Is CHIP + PIN the
Solution for Fraud in Card Payments? Daniel’s Blog”, especially compelling and the post was indeed a wonderful read. I appreciate it,Marlene

2 03 2013
Georgia

I found this particular blog post , “Is CHIP + PIN the Solution
for Fraud in Card Payments? | Daniel’s Blog” http://adrianart.com , incredibly enjoyable and it ended up being a wonderful read. Many thanks,Maricruz

10 04 2013
http://Primeonlinesolutions.com

“Is CHIP + PIN the Solution for Fraud in Card Payments?

| Daniel’s Blog” genuinely enables myself ponder a small bit more. I really adored every particular part of this post. Thanks a lot -Ludie

14 08 2013
Charla

I had been exploring for techniques for my own
blog site and found your article, “Is CHIP + PIN the Solution for Fraud in
Card Payments? | Daniel’s Blog”, would you care in the event that I personally implement a number of ur tips? Thanks a lot -Lora

16 08 2013
Fawn

I truly tend to go along with almost everything that has
been put into writing inside “Is CHIP + PIN
the Solution for Fraud in Card Payments? | Daniel’s Blog”. Thanks a lot for all the actual tips.Many thanks,Cecil

31 12 2013
Jeffrey

“Is CHIP + PIN the Solution for Fraud in Card Payments?
| Daniel’s Blog” was indeed extremely compelling and educational!
In the present day society that is quite hard to execute.
Thanks, Trudi

1 01 2014
Debora

Thanks a lot for using some time to create “Is CHIP + PIN the Solution
for Fraud in Card Payments? | Daniel’s Blog”.

Thank you once more ,Evie

2 01 2014
Carolyn

Many thanks for composing “Is CHIP + PIN the Solution for Fraud in Card
Payments? | Daniel’s Blog”. Iwill absolutely end up being returning for even more reading through and writing
comments in the near future. Thanks, Mary

2 01 2014
Christena

I would like to take note of this blog post, “Is CHIP + PIN the Solution for Fraud in Card Payments?
| Daniel’s Blog” on my page. Do you care in the event that I actuallydo?

Many thanks ,Vania

2 01 2014
Kandice

Your personal post, “Is CHIP + PIN the Solution for Fraud in Card Payments?
| Daniel’s Blog” ended up being worth commenting on!
Only wished to announce you did a wonderful job.

Many thanks ,Jestine

6 03 2014
music online editing

Thanks for your marvelous posting! I truly enjoyed reading it, you might be a great author.
I will make certain to bookmark your blog and may come back down the road.
I want to encourage you to ultimately continue your great work, have
a nice afternoon!

10 05 2014
business grant

Heya i’m for the first time here. I found this board and I find It really useful
& it helped me out a lot. I hope to give something back and aid others like you helped me.

12 07 2017
Raina

Skype has opened up its internet-structured client beta to the entire world, right
after establishing it broadly within the Usa and U.K. previous this calendar month.
Skype for Online also now facilitates Chromebook and Linux for immediate online messaging communication (no voice and video yet, individuals call for a plug-in installment).

The expansion in the beta brings assist for an extended set of languages to help reinforce that global user friendliness
