Daniel's blog

Hi all,

This first post is about something I have been researching since last may: credit card transactions.

As many of you probably know, there are a lot of vulnerabilities in the widely used stripe card system that is deployed in most of the credit cards in the world. It is very easy to clone a card, just by reading the information on the magnetic stripe or even by having access to the card number, holder name, expiration date and CVV number. Targeted systems include e-commerce stores, which use customer credit card details to process orders that are made online.

There’s been a lot of interesting developments on the smartcard industry on the last years. These developments could allow a great reduction on the number of fraud that happens when credit card details are captured and cloned cards are used to make unauthorised purchases of goods and services. The chart below, extracted from Royal Holloway, University of London Professor Chris Mitchel’s lecture notes, show some of these developments in context and the escalation of fraud in relation to such developments

We can clearly see a tendency of growth, making it clear that criminals rapidly absorb these countermeasures and develop ways to circumvent the protections that are implemented. 

One of the latest technologies that have been deployed, especially through the Eurocard-Matercard-Visa system (EMV) is both CAM, or Card Authentication Method and CVM, or Cardholder Verification Method. In its latest form, these consist of a set of industry standards for the use of Smartcard technology to authenticate credit and debit cards successfully, while making sure that the card holder is really the person authorised to use the card.

If you have ever used a magnetic stripe credit card, you have probably signed a paper slip after conducting a transaction. The purpose of that signature is to guarantee the merchant that you are who you say you are. In fact, that is the second of a two way authentication: something you have (card) and something you are (signature – we could regard this as a form o biometrics). What many people don’t know is that if you dispute a transaction, the bank will ask the Merchant for the signed slip. If the merchant fails to provide that slip with an authentic signature you can successfully repudiate the transaction and the liability (loss) is the Merchant’s.

Of course there is a great number of ways to fool this system. From merchants who don’t check the signature, MOTO (Mail Order-Telephone Order) and on-line purchases where you don’t sign any slip, to bad guys stealing cards that arrive at your mail box, this system has proven not to be very secure, justifying a number of initiatives to protect the bank’s reputation and minimizing loss.

The business case for introducing the CAM and CVM that are being rolled out in Europe these days was considered in the 1990’s. By comparing the losses in fraud versus the investment necessary to implement the technology and processes necessary to support such scheme, banks decided to go for the Smartcard or Chip and PIN technology.

Basically, this works as a substitute for the signature slip. Instead of signing a paper slip, which is expensive to check in case of transaction repudiation, not applicable for all forms of transactions (as MOTO transactions for example) and are easily fraud by stealing unsigned cards, you would type a PIN (Personal Identification Number, or a pass number that is usually a 4 digit number) in the POS (Point of Sale, or machine where you swipe your card when making a payment). That way we substitute the signature (a form of biometrics) for the PIN (something you know) and make a secure two factor authentication (something you have – card – something you know – PIN)

Two mechanisms are used to ensure that the authorization for a transaction is not vulnerable to fraud. The CAM and the CVM.

CAM, or Card Authentication Method, is the way that the POS checks if the card is cloned and valid. If we are using Smartcards, there are two main ways of doing this: The SDA (Static Data Authentication) or DDA (Dynamic Data Authentication). The difference is that, in the first one, the card has a digital signature from the bank stored on its memory. When requested, the card presents that signature to the POS and it compares with another signature generated by the Bank CA stored on the POS itself. This makes SDA to be vulnerable to replay attacks, where a malicious POS would capture the signature and the card could be cloned by writing that signature in another smartcard.

On the DDA, there is a challenge-response mechanism, which prevents the POS (or malicious card reader) to have access to the instrument used for authentication. Thus, it is impossible for an attacker to perform the same attack as described above. The attacker would have to break into the smartcard that is theoretically a tamper resistant mechanism.

Of course that SDA cards are cheaper and easier to implement, but this vulnerabilities can introduce problems. For you to have an idea on the importance of such difference, Shell Petrol Stations have halted the use of Chip and Pin cards (SDA cards) . after £1 million fraud in the UK on may 2006. That event shook the confidence in the technology, but it should be seen as proof that the use a Smartcard doesn’t mean instant security. The correct technology should be selected on a base of cost-benefit analysis instead of saving some money on the last mile of a project.
There’s been a lot interesting work on SDA vulnerabilities and problems. I would suggest interested readers to take a look at the Point-of-Sale Terminal Interceptor that was developed by Mike Bond from the Computer Laboratory of the University of Cambridge. . Royal Holloway, University of London also has a great laboratory which conducts interesting research in the field.

It should also be noted that other modes of CAM also exist, like CDA, or Combined Data Authentication, but that is only a variation on DDA that prevents some minor attacks on its architecture.

The other side of it is the CVM, or Cardholder Verification Method. This consists of the smartcard verifying that the PIN typed on the POS by the payer is the correct PIN. This is an offline transaction, so the POS don’t have access to the bank’s network to perform the CVM.

While the PIN is stored securely in a theoretically tamper resistant smartcard, attacks usually involve the use of malicious POS. When the cardholder types his/hers PIN on the POS, it captures it and can know that it is a valid one when the smartcards confirm the verification of the cardholder. Solutions for this involve the use of a secure POS, but are complicated as the POS stay on the merchant’s facilities and are prone to wedge attacks and physical tampering for example.

While these technologies represent a great advance for payment systems, we are far away of proper use of technology. Cases like the one with Shell prove that processes are not in place to guarantee the proper architecture and authorization of payments and both academia and industry should collaborate for more open, secure and strong standards to avoid fraud and low costs of banking in our society.

There is much more to be explored on this topic. From Online Payment Authentication and Authorization schemes, like 3-D Secure, to Mobile Commerce, which I shall discuss on further articles. In the mean time I would love to hear your questions, feedback and opinions about this post. Please leave a comment or send me an e-mail at daniel acciolyrosa com.

References

Web:

Wikipedia Smartcards page: http://en.wikipedia.org/wiki/Smartcards
Wikipedia EMV page: http://en.wikipedia.org/wiki/EMV
Application and Business Security Developments – Royal Holloway, University of London Chris Mitchel’s lecture notes: http://www.isg.rhul.ac.uk/~cjm/IY5601/index.htm
Royal Holloway, University of London Smartcard Centre: http://www.scc.rhul.ac.uk/
Computer Laboratory of the University of Cambridge – Point-of-Sale Terminal Interceptor: http://www.cl.cam.ac.uk/~mkb23/interceptor/
EMVCO: http://www.emvco.com/

Books:

D. O’Mahony, M. Peirce and H. Tewari, Electronic Payment Systems for ECommerce. Artech House (2001), 2nd edition.