Foreword by Laura Baker, CyberWyoming
I thought this was a great explanation of how the chips actually work and wanted to share it with you! Thanks to Chris Bonatti, President of IECA of Casper, for letting us reprint his article.
by Chris Bonatti, President, IECA, Casper, WY
Credit and debit cards that incorporate an on-card chip, widely known as EMV cards, were supposed to be secure against skimmers and skimming malware. Nonetheless, recent attacks on US merchants have demonstrated that, depending on how the issuing financial institution has implemented the technology, there may be an opportunity to clone some EMV cards. The EMV card standard raises the bar for security by relying on an Integrated Circuit Card Verification Value (iCVV), also known as a “dynamic CVV”. Unlike the old CVV or Card Security Code (CSC) on traditional magnetic stripe cards, the iCVV is not supposed to be disclosed by the card. Rather, it is meant to be used in a secure protocol to validate a transaction’s authenticity. If a card is inserted into a chip reader, only the iCVV is used.

However, for backward compatibility, most EMV cards today continue to have a traditional CVV encoded in the magnetic stripe (and printed on the back), and unfortunately some cards will allow equivalent data to be harvested from the EMV interface. Financial institutions are supposed to refuse a transaction that comes from a chip reader if it presents the traditional swipe data, or vice versa. However, it’s now clear that many institutions have overlooked this important check. The result is a form of downgrade attack, in which an attacker forces a system to use a weaker security protocol that can be more readily compromised.
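The issuer-side check described above, as an added example that is not part of the original article: a lax issuer accepts any valid verification value, while a strict one accepts only the value that belongs to the interface the terminal reported. The HMAC derivation, key, entry-mode labels and card number are constructed stand-ins, not the real CVV/iCVV algorithm.

```python
import hashlib
import hmac

ISSUER_KEY = b"constructed-demo-key"  # constructed; a real issuer key lives in an HSM
EXPECTED = {"magstripe": "CVV", "chip": "iCVV"}  # hypothetical entry-mode labels


def verification_value(pan: str, expiry: str, variant: str) -> str:
    """Stand-in derivation: three digits that depend on the variant (CVV or iCVV)."""
    mac = hmac.new(ISSUER_KEY, f"{pan}|{expiry}|{variant}".encode(), hashlib.sha256)
    return f"{int.from_bytes(mac.digest()[:4], 'big') % 1000:03d}"


def lax_issuer(txn: dict) -> bool:
    """The overlooked check: any valid value passes, whatever the interface."""
    return any(
        hmac.compare_digest(verification_value(txn["pan"], txn["expiry"], v), txn["value"])
        for v in EXPECTED.values()
    )


def strict_issuer(txn: dict) -> tuple[bool, str]:
    """Accept only the value that matches the reported entry mode."""
    variant = EXPECTED.get(txn["entry_mode"])
    if variant is None:
        return False, "unknown entry mode"
    want = verification_value(txn["pan"], txn["expiry"], variant)
    if hmac.compare_digest(want, txn["value"]):
        return True, "ok"
    if lax_issuer(txn):  # valid, but for the other interface: decline and flag
        return False, f"value is valid only for the other interface, not {variant}"
    return False, "invalid verification value"


if __name__ == "__main__":
    pan, expiry = "4000000000000002", "2912"  # constructed sample card
    cases = [("chip", "iCVV"), ("magstripe", "CVV"), ("magstripe", "iCVV"), ("chip", "CVV")]
    for mode, variant in cases:
        txn = {"pan": pan, "expiry": expiry, "entry_mode": mode,
               "value": verification_value(pan, expiry, variant)}
        print(mode, variant, "lax:", lax_issuer(txn), "strict:", strict_issuer(txn))
```

A decline with the "other interface" reason is worth logging separately from an ordinary bad value, since it indicates card data crossing from one interface to the other.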
Researchers at Cyber R&D Labs tested 11 chip card implementations from 10 different US and European banks and found that 4 of those tested were exploitable in this manner. Their findings are detailed in a research white paper (see ‘www.cyberdlab.com/insights’). This has become a problem because of the increasing use of EMV card “shimmers”, card skimming devices that are specifically made to intercept data from chip card transactions. Wireless EMV cards compound the problem by making it possible to capture EMV transactions from near the point of sale. The Cyber R&D paper did not identify the issuers that failed their tests, but Visa has issued a security alert concerning EMV card verification that appeared to take notice of the research.
Whole new avenues of attack against EMV cards have opened up through payments enabled over the web and smartphones. Malicious payment apps or embedded software skimmers have found ways to exploit logic flaws in the payment model implementation.