The CVV on the chip should be CVV3 which is rather different from CVV1.

Perhaps it should be, but that is not what the banks in the UK have done. All the cards we have looked at use the same CVV on the magstripe as they do in the “Track 2 equivalent data” field on the chip.

The card which the ITV team sucessfully used to withdraw money had a magstripe generated from the original card’s chip data.

Which banks have you found whose cards have a different CVV on the chip?

This is not the case. The CVV on the chip should be CVV3 which is rather different from CVV1.

In fact, this is the protection that should be in place in order to prevent one from getting to know the magstripe data (including CVV) just by listening to the communication between the terminal and the chip.

Agreed but they are also, crucially, not very reliable unless you pay heavily for it; which retailers are always reluctant to do (especially given the fact that the cost is multiplied by the number of stores they operate)

Add to that the stores which will inevitably be too far away from the exchange for even cheap xDSL connectivity (petrol stations, ironically enough, are the classic example here) and, as Mike says, it becomes very difficult to assume “online” as the default scenario.

>Not exactly “adversary”.

Don’t get me wrong, I’m not saying the default relationship between customer and bank is adversarial. But if you happen to be in dispute, an assumption I explicitly made in the post, I would say that this is by its very nature an adversarial relationship.

>I consider SDA and DDA marginal. Comminications are
>nowadays avaliable, cheap and fast. Go online.

Yes I agree that in today’s connected world offline should become less and less common. But I think security for offline operation will remain important even if it becomes a rare occurrence, because despite the good connectivity of today, guarantees of availability are hard to come by.

Suppose the authorisation requests from a big department store are routed via the internet to the acquirer (through all sorts of encrypted tunnels and VPNs). Now imagine a DDoS attack gets aimed at their gateway, and they lose their connectivity. That afternoon, a troop of crims with SDA ‘Yes cards’ go in and start ripping the place off. The store would lose even more business if it shut, so it daren’t do that.

Now in that situation there is a clear advantage to DDA. Not saying this is an imminent mode of attack, but just that there is a different between having connectivity to improve security and assuming connectivity to improve security.

Mike.

>The Application Cryptogram shows that the genuine card was
>not used. The customer is off the hook.

Sadly the application cryptogram can only be verified by the bank — it’s symmetric cryptography based and they obviously can’t lend out the key. So this provides no assurance for the customer if it is the bank they are in dispute with — only their adversary can let them off the hook.

Not exactly “adversary”.

The AC is verified by the issuer bank, whereas the money is claimed by the acquirer bank.

Even when it is the same bank, I find it hard to believe they would actually cheat.

Anyhow, offline transactions are decreasing in number and are in any case limited to relatively small amounts. I consider SDA and DDA marginal. Comminications are nowadays avaliable, cheap and fast. Go online.

Steven, I think forcing multiple PINs is probably untenable long term. Basically at the end of the day, when you consider going across totally heterogeneous systems operated by different parties, there’s no way you can enforce that people use different passwords for each. So why try to have it in banking? It’s a battle you can’t win long term. When Mastercard CAP comes for internet banking, it would be really nice to have a different PIN for that as for POS payment, to get separation between the systems, but then thats a third contender…

With regards to the relay attack, TillMonkey and Jon discuss whether various foreign devices inserted into POS terminals are concealable or practical.

We must consider here, first and foremost the incentives of the involved parties to detect such devices, their possible tacit and explicit collusion, and what rewards or benefits there might be from them doing their part. The standard of concealment actually attainable I believe is a second priority, and I think this is a question where many of us can do little more than speculate.

Steven’s analogy of the children’s magician is maybe a little tame… magicians may be great at making rabbits appear from inside their coats, but a more relevant sleight of hand is that of the shoplifter, who does the same sort of trick, except in reverse.

I think that the relay attack is doable, it will end up as a real threat; it is the attachable interceptor that we prototyped that will have the limited lifespan. It may well work for a while, but once DDA cards come in and the PIN goes in encrypted form, it will no longer become an economical attack method. By this I don’t mean that POS attacks will stop, just that this specific POS attack vector will become obsolete. Then it will probably be cheaper to use whole counterfeit terminals, maybe. Or maybe go back to double-swiping and hidden camera… after all, that’s proven technology.

Jon, I think this shows that security evaluation standards are an imperfect tool. Standards have so many problems, especially when many players only buy kit that conforms to a standard because of regulatory body requirements, or suchlike. I have never gone out to buy a fluffly toy for my kid and looked for the “CE” mark on the bottom; the presence of such a mark only comes into play when things go wrong and it’s litigation time. Its such a complicated multi-way relationship between POS terminal manufacturers, till software integrators, merchants, acquiring banks and issuing banks that its very difficult to tell who relies upon a security evaluation, who comissioned the evaluation, and who wrote the standard. The chances of the economic incentives of all these parties being properly aligned is slim, I guess, so problems persist.

The majority of POS terminals in use must undergo security evaluations, which look for such vulnerabilities. It would be interesting to determine if these evaluations are effective in weeding out badly designed terminals. The recent shell case calls this into question as the trintech terminal was evaluated under Visa PED, ZKA and perhaps “APACS Common Criteria”.

I do however agree that these “issues” are brought to light so that banks cannot claim that chip and pin offers perfect security.

It sounds like it would actually mean a green plastic “card” covered in soldered contacts with wires leading into bad guys’ pocket being used at the target POS?

There are already contactless smartcards available, so producing a wireless relay is clearly technically feasible. The open question is whether it is possible to make with readily available components. Fabricating a special purpose IC is not inconceivable for crooks (e.g. modchips), but might make this attack uneconomical.

Even if wires are needed, in a previous case I heard of, the crook melted fine wires into the body of a real card. Where the card is not handled by the shop staff, I think the sleight of hand required to pull this off is well below the standard of your average children’s party magician. In some places I have seen, the terminal is on the customer’s side of a screen, making it even easier.

Having different cards or PINs for ATMs, Chip & PIN and use abroad would also improve security.

A good idea but it’s back to consumer acceptance I’m afraid: it’s been difficult enough to get people to start using PINs at all. Telling them they also need different ones for the same debit/ATM multifunction card would’ve been a marketing non-starter (and, for good or ill, the the marketers will always win…..)

P.S. While we’re talking about DDA, remember real-time relay attacks are still on the cards.

I may be missing a point but wouldn’t a “real world” relay attack just be practically impossible? It sounds like it would actually mean a green plastic “card” covered in soldered contacts with wires leading into bad guys’ pocket being used at the target POS? I know shop staff have cheerfully watched people signing “Donald Duck” for years but this would require a degree of negligence/collusion that would would be impossible to explain away come chargeback time….??