How Smartcard Payment Systems Fail
Ross Anderson
Black Hat 2014

The EMV protocol suite
Named for Europay-MasterCard-Visa, also known as 'chip and PIN'
Developed late 1990s, deployed in UK ten years ago (2003-5, mandatory 2006)
Europe, Canada followed
About to be deployed in the USA (by 2015)
Fascinating story of failures and frauds
Many lessons for security engineers!

Concept of operations
Make forgery harder by replacing the mag strip with a chip, which authenticates the card
Make authentication of the cardholder stronger by replacing the signature with a PIN
Keep verifying PINs online at ATMs, but verify on the chip at merchant terminals
Encourage deployment by making the merchant liable if the PIN is not used ('liability shift')

Fraud history, UK
Cardholder liable if PIN used
Else merchant pays
Banks hoped fraud would go down
It went up ...
Then down, then up

[Chart: UK fraud losses 2004-2012 by type (lost and stolen, ID theft, mail non-receipt, online banking, cheque fraud, phone banking), with the Chip & PIN deployment period marked]
Total, ex phone (m):
2005  503
2006  491.2
2007  591.4
2008  704.3
2009  529.6
2010  441
2011  410.6
2012  462.7

EMV shifted the landscape
Like bulldozing a floodplain, it caused the fraud to find new channels
Card-not-present fraud shot up rapidly
Counterfeit took a couple of years, then took off once the crooks realised:
it's easier to steal card and PIN details once PINs are used everywhere
you can still use mag-strip fallback overseas
tamper-resistance doesn't work

Attack the crypto
EMV broke all the cryptographic hardware security modules in the world!
A transaction specified by VISA to send an encrypted key to a smartcard leaked keys
See 'Robbing the bank with a theorem prover', Paul Youn, Ben Adida, Mike Bond, Jolyon Clulow, Jonathan Herzog, Amerson Lin, Ronald L Rivest, Ross Anderson, SPW 2007
Ben now works for Square, Jol for Deutsche

Attack the optimisations
Cheap cards are SDA (no public key capability, so static)
A 'yes card' can impersonate in an offline terminal
Fairly easy to do, but not seen much

What about a false terminal?
Replace a terminal's insides with your own
Capture cards and PINs from victims
Use them to do a man-in-the-middle attack in real time on a remote terminal in a merchant selling expensive goods

The relay attack (2007)
[Figure: relay attack between a $20 and a $2000 transaction; attackers can be on opposite sides of the world]

Attacks in the real world
The relay attack is almost unstoppable, and we showed it on TV in February 2007
But it seems never to have happened!
So far, mag-strip fallback fraud has been easy
PEDs tampered at Shell garages by 'service engineers' (PED supplier was blamed)
Then Tamil Tigers
After fraud at Girton: we investigate

Tamper-proofing of the PED
In EMV, PIN sent from PIN Entry Device (PED) to card
Card data flows the other way
PED supposed to be tamper resistant according to VISA, APACS (UK banks), PCI
'Evaluated under Common Criteria'
Should cost $25,000 per PED to defeat

Tamper switches (Ingenico i3300)

... and tamper meshes too

TV demo: Feb 26 2008
PEDs evaluated under the Common Criteria were trivial to tap
Acquirers, issuers have different incentives
GCHQ wouldn't defend the CC brand
APACS said (Feb 08) it wasn't a problem
Khan case (July 2008)

The no-PIN attack
How could crooks use a stolen card without knowing the PIN?
We found: insert a device between card & terminal
Card thinks: signature; terminal thinks: PIN
TV: Feb 11 2010

A normal EMV transaction
1. Card details; digital signature
2. PIN entered by customer
3. PIN entered by customer; transaction description
4. PIN OK (yes/no); authorization cryptogram
5. Online transaction authorization (optional)

A no-PIN transaction

Blocking the no-PIN attack
In theory: might block at terminal, acquirer, issuer
In practice: may have to be the issuer (as with terminal tampering, acquirer incentives are poor)
Barclays blocked it July 2010 until Dec 2010
Real problem: EMV spec vastly too complex
With 100+ vendors, 20,000 banks, millions of merchants ... a tragedy of the commons!
Later bank reaction: wrote to the university asking for Omar Choudary's thesis to be taken down from the website
Currently only HSBC seems to block it in the UK!

Card Authentication Protocol
Lets banks use EMV in online banking
Users compute codes for access, authorisation
A good design would take PIN and challenge / data, encrypt to get response
But the UK one first tells you if the PIN is correct
This puts your personal safety at risk ...
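
The two reader designs contrasted above, as an added toy illustration (not code from the talk): a reader that checks the PIN locally can confirm a guessed PIN to whoever holds the card, while a reader that only mixes the PIN into the code leaves that judgement to the bank. Keys, PINs, challenges and the code derivation are constructed for the example and are not the real CAP algorithm.

```python
# Added illustration, not from the talk: two toy CAP-style reader designs, showing which one
# lets the reader itself confirm whether a PIN was right. Keys and PINs are constructed.
import hmac
import hashlib

CARD_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # constructed; real cards keep theirs in the chip
TRUE_PIN = "4711"                                             # constructed

def uk_style_response(pin, challenge, card_key=CARD_KEY, true_pin=TRUE_PIN):
    """Card verifies the PIN first, so the reader can announce 'PIN incorrect' on the spot."""
    if pin != true_pin:
        raise ValueError("PIN incorrect")   # this local verdict is what makes the holder worth coercing
    mac = hmac.new(card_key, challenge.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % 10**8

def pin_mixed_response(pin, challenge, card_key=CARD_KEY):
    """PIN is an input to the code and is never checked locally: a wrong PIN just yields a wrong code."""
    mac = hmac.new(card_key, f"{pin}:{challenge}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % 10**8

def bank_verifies(code, challenge, card_key=CARD_KEY, true_pin=TRUE_PIN):
    """Only the bank, holding both key and PIN, learns whether the code (and hence the PIN) was right."""
    expected = pin_mixed_response(true_pin, challenge, card_key)
    return hmac.compare_digest(f"{code:08d}", f"{expected:08d}")

def wrong_pin_detected_by_reader(responder, pin, challenge):
    """True if the reader design distinguishes a wrong PIN by itself (the property to avoid)."""
    try:
        responder(pin, challenge)
        return False
    except ValueError:
        return True
```

With the PIN-mixed design the bank can also rate-limit failed codes per account, which the reader-side check cannot do.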

Crime victims tortured for PINs

Phishing attacks?

Less suspicious than this ...

CAP attacks through wicked shops
[Figure, showing the text 'code: 7365 5748', 'login: Vic Tim', 'SecureBank Inc.']

EMV and random numbers
In EMV, the terminal sends a random number n to the card along with the date d and the amount x
The card computes an authentication request cryptogram (ARQC) on n, d, x
What happens if I can predict n for d?
Answer: if I have access to your card I can precompute an ARQC for amount x, date d

ATMs and random numbers (2)
Log of disputed transactions at Majorca:
2011-06-28 10:37:24 F1246E04
2011-06-28 10:37:39 F1241334
2011-06-28 10:38:34 F1244328
2011-06-28 10:39:08 F1247348
n is a 17 bit constant followed by a 15 bit counter cycling every 3 minutes
We test, & find half of ATMs use counters!
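
As an added check (not part of the talk), the test a defender can run on a log like the one above: if the nonces share a long constant prefix, the odds of that happening under a real RNG tell you whether the ATM is using a counter. It uses the four nonces from the slide with their timestamps dropped; the threshold is an assumption.

```python
# Added illustration, not from the talk: screening an ATM's "unpredictable numbers" for
# structure, using the four nonces printed in the disputed-transaction log above.
LOG_NONCES = ["F1246E04", "F1241334", "F1244328", "F1247348"]  # copied from the slide

def common_prefix_bits(nonces, width=32):
    """Leading bits shared by every nonce; a sound RNG drops to 0 after a handful of samples."""
    values = [int(n, 16) for n in nonces]
    for bit in range(width):
        mask = 1 << (width - 1 - bit)        # walk from the most significant bit downwards
        if len({v & mask for v in values}) > 1:
            return bit
    return width

def chance_prefix(nonces, prefix_bits):
    """Probability that k independent uniform values share a given prefix: 2^(-L(k-1))."""
    return 2.0 ** (-prefix_bits * (len(nonces) - 1))

def split_counter(nonces, prefix_bits, width=32):
    """Split each nonce into the shared high part and the remaining low bits."""
    low = width - prefix_bits
    return [(int(n, 16) >> low, int(n, 16) & ((1 << low) - 1)) for n in nonces]

def assess(nonces, threshold=1e-9):
    """Summarise the evidence: prefix length, its chance under a real RNG, and the low-bit values."""
    prefix = common_prefix_bits(nonces)
    parts = split_counter(nonces, prefix)
    chance = chance_prefix(nonces, prefix)
    return {
        "prefix_bits": prefix,                   # 17 for the Majorca log, the fixed field the talk describes
        "constant": parts[0][0],                 # the shared high-order value
        "chance": chance,                        # 2^-51 here: not a coincidence
        "weak": chance < threshold,              # threshold is an assumption for this example
        "low_bits": [low for _, low in parts],   # the 15-bit field that behaves as a counter
    }
```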

ATMs and random numbers (3)

ATMs and random numbers (4)

The preplay attack
Collect ARQCs from a target card
Use them in a wicked terminal at a collusive merchant, which fixes up nonces to match
Paper accepted at Oakland this year
Since then, we have a live case
Sailor spent €33 on a drink in a Spanish bar
He got hit with six transactions for €3300, an hour apart, from one terminal, through three different acquirers, with ATC collisions
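
Two issuer-side checks that follow from the slides, as an added example (not code from the talk): the no-PIN attack leaves the terminal claiming a PIN was verified while the card records that none was, and the preplay case above shows up as ATC collisions across acquirers. The record layout, the card-side PIN flag and the sample stream are constructed assumptions; the CVM Results byte meanings follow the public EMV tag 9F34 definition.

```python
# Added illustration, not from the talk: two issuer-side checks on incoming ARQC requests.
# Field layouts are simplified; 9F34 byte meanings follow the public EMV CVM Results definition.
from dataclasses import dataclass

@dataclass
class AuthRequest:
    pan: str                 # constructed card number
    atc: int                 # Application Transaction Counter the card included in its cryptogram
    cvm_results: bytes       # terminal's 3-byte CVM Results (tag 9F34)
    card_pin_verified: bool  # card's own record; assumes the issuer decodes its proprietary IAD
    terminal_id: str

OFFLINE_PIN_CVMS = {0x01, 0x03, 0x04, 0x05}  # 9F34 byte 1 CVM codes that use offline PIN
CVM_SUCCESSFUL = 0x02                        # 9F34 byte 3 result value

def no_pin_mismatch(req):
    """No-PIN signature: terminal says offline PIN succeeded, card says it never verified one."""
    cvm_code = req.cvm_results[0] & 0x3F      # drop the 'apply next rule if this fails' bit
    return (cvm_code in OFFLINE_PIN_CVMS and req.cvm_results[2] == CVM_SUCCESSFUL
            and not req.card_pin_verified)

def atc_replay(req, last_atc):
    """Pre-play signature: ATC not above the highest already seen for this card."""
    prev = last_atc.get(req.pan)
    suspicious = prev is not None and req.atc <= prev
    if not suspicious:
        last_atc[req.pan] = req.atc
    return suspicious

def screen(requests):
    """Return (pan, atc, terminal_id, reasons) for each request that trips a check."""
    last_atc, flagged = {}, []
    for r in requests:
        reasons = []
        if no_pin_mismatch(r):
            reasons.append("cvm-mismatch")
        if atc_replay(r, last_atc):
            reasons.append("atc-replay")
        if reasons:
            flagged.append((r.pan, r.atc, r.terminal_id, reasons))
    return flagged

PIN_OK = bytes([0x01, 0x00, 0x02])  # plaintext PIN verified by ICC, result: successful
SIG = bytes([0x1E, 0x00, 0x00])     # signature, result: unknown (checked on paper)
SAMPLE = [  # constructed authorisation stream for one card
    AuthRequest("4000-0001", 100, PIN_OK, True, "POS-A"),   # genuine chip and PIN purchase
    AuthRequest("4000-0001", 101, PIN_OK, False, "POS-B"),  # no-PIN attack: terminal and card disagree
    AuthRequest("4000-0001", 102, SIG, False, "POS-C"),     # genuine signature transaction
    AuthRequest("4000-0001", 102, SIG, False, "POS-D"),     # pre-play: cryptogram with an ATC already used
]
```

A production ATC check has to allow for offline-approved transactions clearing out of order; the point here is the shape of the two checks and that both live at the issuer, as the slides argue.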

Back end failures too ...
Interesting case in R v Parsons, Manchester crown court, 2013
Authorisation and settlement are different systems with different transaction flows
Authorisation reversals not authenticated
How to take the banks for maybe 7.3m (and the banks only noticed 2.3m of it ...)
Parsons now a fugitive from justice

In the UK we have no Reg E, and no breach reporting laws.

Attack scale
Small: a specialist team can demonstrate it to a TV journalist
Medium: a gang of crooks can take a few million before they get caught
Large: scales to nine / ten figures and forces industry action
Most of the discussed attacks are 'medium'
'Large' might be contained using analytics

What does EMV hold for the USA?
It looks like the effects of the liability shift will be mitigated by Reg E, Reg Z, & the Fed
Many banks may use chip-and-signature, as in Singapore
Consumer protection might still be undermined by payment innovation, e.g. move from credit cards to PIN debit, or phone payments
EMV with less liability shift will be an interesting natural experiment!

Broader lessons
Governance at global scale is hard
EMVCo largely superseded by vendor lobby ...
Featuritis can break anything!
Issuers, acquirers have different interests (even if departments of the same bank)
No-one represents the poor consumer
Key: proper documentation, including breach notification and responsible vulnerability disclosure (NOT the EU NIS Directive!)

More ...
Our 2014 IEEE Security & Privacy paper on the preplay attack
Our 2012 IEEE Security & Privacy paper on the no-PIN attack
See our blog
And http://www.cl.cam.ac.uk/~rja14/banksec.html
Workshop on Economics and Information Security (WEIS): next edition in the Netherlands, June 2015
My book 'Security Engineering - A Guide to Building Dependable Distributed Systems'