
SANS ISC: Isn't it About Time to Get Moving on Chip and PIN? - Internet Security | DShield SANS ISC InfoSec Forums


Isn't it About Time to Get Moving on Chip and PIN?

I got to thinking about the 3 "big story" breaches that we've all been discussing over the last month or so.  Just adding things up, we're at a count of over 100 million cards and personal information disclosed.

Just thinking about it over the weekend, I realized two things:
1/ All of these breaches affect the only region still using swipe-only credit cards - the United States.
2/ The count of cards compromised is right around 1/3 of the population of the United States.

With this many cards compromised and needing replacement, isn't it time that the industry wakes up and smells the coffee? Everyone (yes everyone) else in the world has moved to Chip and PIN technology, which makes theft of credit cards much more difficult (though not impossible, looking at recent events in the UK).  These breaches illustrate (again) that the US staying on this old technology for cards has the effect of making theft of cards much easier in the US, focusing the attention of criminals on US cards.

If we're replacing that many cards, wouldn't RIGHT NOW be a really good time to issue 110 million bright, shiny new Chip and PIN credit cards for the folks who are the victims of these breaches?  I know that this would complicate things on the logistics side, but it's not new technology - this could certainly be arranged.  Even if the Chip / PIN technology isn't actually used (there are a boatload of machines that need replacing for one thing), it at least gets things moving in the right direction.

Please, share your thoughts on this in our comment form - am I off base?

===============
Rob VandenBrink
Metafore

Rob VandenBrink

497 Posts
ISC Handler
First, EMV has been planned for US deployment for a number of years dating back to 2011 with announcements from the major processors regarding support roadmaps. The US banks haven't been asleep, they just made a calculated decision to not fast-track Chip and PIN. The post at https://www.cs.columbia.edu/~smb/blog/2014-02/2014-02-05.html is a good primer on the topic.

If you want Chip and PIN to happen quickly, you need to create incentives. PCI-DSS isn't good enough and you can't throw the Target C-levels in jail or fine them for non-compliance to a standard that doesn't exist. As consumers it stinks that major breaches happened, but Chip and PIN is coming. The real question to ask is how to fix Chip and PIN's security flaws.
Anonymous
Off base, no, however smart-chips that use mechanical contacts to pull the data have a greater failure rate. Every time you run the card into the machine, it scratches the chip, which in turn removes contact material. Additionally, if the chip gets wet or static hits it, the failure rate increases.

The WMS equipment using the Symbol/Motorola scanners could be fixed much easier and cheaper by implementing 3D barcode scanning. The card would be much cheaper to replace and is not affected by mechanical abrasion, electrical/static or water.

However, the most secure would be RFID & PIN like some cards have, no abrasion and wrapped safely in plastic. Just another thought.
ICI2I

63 Posts
I have a story today on ZDNet (http://www.zdnet.com/windows-xp-lives-on-in-atms-crisis-7000026106/) that discusses this in the context of ATMs, but I also talk about EMV. Over the next 2 years, maybe even within a year, you'll see widespread EMV coming out because VISA and Mastercard are going to require it. Acquirers who don't support it will be on the line for fraudulent transactions.
Larry Seltzer

24 Posts
I wanted to say something similar.

The push cannot come from banks or retailers because that stuff costs money and the consumers are largely ignorant that it even exists.

The push must come from the payment card industry or from the government.

I have also read that the Visa and Master Card are going to start putting banks and retailers on the hook for fraudulent charges from non Chip-and-PIN cards as early as next year. If that doesn't light a fire under some execs, nothing will.

Lord knows we have enough regulation as it is and the more specific it gets the easier it is to "just so" everything so that you comply but are actually less secure. Having a more flexible industry "suggestion" makes much more sense.
Jasey

93 Posts
Lots of moving parts to this. A cynical viewpoint suggests the cost of fraud has not exceeded the cost to migrate to EMV in the US, leading to the non-adoption of the technology. A more cynical viewpoint further suggests recent events may actually be affecting the bottom line of the very members of the PCI Council--this poll [1] shows that a third of respondents have used cash rather than cards in January in reaction to security concerns. And anybody else notice those big, full page ads by the card brands proclaiming zero liability in case of badness? Yes, the cynic in me thinks that perhaps the bottom line is being threatened a bit...

In October 2015, Visa has a liability shift scheduled--if a fraud could have been prevented by EMV, then the merchant is liable. The biggest expense to migrate is borne by merchants--those little EMV terminals are not cheap and there has been a lot of pushback on that date. I suspect the good that will come out of these recent large breaches is that the date will stick after all. "Right Now" is not likely to happen. But perhaps "As Scheduled" might.

And yes, the whole world but the US converted, long, long ago. Wet chips, scratched chips, all seem to be quite manageable. But open track data with open transactions is not.

[1] http://ap-gfkpoll.com/featured/ap-gfk-poll-breaches-not-changing-peoples-habits
Ben T

4 Posts
The cost is not the new cards, it barely costs more than postage for a new card to upgrade a card to EMV. The cost is upgrading every POS terminal to accept them. That is huge, and perhaps almost neck and neck with with current cost of fraud.

You can get EMV cards in the US from most card providers if you ask.
Ben T
4 Posts
I can make a couple of points here. First of all, upgrading is far more than replacing cards. All point-of-sale terminals need replacement. I have seen cost estimates of 10bn$ for the entire U.S. Merchants and banks didn't want to bear the cost, and each wanted the other to pay for it. And it isn't just replacing the terminals - lots of backoffice things need to be upgraded to be able to handle EMV transactions, and there is tons of testing and verification that needs to happen. But it sounds like merchants are suddenly finding religion on this - they realize that there can be huge stains to their reputation in addition to legal liabilities if their POS terminals become infected.

The banks in the U.S. who do issue EMV cards tend to issue chip-and-signature instead of chip-and-pin. Which works just fine in Europe - the handheld devices they use over there can deal with either one. The problem you might face is at an unattended kiosk of some sort (say you want to rent a "Boris-bike" bicycle in London, you apparently need a c&p card. Didn't try when I was there, so I don't know if that's a real problem). The card I have came from BofA, but I had to call and ask for it. Not all flavors of cards from BofA support EMV yet. I also called Amex, and they said it was not yet available for the flavor of the card I have (Delta skymiles).

There is also a little retraining of both customers and clerks. EMV transactions work a little differently - you don't just swipe the card through. You stick the card in the machine, and it needs to stay there for 10-15 seconds until the transaction is complete.

As tempting as it is to advocate EMV cards, I would say that it is necessary but not sufficient. Clearly there are other problems at some of these merchants which allow the bad guys to get in. Using EMV might make it impossible for the crooks to get credit card info from your point of sale terminals, but if the bad guys are in your network they will look for something else that they can monetize. I would say that in *addition* to EMV, that additional measures need to become both routine and required to ensure that unauthorized people cannot gain access to the network. Two-factor authentication comes to mind as one thing that should be mandatory, but I think there were other flaws at Target which contributed to the mess there. They haven't been very forthcoming about what really went on, so we can only sort of guess what types of flaws enabled this attack to happen.

I should add that EMV cards are ISO 7816 compliant, meaning that the contact patterns and electrical specs on the credit cards match the specs on a smartcard that can be used for Windows logon. I stuck my credit card in the smartcard slot on my laptop and was able to read off some amount of the data that is stored there in the EMV chip.
Eric

43 Posts
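An added example, not code from the post or its author, of what "reading off some amount of the data" from an ISO 7816 card looks like on the defender's side of the reader: the card answers a SELECT with a BER-TLV File Control Information block followed by a two-byte status word. The response bytes below are constructed for the example (the tags used, 6F/84/A5/88/5F2D/9F11, are standard EMV tags), not captured from a real card, and the parser rejects lengths that run past the end of the data.

```python
from typing import Tuple

# Constructed sample (not captured from a real card): the FCI an EMV card returns
# to SELECT of "1PAY.SYS.DDF01", followed by ISO 7816 status word 90 00 (success).
SAMPLE_RESPONSE = bytes.fromhex(
    "6F20"                                # 6F   FCI template, 32 bytes
    "840E315041592E5359532E4444463031"    # 84   DF name "1PAY.SYS.DDF01"
    "A50E"                                # A5   FCI proprietary template
    "880101"                              # 88   SFI of the directory file
    "5F2D04656E6672"                      # 5F2D language preference "enfr"
    "9F110101"                            # 9F11 issuer code table index
    "9000"                                # SW1 SW2
)

def split_status(response: bytes) -> Tuple[bytes, int, int]:
    """Separate the data field from the trailing ISO 7816 status bytes SW1 SW2."""
    if len(response) < 2:
        raise ValueError("response shorter than a status word")
    return response[:-2], response[-2], response[-1]

def _read_tag(data: bytes, pos: int) -> Tuple[str, bool, int]:
    """Decode a BER tag; bit 6 of the first byte marks a constructed object."""
    first = data[pos]
    end = pos + 1
    if first & 0x1F == 0x1F:                      # multi-byte tag (5F2D, 9F11, ...)
        while end < len(data) and data[end] & 0x80:
            end += 1
        end += 1
    return data[pos:end].hex().upper(), bool(first & 0x20), end

def _read_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode a BER length: short form, or 0x81/0x82 followed by 1 or 2 bytes."""
    if pos >= len(data):
        raise ValueError("data ends inside a tag/length header")
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes not in (1, 2) or pos + 1 + nbytes > len(data):
        raise ValueError("bad length encoding 0x%02X" % first)
    return int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes

def parse_tlv(data: bytes) -> dict:
    """Parse BER-TLV into {tag: bytes | nested dict}; over-long lengths are rejected."""
    tree = {}
    pos = 0
    while pos < len(data):
        tag, constructed, pos = _read_tag(data, pos)
        length, pos = _read_length(data, pos)
        if pos + length > len(data):
            raise ValueError("tag %s claims %d bytes past end of data" % (tag, length))
        value = data[pos:pos + length]
        tree[tag] = parse_tlv(value) if constructed else value
        pos += length
    return tree

def parse_select_response(response: bytes = SAMPLE_RESPONSE) -> Tuple[dict, str]:
    """Return the parsed FCI and the status word as hex, e.g. '9000'."""
    data, sw1, sw2 = split_status(response)
    return parse_tlv(data), "%02X%02X" % (sw1, sw2)
```

Anything other than `9000` in the status word (for example `6A82`, file not found) means the data field should be treated as absent rather than parsed.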
Oddly enough, everyone here is more concerned about a card that one chooses to get, instead of the one we must get. Look how much "security" your "paper card" with 9 digits has on it. Start there and all the other children will fall into place.

Quote:I should add that EMV cards are ISO 7816 compliant, meaning that the contact patterns and electrical specs on the credit cards match the specs on a smartcard that can be used for Windows logon. I stuck my credit card in the smartcard slot on my laptop and was able to read off some amount of the data that is stored there in the EMV chip.


Exactly!!! For those that have actually worked with ISO 7816 technology, it is not a "utopian" solution. Move to RFID or laser scanning.. Have not heard of many "3D" postage stamps being hijacked.
ICI2I

63 Posts
I have a chip and signature card, and every time a merchant has a terminal with an appropriate slot, I try to use it. So far, it has not worked once because the cashier doesn't understand or the cash register software doesn't support it. At the grocery store, I was told to just swipe it because "that slot's for WIC." I suspect the level of WIC fraud in Texas is much, much lower than the incidence of credit card fraud. At Office Depot, they want the card ID for my Amex, but their register doesn't support chip and signature (although the terminals do have the slot).

I suspect that the biggest part of the issue will not be replacing the terminals, but replacing the POS software and retraining the employees.
ICI2I
1 Posts
From above: "however smart-chips that use mechanical contacts to pull the data have a greater failure rate."

Um, not so. We've been using Chip and PIN credit cards in Canada for at least half a dozen years now.

I use my credit card at least 100 times a month, and I've yet to have any failure in reading the chip. (No, I refuse to use the RFID feature of the card - so I can have verifiable deniability.) The gold plating is a little worn/polished, but no worse than the plastic surface of the card. Bonus: you're not leaving a valid sample of your signature everywhere.

Really, I'm astonished that you'all in the 'States aren't already using this.
ThaumaTechnician

2 Posts
Quoting Anonymous:I suspect that the biggest part of the issue will not be replacing the terminals, but replacing the POS software and retraining the employees.


This supports my earlier post. Symbol/Motorola/Lenovo? has a majority of the WMS and POS market in the US. If they wanted to do something quicker, move to a 3d barcode scan like the US Post Office has, then move to RFID, bypassing the ISO chip. Both 3d laser scanning and RFID rank up there for security. Look at Military IDs, Passports, DLs; ALL have 3d barcode optical scanning.
ICI2I

63 Posts
My chip card is not always readable in certain machines, such as the Verifone unit. I also found that many of the machines are slow in responding when the card is inserted. This definitely slows down the cashing out procedure at registers. Is the "tap and go" method (Mastercard) any quicker?
Glenn

17 Posts
@NoName: please stop claiming RFID is safe, it is not!
And as said by ThaumaTechnician, chip and pin don't fail any more than other technologies... they even fail much less than the old technology only used in the US.
Anonymous
Quote:The gold plating is a little worn/polished, but no worse than the plastic surface of the card. Bonus: you're not leaving valid sample of your signature everywhere.


Who is foolish enough to "leave their signature" @ any POS?! but I digress. My signature is on-file with CC company, yours? But then again, I might be wrong after all we know how companies like CGI Federal understand the complexity of security. Ding! Fries are done!
ICI2Eye

52 Posts
Barcodes can be trivially cloned. Passive forms of RFID can be cloned as well. Tap-and-go cards scare the bejebus out of me.

EMV is far far harder to clone. That's the whole point of it.
Eric

43 Posts
Quoting Ben T:
In October 2015, Visa has a liability shift scheduled--if a fraud could have been prevented by EMV, then the merchant is liable. The biggest expense to migrate is borne by merchants--those little EMV terminals are not cheap and there has been a lot of pushback on that date.


The Target CFO claims that they are going to try and support EMV by January 2015, and they plan to be issuing EMV cards by the end of 2014. Yes, clearly they have gotten religion, and they are trying to close the barn door after the horse is out. But I suspect that other retailers are watching this and saying to themselves "There but for the grace of God go I", so we may find other retailers working to accelerate plans to upgrade.

http://www.eweek.com/security/target-tells-senate-its-speeding-up-plans-to-accept-emv-credit-cards.html

I should add that the liability shift for pay-at-the-pump is Oct 2017.
Eric

43 Posts
Quote:Barcodes can be trivially cloned. Passive forms of RFID can be cloned as well. Tap-and-go cards scare the bejebus out of me.

EMV is far far harder to clone. That's the whole point of it.


Eric, let's back into this.. I did not say "barcode as in 2D" ie.. has left and right fields with lines, I said 3D barcoding, a whole different level of security. It, along with other measures, RFID are deployed in all levels of Gov, States. (Check your ID, passport) Destroy it, you will not authenticate.

Oddly enough I came across this article, look at the date.

http://www.lowcards.com/credit-cards-rfid-13517

If you are still concerned about security, try looking for a card that does not have RFID technology. You may have to spend a few extra seconds swiping it at the register, but that will be worth the peace of mind. (Wonder where he is after the Target breach? )

Fact is this, I have been working with ISO7816 since the 90's and have actually dumped data from a CC card I shut down. For those that do not understand, this IS the standard and easily chunked down to decipher. https://en.wikipedia.org/wiki/Smart_card

Few of the individuals are stuck on RFID as in little tags, shows the ignorance towards this technology. The chip in the AX card and others is a smart-chip with an antenna to transmit the encrypted data, you now have what? RFID. Take a look at the 4th picture down on right.

https://en.wikipedia.org/wiki/File:Australia_Bank_Paypass_Card.png

I made a laser pointed reference to the most important security firewall that goes UNnoticed. For Americans it is the Social Security Card, still a piece of UNsecured paper with 9 digits on it you will carry to your grave.

It defines us, period, job applications, credit card applications, utilities et al. Secure that, cut off the head of the serpent.

Now, though this thread is about CC smartcard and pins, (Which RFID is a smartchip) until then I suggest the following, which I have done.

1. Passphrase your CC at time of getting one. Leave the mother's-maiden-name blank and call in the CS rep when you get the card. Make sure each passphrase is unique to each card, do the same with utility, phone etc.

Each service I have is passphrased. This prevents someone from changing your accounts. If compromised it came from inside.

2. Of course PIN protect, but how many digits can a person remember? Standard is 4, how long do you think that takes to break apart?

3. FREEZE your credit.


Quote:http://www.eweek.com/security/target-tells-senate-its-speeding-up-plans-to-accept-emv-credit-cards.html


"There were exceptions. Michael Kingston, CIO for Neiman Marcus declined to say that his company would actively move to EMV technology,

Sadly, Needless Markup aka Neiman Marcus will only do if they (like others) are forced. How many did they lose to the breach?
ICI2Eye

52 Posts
While switching to Chip and Pin, or RFID and Pin, or 3D Barcode and Brainscan is all fine for limiting fraud at Brick and Mortar stores, I fail to see how it's going to help No Card Present (NCP) transactions. If anything the fraud is simply going to move online. Have I missed something here? Without a way to validate the card and its possessor online I don't think this is going to be good news for Internet merchants. How about we talk multifactor authentication using a smart device instead?
Cyberis

2 Posts
Quoting ICI2Eye:
I said 3D barcoding a whole different level of security.


My point is that anything passive can be easily copied.

You advocate for RFID, and then you say this:

Quote:
Oddly enough I came across this article, look at the date.

http://www.lowcards.com/credit-cards-rfid-13517



And if you follow the link, it tells you about how people can steal your credit card information simply by brushing up against you in a crowded area. There are many such links describing the technique. Here's another:

http://www.clickorlando.com/news/ucf-graduate-says-invention-will-stop-rfid-credit-card-thieves/-/1637132/24182942/-/8o89htz/-/index.html

Or even this, where someone (with permission) copies credit card information to a hotel room key and uses it as if it were a credit card:

https://www.youtube.com/watch?v=lLAFhTjsQHw

The only defense is to encase your credit cards in some sort of shielded container to prevent the RF signals from activating the card. In what way is this an improvement?

The way I see it, the rest of the world has already standardized on EMV, and it is already getting to be a pain for tourists from the U.S. when traveling abroad if they don't have an EMV credit card. I don't see the point in inventing a whole new and incompatible standard when there is already one out there in the field which has been demonstrated to work.
Eric

43 Posts
Quoting ICI2Eye:
2. Of course PIN protect, but how many digits can a person remember? Standard is 4, how long do you think that takes to break apart?

Why do you continue with your nonsense? How can you brute-force a PIN code when at the 3rd error the card is locked? You have to be very lucky to find a PIN in 3 tries.

You clearly show that you have never used a PIN+code credit card.
And nobody is using just RFID for highly secure access.
Eric
1 Posts
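As an added illustration of the lockout point made above (not code from the thread), a card-side model of offline PIN verification guarded by a PIN Try Counter: each wrong guess is answered with a `63Cx` status carrying the remaining count, the card answers `6983` once the counter reaches zero, and from then on even the correct PIN is refused. The try limit of 3 and the sample PIN are assumptions made for the model.

```python
import secrets
from fractions import Fraction
from typing import Tuple

PIN_TRY_LIMIT = 3        # assumed PIN Try Limit for this model
SW_OK = "9000"           # ISO 7816: command completed
SW_BLOCKED = "6983"      # ISO 7816: authentication method blocked
# 63Cx (ISO 7816): verification failed, x attempts remaining

class CardPin:
    """Card-side model of offline PIN verification guarded by a PIN Try Counter."""

    def __init__(self, pin: str, try_limit: int = PIN_TRY_LIMIT) -> None:
        self._pin = pin
        self._limit = try_limit
        self.tries_left = try_limit

    def verify(self, candidate: str) -> str:
        """Answer a VERIFY with the status word the card would return."""
        if self.tries_left == 0:
            return SW_BLOCKED                 # blocked: even the right PIN is refused
        if secrets.compare_digest(candidate, self._pin):
            self.tries_left = self._limit     # counter resets on success
            return SW_OK
        self.tries_left -= 1
        return SW_BLOCKED if self.tries_left == 0 else "63C%d" % self.tries_left

def attempts_until_blocked(card: CardPin, digits: int = 4) -> Tuple[bool, int]:
    """Submit PINs 0000, 0001, ... and report (found, attempts) when the card stops."""
    for n in range(10 ** digits):
        sw = card.verify("%0*d" % (digits, n))
        if sw == SW_OK:
            return True, n + 1
        if sw == SW_BLOCKED:
            return False, n + 1
    return False, 10 ** digits

def success_probability(digits: int = 4, tries: int = PIN_TRY_LIMIT) -> Fraction:
    """Chance that guessing beats a uniformly random PIN before the counter hits zero."""
    return Fraction(tries, 10 ** digits)

if __name__ == "__main__":
    print(attempts_until_blocked(CardPin("4821")))   # (False, 3)
    print(success_probability())                     # 3/10000
```

Online-verified PINs are governed by the issuer's counter rather than the card's, but the same limit-then-block behaviour is what makes a short numeric PIN workable.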