Top

Published in:

2014 | OriginalPaper | Chapter

13. Analysis of Potential Vulnerabilities in Payment Terminals

Authors : Konstantinos Rantos, Konstantinos Markantonakis

Published in: Secure Smart Embedded Devices, Platforms and Applications

Publisher: Springer New York

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Payment systems fraud is considered in the center of several types of criminal activities. The introduction of robust payment standards, practices and procedures has undoubtedly reduced criminals’ profit, and significantly hardened their work. Still though, all payment systems’ components are constantly scrutinised to identify vulnerabilities. This chapter focuses on the security of payment terminals, as a critical component in a payment system’s infrastructure, providing an understanding on potential attacks identified in the literature. The attacks are not only limited to those aiming to insult terminals’ tamper-resistance characteristics but also include those that target weak procedures and practices aiming to facilitate the design of better systems, solutions and deployments.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Automotive Embedded Systems Applications and Platform Embedded Security Requirements

next chapter Wireless Sensor Nodes

Figures reveal that payment card fraud is one of the most profitable attacks for fraudsters and costly for the card payments industry to defeat. In the U.S. alone, card fraud costs the card payments industry an estimated US$8.6 billion per year [1].

Chip and PIN (http://www.chipandpin.co.uk) is the UK’s flavour of EMV introduced in 2004 and fully rolled-out in February 2006.

Listed in alphabetical order: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

http://news.bbc.co.uk/2/hi/uk_news/england/4980190.stm

http://www.theregister.co.uk/2007/02/06/card_security_attack/

http://www.theregister.co.uk/2008/08/13/pin_security_analysis/page2.html

http://www.telegraph.co.uk/news/uknews/law-and-order/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html

Aka card verification value (CVV or CVV2), card validation code (CVC or CVC2) or Value, or Card Security Code

As Professor Chris Mitchell points in his Lecture Slides (Available: http://www.isg.rhul.ac.uk/cjm/IY5601/IY5601_B_060205_83-156.pdf) CDA, if appropriately used, makes EMV robust against wedge attacks.

Details were given by the US National Counterintelligence Executive, Dr Joel Brenner in a Daily Telegraph interview, http://www.telegraph.co.uk/news/uknews/law-and-order/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html.

Johnston et al. [21] demonstrated that bypassing tamper-indicating security, aka security seals, can sometimes be quite trivial.

http://www.theregister.co.uk/2008/08/06/id_fraud_hacking_case/

http://www.theregister.co.uk/2009/08/17/heartland_payment_suspect/

Skimming devices are even sold on Internet forums for about 8,000€.

According to [23], at the end of 2011, more than 134 million UK cards had unique iCVV.

http://www.wired.com/threatlevel/2009/04/pins/

http://www.google.com/hostednews/afp/article/ALeqM5isP_cJaxnqSGaPVgUy0P3tSvpqrA

http://www.spiegel.de/wirtschaft/soziales/0,1518,670433,00.html

http://www.lightbluetouchpaper.org/2009/08/25/defending-against-wedge-attacks/

The attack is only successful with SDA cards used off-line and not with DDA or CDA cards, or on-line transactions as the fraudster cannot have access to the keys necessary for card data authentication.

According to http://www.dailymail.co.uk/news/article-389084/Millions-danger-chip-pin-fraudsters.html: “Of the 6.2billion transactions on a credit, debit or charge card carried out every year in this country, one in five happens ‘off-line’, meaning the chip and pin terminal does not connect to the cardholder’s bank.”

From 1st January 2011 schemes mandated that all new and replacement cards support DDA. At the end of 2011, 98 million DDA cards were in issue in the UK [23].

Aite Group: Card Fraud in the United States: The Case for Encryption. January 2010. Available: http://www.aitegroup.com

ENISA, ATM crime: Overview of the European situation and golden rules on how to avoid it. August 2009. Available: www.enisa.europa.eu

EMVCo. A Guide to EMV. Version 1.0. May 2011. http://www.emvco.com

PCI, SSC Wireless Special Interest Group Implementation Team - Information Supplement: PCI DSS Wireless Guideline. Available: https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf

Payment card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures. Version 2.0. October 2010. Available: https://www.pcisecuritystandards.org

PCI, SSC: PCI Data Storage Do’s and Dont’s. Available: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf

PCI Encrypting PIN Pad (EPP) - Security Requirements, v2.1. January 2009. Available: https://www.pcisecuritystandards.org/documents/epp_security_requirements.pdf

Payment Card Industry (PCI) Point-to-Point Encryption. September 2011, Available: https://www.pcisecuritystandards.org

Murdoch, S. J., Drimer, S., Anderson, R., and Bond, M.: Chip and PIN is Broken. IEEE Symposium on Security and Privacy (2010) pp 433–444.

10.

Anderson, R., Bond, M., and Murdoch, S. J.: Chip and SPIN. Computer Security Journal v 22 no 2 (2006) pp 1–6.

11.

Desmedt, Y., Goutier, C., and Bengio, S. Special uses and abuses of the Fiat-Shamir passport protocol. In Advances in Cryptology CRYPTO 87: Proceedings (1987), vol. 293 of LNCS, Springer, p. 21.

12.

Murdoch, S.J., EMV flaws and fixes: vulnerabilities in smart card payment systems. Available: http://www.cl.cam.ac.uk/sjm217/talks/leuven07emv.pdf

13.

Everett D. Chip and PIN Security. Available: http://www.smartcard.co.uk/Chip and PIN Security.pdf

14.

EMV Iintegrated Circuit Card Specifications for Payment Systems - Book 2: Security and Key Management. Available: https://www.emvco.com

15.

EMV Iintegrated Circuit Card Specifications for Payment Systems - Book 3: Application Specification. Available: https://www.emvco.com

16.

Murdoch, S. J., Drimer, S., Anderson, R., and Bond, M.: EMV PIN verification "wedge" vulnerability, February 2010. Available: http://www.cl.cam.ac.uk/research/security/banking/nopin/

17.

Drimer, S., and Murdoch, S. J.: Keep your enemies close: Distance bounding against smartcard relay attacks. In USENIX Security Symposium, August 2007. Available: http://www.usenix.org/events/sec07/tech/drimer/drimer.pdf

18.

Centenaro, M., Focardi, R., Luccio, F., Steel, G.: Type-based analysis of PIN processing APIs. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 5368. Springer, Heidelberg (2009).

19.

The UKCARDS Association: Security guidance for card acceptance devices - Deployed in the face-to-face environment.

20.

EMV Integrated Circuit Card Specifications for Payment Systems: Book 4 - Cardholder, Attendant, and Acquirer Interface Requirements, June 2008. Available: www.emvco.com.

21.

Johnston, R. G., Garcia, A. R., and Pacheco, A. N.: Efficacy of tamper-indicating devices. Journal of Homeland Security (April 2002).

22.

Mowery, K., Meiklejohn, S., Savage, S.: Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks. In 5th USENIX Workshop on Offensive Technologies, August 2011. Available: http://www.usenix.org/events/woot11/tech/final_files/Mowery.pdf

23.

Financial Fraud Action UK: Fraud - The Facts 2012. Available: http://www.financialfraudaction.org.uk

24.

SPVA Lifecycle of a Secure Payment Device: Post Manufacturing Stage, June 2011, Available: www.spva.org.

25.

Mastercard, Understanding Terminal Manipulation at the Point of Sale. Available: http://www.mastercard.com/us/company/en/docs/Terminal_Manipulation_At_POS.pdf

26.

Visa Best Practices for Primary Account Number Storage and Truncation. Available: http://usa.visa.com/download/merchants/PAN_truncation_best_practices.pdf

27.

European Association of Payment Service Providers for Merchants. Point-to-Point Encryption and Terminal Requirements in Europe. May 2011. Available: http://www.epsm.eu

28.

VISA, Guide to Data Field Encryption. Available: http://www.visacemea.com/ac/ais/uploads/AIS_Guide_0610_Data_Field_Encryption.pdf

29.

Mastercard Worldwide, An Analysis of End-to-end Encryption as a Viable Solution for Securing Payment Card Data. Available: http://www.mastercardacquirernews.com/pdfs/encryptionAnalysis.PDF

30.

Visa Best Practices for Tokenization Version 1.0. Available: http://usa.visa.com/download/merchants/tokenization_best_practices.pdf

31.

CISP Bulletin, Top three POS system vulnerabilities identified to promote data security awareness. November 2006. Available: http://usa.visa.com/download/merchants/top_three_pos_system_vulnerabilities_112106.pdf

32.

Bond, M., Cvrcek, D., and Murdoch S.J.: Unwrapping the Chrysalis, In: Technical report, No. 592, 2004, Cambridge, GB, p. 15, ISSN 1476–2986.

Title: Analysis of Potential Vulnerabilities in Payment Terminals
Authors: Konstantinos Rantos
Konstantinos Markantonakis
Publisher: Springer New York
Book: Secure Smart Embedded Devices, Platforms and Applications
Print ISBN: 978-1-4614-7914-7

Electronic ISBN: 978-1-4614-7915-4

Copyright Year: 2014
DOI: https://doi.org/10.1007/978-1-4614-7915-4_13

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner