Systems Fail
Ross Anderson
Cambridge
Black Hat 2014
The EMV protocol suite
Named for Europay-MasterCard-Visa, also known as 'Chip and PIN'
Developed late 1990s, deployed in UK ten years ago (2003-5, mandatory 2006)
Europe, Canada followed
About to be deployed in the USA (by 2015)
Fascinating story of failures and frauds
Many lessons for security engineers!
Concept of operations
Make forgery harder by replacing the mag strip with a chip, which authenticates the card
Make authentication of the cardholder stronger by replacing the signature with a PIN
Keep verifying PINs online at ATMs, but verify on the chip at merchant terminals
Encourage deployment by making the merchant liable if the PIN is not used ('liability shift')
Fraud history, UK
Cardholder liable if PIN used
Else merchant pays
Banks hoped fraud would go down
It went up ...
Then down, then up again
[Chart: UK fraud losses (£m) by year, 2004-2012. Series plotted: Card-not-present, Counterfeit, Lost and stolen, ID theft, Mail non-receipt, Online banking, Cheque fraud, Phone banking; the Chip & PIN deployment period is marked. Total, ex phone (£m): 503, 491.2, 591.4, 704.3, 529.6, 441, 410.6, 462.7]
EMV shifted the landscape.
Like bulldozing a floodplain, it caused the fraud to find new channels
Card-not-present fraud shot up rapidly
Counterfeit took a couple of years, then took off once the crooks realised:
It's easier to steal card and PIN details once PINs are used everywhere
You can still use mag-strip fallback overseas
Tamper-resistance doesn't work
Attack the crypto
EMV broke all the cryptographic hardware security modules in the world!
A transaction specified by VISA to send an encrypted key to a smartcard leaked keys instead
See 'Robbing the bank with a theorem prover', Paul Youn, Ben Adida, Mike Bond, Jolyon Clulow, Jonathan Herzog, Amerson Lin, Ronald L Rivest, Ross Anderson, SPW 2007
Ben now works for Square, Jol for Deutsche.
Attack the optimisations
Cheap cards are SDA (no public key capability, so static certificate)
A 'yes card' can impersonate in an offline terminal
Fairly easy to do, but not seen much
What about a false terminal?
Replace a terminal's insides with your own electronics
Capture cards and PINs from victims
Use them to do a man-in-the-middle attack in real time on a remote terminal in a merchant selling expensive goods
The relay attack (2007)
[Diagram: Alice, Bob, Carol and Dave; a $20 transaction at one terminal is relayed to a $2000 transaction at another. Attackers can be on opposite sides of the world.]
Attacks in the real world
The relay attack is almost unstoppable, and we showed it on TV in February 2007
But it seems never to have happened!
So far, mag-strip fallback fraud has been easy
PEDs tampered at Shell garages by 'service engineers' (PED supplier was blamed)
Then Tamil Tigers
After fraud at BP Girton: we investigate
Tamper-proofing of the PED
In EMV, the PIN is sent from the PIN Entry Device (PED) to the card
Card data flow the other way
PED supposed to be tamper resistant according to VISA, APACS (UK banks), PCI
'Evaluated under Common Criteria'
Should cost $25,000 per PED to defeat
Tamper switches (Ingenico i3300)
... and tamper meshes too
TV demo: Feb 26 2008
PEDs evaluated under the Common Criteria were trivial to tap
Acquirers, issuers have different incentives
GCHQ wouldn't defend the CC brand
APACS said (Feb 08) it wasn't a problem.
Khan case (July 2008)
The no-PIN attack
How could crooks use a stolen card without knowing the PIN?
We found: insert a device between card & terminal
Card thinks: signature; terminal thinks: PIN
TV: Feb 11 2010
A normal EMV transaction
[Diagram: parties are the customer, the card, the merchant terminal and the issuer]
1. Card details; digital signature (card to merchant)
2. PIN entered by customer (customer to merchant)
3. PIN entered by customer; transaction description (merchant to card)
4. PIN OK (yes/no); authorization cryptogram (card to merchant)
5. Online transaction authorization (optional): transaction and cryptogram sent to the issuer, result returned
A no-PIN transaction
Blocking the no-PIN attack
In theory: might block at terminal, acquirer, issuer
In practice: may have to be the issuer (as with terminal tampering, acquirer incentives are poor)
Barclays blocked it July 2010 until Dec 2010
Real problem: EMV spec vastly too complex
With 100+ vendors, 20,000 banks, millions of merchants ... a tragedy of the commons!
Later bank reaction: wrote to university PR department asking for Omar Choudary's thesis to be taken down from the website
Currently only HSBC seems to block it in the UK!
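One form an issuer-side block can take is a consistency check between what the terminal reports and what the card reports: in the no-PIN transaction the terminal believes the chip verified a PIN while the chip records that it did not. The following is an added example, not code from the talk or from any bank; it decodes the terminal's CVM Results (EMV tag 9F34) and assumes the issuer has already extracted the card's "offline PIN verification performed" flag from the Issuer Application Data, whose layout is card-profile specific.

```python
# Added example (not from the talk or any bank): an issuer-side consistency
# check for the no-PIN attack. The terminal reports how it verified the
# cardholder in the CVM Results (EMV tag 9F34: method, condition, result).
# A wedge between card and terminal can leave the terminal believing "PIN
# verified by the chip" while the chip itself never received a PIN.
from dataclasses import dataclass

# CVM method codes, low six bits of CVM Results byte 1 (EMV Book 3, Annex C3).
CVM_PLAINTEXT_PIN_ICC = 0x01
CVM_PLAINTEXT_PIN_ICC_AND_SIG = 0x03
CVM_ENCIPHERED_PIN_ICC = 0x04
CVM_ENCIPHERED_PIN_ICC_AND_SIG = 0x05
CVM_SIGNATURE = 0x1E
# Methods where the chip itself is supposed to have checked the PIN.
OFFLINE_PIN_METHODS = {CVM_PLAINTEXT_PIN_ICC, CVM_PLAINTEXT_PIN_ICC_AND_SIG,
                       CVM_ENCIPHERED_PIN_ICC, CVM_ENCIPHERED_PIN_ICC_AND_SIG}
RESULT_SUCCESS = 0x02  # CVM Results byte 3: 00 unknown, 01 failed, 02 successful


@dataclass
class CvmResults:
    method: int
    condition: int
    result: int

    @classmethod
    def parse(cls, raw: bytes) -> "CvmResults":
        if len(raw) != 3:
            raise ValueError("CVM Results must be exactly 3 bytes")
        # Bit 0x40 of byte 1 only means "apply next rule if this one fails".
        return cls(raw[0] & 0x3F, raw[1], raw[2])

    def terminal_claims_offline_pin(self) -> bool:
        return self.method in OFFLINE_PIN_METHODS and self.result == RESULT_SUCCESS


def no_pin_wedge_suspected(cvm_results: bytes, card_offline_pin_verified: bool) -> bool:
    """True when the terminal says the chip verified a PIN but the chip says it did not.

    card_offline_pin_verified is assumed to be the 'offline PIN verification
    performed' flag already decoded from the card's Issuer Application Data;
    its bit position is card-profile specific, so it is taken as a boolean here.
    """
    return CvmResults.parse(cvm_results).terminal_claims_offline_pin() and not card_offline_pin_verified


if __name__ == "__main__":
    honest = bytes([0x41, 0x03, 0x02])  # constructed: plaintext PIN by ICC, succeeded
    print(no_pin_wedge_suspected(honest, card_offline_pin_verified=True))   # False
    print(no_pin_wedge_suspected(honest, card_offline_pin_verified=False))  # True
```

A signature or online-PIN transaction makes no claim that the chip checked a PIN, so the check stays quiet there; the mismatch only fires when the terminal asserts offline PIN success that the card does not confirm.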
Card Authentication Protocol
Lets banks use EMV in online banking
Users compute codes for access, authorisation
A good design would take PIN and challenge / data, encrypt to get response
But the UK one first tells you if the PIN is correct
This puts your personal safety at risk ...
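The design point above, as an added example that is not code from the talk or from any bank's CAP reader: a reader that checks the PIN before doing any cryptography reveals PIN correctness to whoever holds the card, while one that folds the PIN into the response leaves that judgement to the bank. HMAC-SHA256 stands in for the card's cryptogram, and the key, PIN and challenge are constructed sample values.

```python
# Added example (not from the talk, not any bank's CAP code): two ways a
# handheld reader could turn a PIN and a challenge into a one-time code.
# HMAC-SHA256 stands in for the card's cryptogram; key and PIN are constructed.
import hashlib
import hmac

CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed sample key
CARD_PIN = "4931"  # constructed sample PIN


def _code(material: bytes) -> str:
    mac = hmac.new(CARD_KEY, material, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"  # 8-digit display code


def reader_pin_checked_first(pin_entered: str, challenge: str):
    """The design the talk criticises: the card checks the PIN before doing any
    crypto, so the reader can say 'PIN incorrect'. Whoever holds card and reader
    can therefore confirm a PIN on the spot, without involving the bank."""
    if pin_entered != CARD_PIN:
        return None  # reader shows "PIN incorrect"
    return _code(challenge.encode())


def reader_pin_folded_in(pin_entered: str, challenge: str) -> str:
    """The design the talk prefers: PIN and challenge are encrypted together and
    the reader never judges the PIN. A wrong PIN still yields a plausible code;
    only the bank, which knows the right PIN, can tell that it is wrong."""
    return _code(f"{pin_entered}:{challenge}".encode())


def bank_accepts(code: str, challenge: str) -> bool:
    """Bank-side check for the folded-in design."""
    return hmac.compare_digest(code, reader_pin_folded_in(CARD_PIN, challenge))
```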
Crime victims tortured for PINs
Phishing attacks?
Less suspicious than this ...
CAP attacks through wicked shops