Alleged EMV Flaw Stirs DebateLingering Mag-Stripe Opens Doors for New Types of Attacks
Did security researchers at financial solutions provider NCR unveil a security flaw with EMV - one that could allow hackers to steal card data from EMV chips and clone it on magnetic stripes?
At the recent Black Hat USA conference in Las Vegas, point-of-sale security researchers at NCR (which sells, among other things, POS terminals, software and encryption solutions) reportedly demonstrated how fraudsters could fool POS terminals into thinking chip cards are actually chipless by altering mag-stripe data contained on those cards.
This is not an attack on EMV technology; it's an attack on the magnetic stripe.
In a report about the alleged security flaw, CNN Money notes that NCR findings uncover a "glaring hole" in EMV, namely because when upgrading POS systems to accept EMV cards, retailers also need to deploy end-to-end encryption - which would render stolen card data useless.
But some security and payments experts balk at the research, saying the demo only proves what we already knew - that mag-stripe data remains vulnerable to attack, even if it exists on an EMV card. What's more, they argue that the demo's findings are self-serving and misleading, since end-to-end encryption, which demo researchers recommend as a solution, is a service NCR sells.
End-to-end encryption, experts say, would not prevent cloned mag-stripe data from being accepted at a POS device, though it could prevent card data from being compromised in transit, thus preventing mag-stripe data from being stolen in the first place.
That, however, would not prevent the type of attack demoed at Black Hat, says financial fraud expert and Gartner analyst Avivah Litan.
Fooling the System, Not Breaking the Tech
"Stealing the data is a different issue," she says. "The issue that's being talked about here is similar to what we saw in Brazil, when criminals stole mag-stripe cards and pushed them through as EMV transactions."
The vulnerability demoed by NCR basically hinges on the same concept, Litan adds. "It's a bit of a different twist, but along the same lines," she says. "The common theme here is that the criminals know the codes on the cards and in the POS systems, and they know how to manipulate them."
It's a huge problem - but not one that is new, Litan says.
"I heard about this a few months ago from the card companies," she says. "It's not really a technology flaw - it's a flaw in the technology process. In other words, there is a code on the mag-stripe that tells the card reader if the card is a chip or mag-stripe card. If the criminals change that mag-stripe's value on a chip card to say it's a mag-stripe card, they can use a counterfeit card, and the chip security features are not used."
Among issuers, this type of fraud is known as "fall-back" fraud, and it seems to be a growing problem.
In addition to Litan, I first heard about "fall-back" more than a month ago, when a respected banking leader told me about a new type of POS attack that was pushing fraud back on to issuers. He asked not to go on the record just yet, as more details about how the fraudulent transactions are actually fooling the POS are still being uncovered.
Based on what I know so far, this is the attack in a nutshell: Attackers are using counterfeit mag-stripe cards for accounts that the bank has already transitioned to EMV. The fraud "falls back" to the issuer, because the retailer says a mag-stripe was presented. See where the confusion comes in?
How Are Hackers Getting the Numbers?
In spite of EMV, what's likely perpetrating so-called fall-back fraud is the number of debit and credit cards that were breached before EMV was widely deployed. Fraudsters have all of these numbers and are still using them.
Use me as an example: Even though my bank has issued a chip card for me, the account number is the same as my old mag-stripe card. If my card was compromised at some point in the past, before I was issued an EMV card, then it's possible that fraudsters could create a cloned mag-stripe card with that old card data.
And even though today my account is associated with a chip, if a cloned account is presented at the POS, the system won't recognize a chip and will push the payment through as a mag-stripe transaction.
"The banks are getting hit with the fraud and blaming the retailers for not accepting those cards as chip cards," Litan says. "And the retailers have been telling the banks that the card was presented as a mag-stripe card."
The researchers who gave the demo at Black Hat could not be reached for comment.
Randy Vanderhoof, executive director of the EMV Migration Forum, a cross-industry body focused on supporting EMV chip implementation technology and processes in the U.S., says the fall-back fraud issue could be a legitimate one for banks. But the issue is not linked to a vulnerability in EMV.
"This is not an attack on EMV technology; it's an attack on the magnetic stripe," he says. "If the data on the magnetic stripe is altered, it might fool the terminal, but when the authorization request gets to the issuer, they can recognize it was altered because they know what information should be on the magnetic stripe, and will, therefore, reject the transaction. These kinds of risks with magnetic stripe cloning or altering is exactly the kind of problem that EMV is best at preventing."
The problem, as Litan points out, is that when the request gets to the issuer, there is a discrepancy. If fraudsters are successfully manipulating the code on the mag-stripe to fool the POS into thinking the card is a mag-stripe, not a chip, then what can be done to detect this kind of manipulation?
Should the card brands address this concern, or should it fall upon EMVCo, the global body that manages specifications and testing processes for the Europay, MasterCard, Visa standard?
In an Aug. 5 statement, EMVCo notes that the simulated attack that was demoed at Black Hat would be "extremely difficult and risky to deploy in the real world and is not practically scalable. Even if such an attack were to occur, when the full payment process is taken into account, various countermeasures are available to mitigate against this type of attack."
EMVCo goes on to say that this type of attack is waged against the mag-stripe, not the chip. "It is EMVCo's view that when the full payment process is taken into account, suitable protection exists to mitigate against this type of attack, such as ensuring that information read from a chip card is not sufficient to create a valid mag-stripe card," EMVCo states.
But what do you think? I've heard from others, beyond Litan, that this type of scheme is being perpetrated with success in the real-world. Do you think EMVCo and the card brands need to do more?