Cardholder verification method

Fraudulent transactions on counterfeit microprocessor cards (IPC) are carried out using the magnetic stripe or the card details (MO/TO, Internet). Because these transactions are performed on the magnetic stripe, the cardholder verification method defined by the issuer in the Cardholder Verification Method type does not matter. The holder is verified according to the service code, 201 (IPC, normal authorization, normal verification). It follows that the reduction of fraud on counterfeit IPC cards is due not to the introduction of the PIN at trade and service enterprises (hereinafter TSP), but to the use of the chip. If the holder is verified by signature when the IPC is serviced by chip, fraud on counterfeit cards will not increase relative to PIN verification. For the PIN code to have an effect on counterfeit card fraud, it would have to be entered at the TSP for magnetic stripe operations as well, which is not currently available (except for Maestro cards).

If someone tries to pay at a TSP with a stolen or lost microprocessor card that uses the CHIP and PIN technology, and the terminal supports the chip, the PIN must be entered. Since the fraudster does not know it, the operation cannot be carried out (unless the microprocessor is put out of operation and a fallback operation is then performed). Consequently, fraud on lost IPC cards is reduced by the PIN, but until the holder notifies the issuer of the loss, responsibility for such operations (according to card service agreements) lies with the client. The issuer's possible losses are limited to offline transactions made after the client has reported the loss of the card. Thus, if the CHIP and PIN technology is abandoned, banks' losses on counterfeit and lost cards will not increase, and ATM fraud will decrease.
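An added example (not from the original article) of the service code logic described above: it decodes a Track 2 service code per ISO/IEC 7813 and flags fallback, that is, a chip card read by magnetic stripe at a chip-capable terminal. The record fields `entry` and `chip_terminal` and the sample card numbers are assumptions made for illustration.

```python
import re

# ISO/IEC 7813 service code: one table per digit position.
INTERCHANGE = {"1": "international", "2": "international, chip (IPC)",
               "5": "national", "6": "national, chip (IPC)",
               "7": "private", "9": "test"}
AUTHORIZATION = {"0": "normal", "2": "online by issuer",
                 "4": "online by issuer unless bilateral agreement"}
VERIFICATION = {"0": "PIN required", "1": "normal verification",
                "2": "goods and services only", "3": "ATM only, PIN required",
                "4": "cash only", "5": "goods and services only, PIN required",
                "6": "PIN where feasible",
                "7": "goods and services only, PIN where feasible"}

# ;PAN=YYMM + 3-digit service code + discretionary data, optional end sentinel
TRACK2 = re.compile(r"^;?(\d{12,19})=(\d{4})(\d{3})(\d*)\??$")

def service_code_of(track2):
    m = TRACK2.match(track2)
    if not m:
        raise ValueError("not a Track 2 string")
    return m.group(3)

def decode_service_code(sc):
    if not re.fullmatch(r"\d{3}", sc):
        raise ValueError("service code must be three digits")
    return {"interchange": INTERCHANGE.get(sc[0], "reserved"),
            "authorization": AUTHORIZATION.get(sc[1], "reserved"),
            "verification": VERIFICATION.get(sc[2], "reserved"),
            "has_chip": sc[0] in "26",
            "pin_required": sc[2] in "035"}

def is_fallback(txn):
    """Chip card read by magnetic stripe at a terminal that could read the chip."""
    card = decode_service_code(service_code_of(txn["track2"]))
    return card["has_chip"] and txn["entry"] == "magstripe" and txn["chip_terminal"]

def flag_fallbacks(txns):
    return [t["id"] for t in txns if is_fallback(t)]

# Constructed sample records; field names and card numbers are made up.
SAMPLE = [
    {"id": 1, "track2": ";4000000000000002=30122011234567890?", "entry": "chip", "chip_terminal": True},
    {"id": 2, "track2": ";4000000000000002=30122011234567890?", "entry": "magstripe", "chip_terminal": True},
    {"id": 3, "track2": ";4000000000000010=30121011234567890?", "entry": "magstripe", "chip_terminal": True},
    {"id": 4, "track2": ";4000000000000028=30122011234567890?", "entry": "magstripe", "chip_terminal": False},
]

if __name__ == "__main__":
    print(decode_service_code("201"))
    print("fallback transactions:", flag_fallbacks(SAMPLE))
```

For service code 201 the decoder reports normal verification with no PIN requirement, which is why the verification method programmed on the chip plays no part on the magnetic stripe path.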

It seems that the “CHIP and PIN” program is a strategic mistake for the transition period of combined cards. When combined cards are serviced in retail establishments, holder verification by signature, as previously used on magnetic stripe cards, should be retained. For issuing banks this will not lead to an increase in losses: when a fraudulent operation is conducted on the magnetic stripe of an IPC, it does not matter at all how holder verification was programmed on the microprocessor. Issuers' losses from the use of lost cards by fraudsters will be small, since responsibility for such operations lies with the client until notification. Losses on offline operations can be reduced by adjusting the security parameters of the microprocessor.

When IPC operations are performed, the PIN code is entered at the TSP. This entails:
* an increase in the number of PIN entry points (POS terminals are many times more numerous than ATMs);
* POS terminals are installed in different kinds of locations than ATMs (when the PIN code is entered, a cashier and other customers are next to the holder; there is no security zone);
* a POS terminal is a less secure device than an ATM;
* a POS terminal is less controlled by the acquirer than an ATM (disconnection from processing, modification, substitution, etc.).

Negative consequences of the “CHIP and PIN” program:
* an increase in the number of PIN code compromises due to the emergence of new potential points of compromise (TSPs);
* increased losses due to ATM fraud. Losses on a compromised card are greater at an ATM than at a TSP;
* unwillingness of banks to counteract fraudulent transactions at ATMs. Banks have already learned how to deal with fraud in trade enterprises (up to terminating contractual relations and filing a statement with law enforcement agencies to initiate a criminal case), but if an acquiring bank has operations on fake cards at its ATMs, it is not entirely clear what to do (no one will turn off the ATM);
* compromise of the PIN code as an analogue of a handwritten signature and, as a result, fraud on the part of legitimate holders. This type of fraud casts doubt on the PIN code itself as an analogue of the holder's handwritten signature, and therefore on the legitimacy of transactions confirmed by the PIN code, including those of legitimate holders. The negative consequences of this discrediting of the PIN code will be very painful for issuing banks;
* the emergence of new attacks at the terminal level (fraudulent PIN pads).

All of the above is confirmed in practice.

* May 2006. Shell in the UK stopped using “chip and PIN” technology at non-refueling terminals for accepting payment cards after fraudsters stole more than 1 million rubles. Fraudsters had modified six hundred terminals to make unauthorized copies of the second track of the magnetic stripe and the PIN code; the fake cards were then used in non-chip ATMs.
* July 2006. Lloyds TSB Bank announced an increased level of IPC fraud from ATMs in other countries.
* August 2006, Montreal. Trading terminals were modified in order to copy the magnetic stripe and PIN (18 thousand cards).
* August 2006, Copenhagen. In a bookstore, holders' magnetic stripes and PIN codes were copied (509 cards in 3 days). Funds were then withdrawn from ATMs.
* 2007. Notification from MasterCard (Ref Number: 200702_001) about attacks in Austria, Germany, Switzerland and Sweden in which genuine terminals were replaced with false ones that intercept PIN codes.

Let’s take a closer look at the threats that appear using the “CHIP and PIN” technology.
* “Peeping over the shoulder.” A fraudster can learn the PIN code of a bank card holder by looking over the holder's shoulder while the code is entered during an operation at the TSP. The magnetic stripe can then be secretly copied, or the card stolen later. This threat also exists at ATMs, but its level is significantly lower. Properly installed ATMs have a so-called security zone, a space that separates the cardholder using the ATM from the rest of the people in the queue. It is impossible to create such a zone in a commercial enterprise; in addition, a cashier stands next to the holder and can also see the PIN code being entered.

* Substitution of a cryptographic key. A TMK (terminal master key) known to the attacker is loaded into the trading terminal (PIN pad). Second tracks and PIN blocks are then intercepted. Transactions with online PIN verification will not go through (wrong PIN code), but the fraudster intercepts the information he needs. As a result, the fraudster obtains the second tracks of cards and PIN blocks encrypted under a cryptographic key known to him. Next, “white plastic” is made and the money is withdrawn at a real ATM. If the trading terminal implements offline verification of a plaintext PIN, and the terminal and the PIN pad are separate physical devices (connected by a cable), then the cryptographic key under which the PIN block is encrypted in transit from the PIN pad to the terminal can be replaced. If this PIN block is intercepted, it is very easy to obtain the value of the PIN code. At the same time, the trading terminal will work normally, and the acquirer will not know about the key substitution. Verifying an enciphered PIN will not solve the problem, since the PIN block encryption key is known (the public key of the card) and a full brute force attack is possible (10,000 variants).

* Fraud on the part of TSP personnel. Before the “CHIP and PIN” technology, an unscrupulous employee of a trading company could only copy the magnetic stripe of the card (skimming). Now the employee can additionally learn the PIN code, both by simply watching it being entered and by technical means (for example, video cameras). As a result, fraudsters' activities become more effective and banks' losses grow. With only the magnetic stripe information stolen, a fake card has to be made, which requires certain costs. The fraudster then has to come to a store with that card and make a purchase. The fraudster does not know the balance available on the card, and there is always a risk that the staff of the outlet will recognize the card as counterfeit and the attacker will be detained by law enforcement agencies. When the second track of the card stripe is copied and the PIN code is obtained, the costs of making “white plastic” are minimal. Using such a card at an ATM carries a significantly lower risk of being detained than using it at a trading company, and all funds available on the card account can be withdrawn.

The vulnerabilities of the EMV standard include, firstly, the easy availability of the PIN code (given that the magnetic stripe remains on smart cards, non-chip operations can be conducted on them, which increases the risk of the cards being compromised). Secondly, EMV provides for authentication of the card and the issuer, but not for authentication of the terminal, and therefore attacks on the terminal itself will increase, from simple substitution to modification. This is already confirmed by the data. For example, on January 5, 2007, researchers at the University of Cambridge reprogrammed a “CHIP and PIN” terminal, turning it into a game console for playing Tetris.

There are new attacks at the terminal level (a kind of fraudulent PIN pad): the relay attack. This type of attack allows an attacker using relatively inexpensive equipment (in one implementation the components cost $442) to intercept and relay all traffic between a genuine IPC card and a genuine trading terminal. The genuine card and the terminal are located at geographically different points and interact through a fake terminal and a fake card, respectively, which are remotely connected to each other.

In order to reduce losses from ATM fraud caused by the compromise of the PIN code in commercial enterprises, holder verification by chip and signature (CHIP and signature) should be used. To increase the overall level of security with a PIN code, compliance with PCI DSS requirements and stronger cryptographic security are required: switching from the DES cryptographic algorithm to 3DES with double-length keys; stream encryption and the creation of VPN tunnels when connecting terminal devices to processing centers; use of the MAC function on all terminal devices; and implementation of remote loading of terminal master keys (Remote Key Management).