Chip Liability Shift

Card authentication is obviously an effective means of combating counterfeit cards. That is why the payment systems have introduced the chip liability shift, worded roughly as follows: if "counterfeit card" fraud occurs with a microprocessor card in a terminal that supports only magnetic-stripe cards, the bank servicing the terminal is liable for the fraud.

When it first appeared, the chip liability shift was intraregional: it applied only when the servicing bank and the card Issuer were residents of the same region of the payment system. The move of the largest payment systems towards globalising the liability shift has, however, made it largely interregional by now, and from October 1, 2015 (the start date of the liability shift in the United States for all outlets except gas stations) it becomes almost worldwide: its application will no longer depend on where the Issuer and the servicing bank are located.

During an online transaction the microprocessor card interacts with its Issuer. The Issuer informs the card of its final decision on the operation (approve or decline). In addition, the Issuer may send the card commands that modify specific data of the card application, or that block either the card application or the whole card. The Issuer's commands that modify card data are obviously used not only during transaction execution but also at the card personalisation stage.

To increase the trustworthiness of the Issuer's decisions (to prevent a third party from forging them), the card must be able to authenticate its Issuer. Issuer authentication is provided by the card verifying a special data element, the ARPC, received from the Issuer's authorisation response, and by the card verifying the Message Authentication Code (MAC) values contained in the commands it receives from the Issuer.

  • The microprocessor card guarantees the Issuer that the cardholder cannot repudiate the result of the performed operation (non-repudiation). This is ensured by the fact that for every transaction the Issuer receives a special application cryptogram, which is a signature over the most critical transaction data made with the card key. Agreement of the application cryptogram with the transaction data and the card key confirms that the transaction was executed with the Issuer's card.

In EMV version 4.2 the cryptogram is formed with a symmetric algorithm, so non-repudiation rests on trust in the card Issuer: in their rules the payment systems rely entirely on the bank behaving impeccably towards its client. However, EMVCo has now begun developing a fundamentally new version of the standard, EMV Next Generation, in which the cryptogram will be formed with an asymmetric algorithm and can therefore be verified by a third party using the public key certificates of the Issuer and the payment system.

The microprocessor card makes it possible to verify the integrity of the data exchange between the card and the Issuer, as well as between the card and the terminal. The integrity of the exchange between the application Issuer and the card application is ensured by:

• the MAC value contained in the commands sent by the Issuer;

• the ARQC cryptogram, a signature over the transaction data made by the card application and forwarded by the terminal to the Issuer.
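To make the exchange above concrete (ARQC from the card, ARPC from the Issuer, MAC on Issuer commands), here is an added Python model. It is not code from the original text or from any EMV implementation: HMAC-SHA256 truncated to 8 bytes stands in for the 3DES-based MAC of EMV 4.2, the session-key derivation is a simplified assumption, and the master key, ATC and transaction data are constructed sample values.

```python
import hmac
import hashlib

# Assumption: HMAC-SHA256 truncated to 8 bytes stands in for the 3DES-based MAC
# of EMV 4.2, and session keys are derived with the same primitive.
# Constructed sample values (not from any real card):
MASTER_KEY = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")   # card's AC master key
ATC = bytes.fromhex("002A")                                       # Application Transaction Counter
TXN_DATA = bytes.fromhex("000000001200" "0978" "1A2B3C4D")         # amount, currency, unpredictable number
MAC_LEN = 8


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


def session_key(master_key: bytes, atc: bytes, purpose: bytes) -> bytes:
    """Per-transaction key diversified by the ATC; b'AC' for cryptograms, b'SMI' for script MACs."""
    return hmac.new(master_key, purpose + atc, hashlib.sha256).digest()[:16]


# ---- card side ----------------------------------------------------------------
def card_generate_arqc(master_key, atc, txn_data):
    """ARQC: the card's signature over the critical transaction data."""
    return mac(session_key(master_key, atc, b"AC"), atc + txn_data)


def card_verify_arpc(master_key, atc, arqc, arc, arpc):
    """Issuer authentication: recompute the ARPC over the card's own ARQC and the
    Authorisation Response Code (ARC); only the holder of the key can produce a match."""
    expected = mac(session_key(master_key, atc, b"AC"), arqc + arc)
    return hmac.compare_digest(expected, arpc)


def card_verify_script_mac(master_key, atc, command, mac_value):
    """Secure messaging for integrity: a script command is executed only if its MAC checks."""
    expected = mac(session_key(master_key, atc, b"SMI"), command)
    return hmac.compare_digest(expected, mac_value)


# ---- issuer side --------------------------------------------------------------
def issuer_verify_arqc(master_key, atc, txn_data, arqc):
    """The Issuer holds the same master key, so it recomputes the ARQC over the data
    it received; any change to that data in transit breaks the match."""
    return hmac.compare_digest(card_generate_arqc(master_key, atc, txn_data), arqc)


def issuer_generate_arpc(master_key, atc, arqc, arc):
    return mac(session_key(master_key, atc, b"AC"), arqc + arc)


def issuer_mac_script(master_key, atc, command):
    return mac(session_key(master_key, atc, b"SMI"), command)


def run_online_transaction(master_key, atc, txn_data, tamper_txn=None, forge_arpc=False):
    """Card -> terminal/acquirer -> Issuer -> card round trip.
    tamper_txn: transaction data as altered by a middleman before it reaches the Issuer.
    forge_arpc: a party without the key tries to hand the card an approval."""
    arqc = card_generate_arqc(master_key, atc, txn_data)
    received = txn_data if tamper_txn is None else tamper_txn
    arqc_ok = issuer_verify_arqc(master_key, atc, received, arqc)
    arc = b"00" if arqc_ok else b"05"          # ISO 8583-style response codes: approve / decline
    arpc = bytes(MAC_LEN) if forge_arpc else issuer_generate_arpc(master_key, atc, arqc, arc)
    return {
        "arqc_ok": arqc_ok,
        "arc": arc,
        "issuer_authenticated": card_verify_arpc(master_key, atc, arqc, arc, arpc),
    }


if __name__ == "__main__":
    print(run_online_transaction(MASTER_KEY, ATC, TXN_DATA))
    altered = bytes.fromhex("000000009900" "0978" "1A2B3C4D")   # amount changed in transit
    print(run_online_transaction(MASTER_KEY, ATC, TXN_DATA, tamper_txn=altered))
```

The two failure paths are the ones the text relies on: altered transaction data makes the Issuer's recomputed ARQC disagree with the card's, so the transaction is declined, while a response not produced with the shared key fails the card's ARPC check, so the card does not treat it as the Issuer's decision. Because the same symmetric key sits on both sides, the ARQC proves the transaction only to the Issuer, which is exactly the limitation the paragraph on EMV 4.2 and the asymmetric cryptogram of EMV Next Generation addresses.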

The integrity of the most critical data passing between the terminal and the card (transmitted in the GET PROCESSING OPTIONS and GENERATE AC commands and in the responses to them) is ensured by the procedure of combined application cryptogram generation and dynamic card authentication.

To ensure the integrity of the data the terminal reads at the start of transaction processing, static data authentication (SDA) of the application data is used; the integrity of the data the Issuer sends to the card is ensured by the MAC value contained in the Issuer's commands. The integrity of the data exchange between the card and the terminal is ensured by the procedure of combined application cryptogram generation and dynamic card authentication (Combined Dynamic Data Authentication/Application Cryptogram Generation, CDA). This procedure makes it possible to electronically sign the most critical data exchanged between the card and the terminal.

The microprocessor card makes it possible to ensure the confidentiality of data in the exchange between the card and the Issuer and between the card and the terminal. Confidentiality of the data passing between the card and the Issuer is ensured by encrypting the secret data contained in the Issuer's commands with a symmetric algorithm (3DES). Confidentiality of the PIN value when the card verifies it offline is ensured by an asymmetric algorithm (RSA).

The microprocessor card provides the Issuer with mechanisms for reliable verification (authentication) of the cardholder. First of all, one should mention the ever-expanding use of chip cards for cardholder verification by offline verification of the holder's PIN by the card itself.

In addition, with a microprocessor card and a special reader, the PCR (Personal Card Reader), two-factor authentication of the cardholder is implemented for CNP (Card Not Present) operations. In response to the correct PIN entered by the cardholder on the PCR, the card generates a one-time password from the card's secret data; the password is displayed on the reader's screen and used by the cardholder to authenticate in high-risk transactions.

The microprocessor card can provide the Issuer with a mechanism for countering fraudsters' attempts to recover the application keys. For example, M/Chip 4 uses the following counters and their corresponding limits (upper bounds):

• SMI session key counter: the number of failed checks by the M/Chip 4 application of the MAC value contained in the application Issuer's commands;

• Session key counter: the number of times the application session key used to generate the cryptogram has been generated since the last successful ARPC check;

• Bad cryptogram counter: the number of cases in which the decrypted PIN block, during cardholder verification by the offline PIN method, turned out to be malformed (not in ISO format 2).
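The following added Python model (not code from the original text or from M/Chip 4) shows how the three counters bound an attacker's attempts: each is incremented by the event named above and, once its limit is reached, the card refuses the corresponding operation. The limit values, the refusal behaviour and the reference PIN are assumptions; the ISO 9564-1 format 2 PIN block layout that the parser checks is a fact, and the sample blocks are constructed.

```python
def parse_iso_format2_pin_block(block: bytes):
    """ISO 9564-1 format 2 PIN block (the layout the card expects after RSA decryption):
    8 bytes = nibble 0x2, nibble PIN length (4..12), the PIN digits, then 0xF filler.
    Returns the PIN as a string, or None if the block is malformed."""
    if len(block) != 8:
        return None
    nibbles = [n for b in block for n in (b >> 4, b & 0x0F)]
    length = nibbles[1]
    if nibbles[0] != 0x2 or not 4 <= length <= 12:
        return None
    digits, filler = nibbles[2:2 + length], nibbles[2 + length:]
    if any(d > 9 for d in digits) or any(f != 0xF for f in filler):
        return None
    return "".join(str(d) for d in digits)


class KeyAttackCounters:
    """Constructed model of the three M/Chip 4 counters named above. The limits and the
    reaction on reaching a limit (the card refuses the operation) are assumptions."""
    LIMITS = {"smi_session_key": 10, "session_key": 20, "bad_cryptogram": 5}

    def __init__(self, reference_pin: str = "1234"):   # assumed reference PIN
        self.counters = dict.fromkeys(self.LIMITS, 0)
        self.reference_pin = reference_pin

    def exceeded(self):
        return [name for name, value in self.counters.items() if value >= self.LIMITS[name]]

    def issuer_script_command(self, mac_valid: bool) -> str:
        """SMI session key counter: one increment per Issuer command whose MAC fails."""
        if "smi_session_key" in self.exceeded():
            return "REFUSED_LIMIT"
        if not mac_valid:
            self.counters["smi_session_key"] += 1
            return "MAC_INVALID"
        return "EXECUTED"

    def generate_ac(self) -> str:
        """Session key counter: every cryptogram consumes a session key derived from the
        card's master key; only a successful ARPC check resets the count."""
        if "session_key" in self.exceeded():
            return "REFUSED_LIMIT"
        self.counters["session_key"] += 1
        return "CRYPTOGRAM"

    def arpc_verified(self) -> None:
        self.counters["session_key"] = 0

    def offline_pin_verify(self, decrypted_pin_block: bytes) -> str:
        """Bad cryptogram counter: counts decrypted PIN blocks that are not ISO format 2.
        A well-formed but wrong PIN is the PIN Try Counter's business, not this counter's."""
        if "bad_cryptogram" in self.exceeded():
            return "REFUSED_LIMIT"
        pin = parse_iso_format2_pin_block(decrypted_pin_block)
        if pin is None:
            self.counters["bad_cryptogram"] += 1
            return "BAD_CRYPTOGRAM"
        return "PIN_OK" if pin == self.reference_pin else "PIN_WRONG"


def simulate(events):
    """Replay ('script', mac_valid) / ('ac',) / ('arpc_ok',) / ('pin', block) events on a
    fresh card and return its responses in order."""
    card = KeyAttackCounters()
    out = []
    for ev in events:
        if ev[0] == "script":
            out.append(card.issuer_script_command(ev[1]))
        elif ev[0] == "ac":
            out.append(card.generate_ac())
        elif ev[0] == "arpc_ok":
            card.arpc_verified()
            out.append("RESET")
        elif ev[0] == "pin":
            out.append(card.offline_pin_verify(ev[1]))
    return out


if __name__ == "__main__":
    garbage = bytes(8)   # constructed: what a PIN block decrypts to when it was not built with the card's public key
    print(simulate([("pin", garbage)] * 7))
    print(simulate([("ac",)] * 21 + [("arpc_ok",)] + [("ac",)]))
```

The point of the model is the reset rule: the session key counter only goes back to zero after the card has authenticated a genuine Issuer response, so cryptograms cannot be harvested indefinitely without the Issuer seeing the card, and the other two counters cap how many MAC or PIN-block guesses the card will ever evaluate.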

In view of the above, we can summarise the contribution the microprocessor card makes to the security of operations. The microprocessor card provides:

• physical protection of the data stored on the card (tamper-resistant device);
• reliable authentication of the card application by the terminal and/or the application Issuer;
• reliable authentication of the application Issuer by the card application;
• secure cardholder verification with online or offline PIN verification;
• confirmation of the card transaction (the cardholder cannot repudiate the transaction);
• confidentiality and integrity of sensitive data in the "Issuer – card" and "terminal – card" dialogues;
• the option for the application Issuer to change application settings after the card has been issued to the cardholder (for example, block the card, change settings, risk management parameters, etc.), with the integrity of the Issuer's commands guaranteed;
• reliable two-factor authentication of the cardholder in high-risk transactions;
• confirmation to the application Issuer that the terminal performed offline authentication of the card application;
• control over any attempts by fraudsters to compromise the card's keys.

Since the advent of the EMV standard, publications have regularly appeared in the professional press questioning the security of operations performed with EMV cards. Examples of such publications are given below.

A paper by a team of specialists at the University of Cambridge (UK) discusses an attack aimed at using a stolen (lost) microprocessor card whose application's CVM List requires Offline PIN, while the PIN is unknown to the fraudsters. To carry out the attack, the fraudsters insert a special wedge device between the card and the POS terminal; it intercepts the terminal's VERIFY command, does not pass it to the card, and instead returns the "PIN OK" response to the terminal. As a result, the card application believes that a cardholder verification method other than Offline PIN was used (bits 1, 2, 3 of byte 1 of the CVR are 0, and bit 6 of byte 4 is 1), while the terminal believes that Offline PIN verification succeeded, and this is reflected in the CVM Results data object held by the terminal. Consequently, the fraudsters can hope to complete transactions at POS terminals (not at ATMs, where Online PIN is used) without knowing the PIN.

Let us explain the security mechanisms implemented in the M/Chip 4 application with which the attack described above can be prevented.

Consider first the case where the operation is authorised online. The M/Chip 4 application checks the CVM Results value against bit 6 of byte 4 of the CVR (Offline PIN Verification Not Performed) and, if they do not agree, sets bit 1 of byte 4 (Terminal Erroneously Considers Offline PIN OK) to 1. If bit 1 of byte 1 of the CIAC-Denial object is set to 1, the transaction is then declined. To avoid this outcome, the wedge device alters the CVM Results data passed to the M/Chip 4 application in the GENERATE AC command (the CVM Results data object is in the CDOL1 list) so that it agrees with the CVR, and the card application notices nothing.

Next, the card application sends the Issuer a cryptogram corresponding to a CVR that says offline PIN verification was not performed. If the wedge device tries to alter the card application's CVR to indicate that the offline PIN was OK, the application Issuer will detect this when it checks the transaction cryptogram.

Thus, for online transactions all that is needed is for the servicing bank to send the Issuer, among other data, the CVM Results object. It is in the application Issuer's interest to verify that the CVM Results agree with the CVR data.

Now consider an offline transaction. Here the emphasis is again on checking the correspondence between CVM Results and CVR, and on using the CIAC-Denial mechanism (the Terminal Erroneously Considers Offline PIN OK bit must be set to 1). To prevent the wedge device from tampering with the CVM Results, it is sufficient to use the combined authentication mechanism CDA.

Thus, to prevent the attack described above, it is necessary that application Issuers verify the agreement of CVM Results with CVR data in authorisation requests, that servicing banks send the CVM Results object to Issuers, and that terminals and card applications support the CDA method.
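As an added Python model (not the original text's or M/Chip 4's code) of the checks described in this and the preceding paragraphs, the following puts the three defences side by side: the card's comparison of CVM Results with its CVR followed by the CIAC-Denial decision, the Issuer's consistency check on the authorisation request, and CDA's binding of the CDOL1 data the terminal actually sent. The CVM Results encoding and CVM codes are EMV facts and the CVR bit positions are those given in the text; the CIAC-Denial value, the amount and the outcome labels are constructed, and a SHA-256 hash stands in for the CDA signature.

```python
import hashlib

# EMV facts: CVM Results (tag 9F34) is 3 bytes: CVM code, CVM condition, result.
# Result 0x02 = successful. Bit 0x40 of the CVM code only means "apply the next rule
# on failure", so the method itself is code & 0x3F: 0x01 plaintext PIN by ICC,
# 0x04 enciphered PIN by ICC, 0x1E signature, 0x1F no CVM required.
OFFLINE_PIN_METHODS = {0x01, 0x04}
CVM_SUCCESSFUL = 0x02

# M/Chip 4 CVR flags in byte 4, bit numbering as in the text (bit 1 = least significant).
CVR_OFFLINE_PIN_NOT_PERFORMED = 0x20            # byte 4, bit 6
CVR_TERMINAL_ERRONEOUSLY_OFFLINE_PIN_OK = 0x01  # byte 4, bit 1
# CIAC-Denial is compared bitwise with CVR bytes 4-6; any common bit set -> AAC (decline).
# Constructed Issuer setting: byte 1 bit 1 set, as the text recommends.
CIAC_DENIAL = bytes([0x01, 0x00, 0x00])


def terminal_claims_offline_pin_ok(cvm_results: bytes) -> bool:
    return (cvm_results[0] & 0x3F) in OFFLINE_PIN_METHODS and cvm_results[2] == CVM_SUCCESSFUL


def cda_digest(cvr: bytes, cdol1_data: bytes) -> bytes:
    # Stand-in for CDA: the real card returns an RSA signature over dynamic data that
    # includes a hash of the CDOL1 data; only that hash binding is modelled here.
    return hashlib.sha256(cvr + cdol1_data).digest()


def card_first_generate_ac(cvr: bytes, cdol1_data: bytes, ciac_denial: bytes):
    """Card-side check. cdol1_data is amount(6) || CVM Results(3) as the card received it."""
    cvr = bytearray(cvr)
    cvm_results = cdol1_data[6:9]
    if terminal_claims_offline_pin_ok(cvm_results) and cvr[3] & CVR_OFFLINE_PIN_NOT_PERFORMED:
        cvr[3] |= CVR_TERMINAL_ERRONEOUSLY_OFFLINE_PIN_OK
    cvr = bytes(cvr)
    decline = any(c & v for c, v in zip(ciac_denial, cvr[3:6]))
    return cvr, ("AAC" if decline else "ARQC"), cda_digest(cvr, cdol1_data)


def issuer_consistency_check(cvm_results_from_acquirer: bytes, cvr_from_card: bytes) -> bool:
    """Issuer rule: the terminal's CVM Results must not claim an offline PIN the card never checked."""
    return not (terminal_claims_offline_pin_ok(cvm_results_from_acquirer)
                and cvr_from_card[3] & CVR_OFFLINE_PIN_NOT_PERFORMED)


def transaction_outcome(wedge_present: bool, wedge_rewrites_cdol1: bool,
                        online: bool, terminal_supports_cda: bool) -> str:
    amount = bytes.fromhex("000000001200")                       # constructed
    # Terminal's own record: plaintext offline PIN by ICC, condition 0x03, successful.
    terminal_cvm_results = bytes([0x41, 0x03, CVM_SUCCESSFUL])
    # Without a wedge the card really processed VERIFY; with one it never saw the command.
    card_cvr = bytes([0, 0, 0, CVR_OFFLINE_PIN_NOT_PERFORMED if wedge_present else 0, 0, 0])
    sent = amount + terminal_cvm_results
    seen_by_card = sent
    if wedge_present and wedge_rewrites_cdol1:
        seen_by_card = amount + bytes([0x1F, 0x00, CVM_SUCCESSFUL])   # made to agree with the CVR
    cvr, ac_type, digest = card_first_generate_ac(card_cvr, seen_by_card, CIAC_DENIAL)
    if ac_type == "AAC":
        return "DECLINED_BY_CARD"
    if terminal_supports_cda and digest != cda_digest(cvr, sent):
        return "DECLINED_BY_TERMINAL_CDA"
    if online and not issuer_consistency_check(terminal_cvm_results, cvr):
        return "DECLINED_BY_ISSUER"
    return "APPROVED"


if __name__ == "__main__":
    for args in [(False, False, True, True), (True, False, True, False),
                 (True, True, True, False), (True, True, False, False), (True, True, False, True)]:
        print(args, "->", transaction_outcome(*args))
```

Read the outcomes against the three requirements stated above: an unmodified CVM Results value is caught by the card itself; a rewritten one gets past the card but not past an Issuer that receives the terminal's CVM Results with the request; and the only case that is approved is an offline transaction on a terminal without CDA, which is the gap the text says CDA closes, because the card's signature then covers the CDOL1 data the terminal really sent.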

A publication by Inverse Path describes attacks aimed at stealing the PIN. The essence of these attacks is to alter the CVM List. Such a change causes the card's static data signature check to fail (the CVM List is usually included in the static data to be signed), but that is not a reason to decline the transaction; it only sends the transaction online. In that case, before an authorisation request is sent to the Issuer, the cardholder is verified by the plaintext Offline PIN method, which is listed as the priority method in the altered CVM List.

In this way, using a wedge device installed at the terminal, the PIN value can be stolen.

This method of PIN theft is very complex and original. Moreover, it does not give the fraudsters all the data needed to clone the card onto a magnetic stripe: they obtain only the chip CVC/iCVV value, which differs from the CVC/CVV on the magnetic stripe.

Today it can be firmly stated that the EMV standard has already proven its reliability and provides a high level of security for operations with plastic cards. Moreover, the standard is constantly evolving, and its owner, EMVCo, intends to release a new version, EMV Next Generation, whose implementation is planned to begin in 2025. The new version will pay considerable attention to improving the efficiency of the transaction security mechanisms used. In particular, it is expected to use asymmetric algorithms based on elliptic-curve mathematics, which are faster than RSA. This will make it possible to organise secure connections between the card and terminal applications, to use a transaction cryptogram formed with an asymmetric algorithm (allowing the cryptogram to be verified by a third party), and much more.