Security analysis of operations on EMV cards

Properties of the microprocessor card, allowing to increase the security of operations

The most important property of a microprocessor card (MPC) is the support of cryptographic functions by the operating system of the card. The use of these functions by the card application can significantly improve the security of payment transactions.

The tasks solved by the IPC application to improve the security of plastic card transactions are listed below.
1. The most important basic task solved by the card application using cryptographic methods is to ensure reliable authentication of the card application (more often they say, and we will support this terminology, card authentication, although it is more correct to talk about application authentication). In this case, card authentication is understood as the process of proving that this card (application) was issued by a bank authorized by the relevant payment system. The successful authentication of the card means that the fact of the issue of the card in question by Bank X, which is a member of the payment system Y, has been proven, which allowed Bank X to issue cards of the payment system Y. The reliability of proof of the fact of issuing a particular card by an authorized issuer depends on the method of card authentication.
Briefly recall the general information about the methods of card authentication. Card authentication methods are divided into offline and online. The latest version of the EMV standard (v. 4.1) distinguishes three methods of offline card authentication:
* SDA (Static Data Authentication)
• DDA (Dynamic Data Authentication)
• CDA (Combined Dynamic Data Authentication/AC Generation).

The first authentication method in the list belongs to the class of static authentication methods, while the last two belong to dynamic authentication methods.
The SDA method ensures the integrity of the data critical for the card application, as well as the impossibility of creating a card from a “white sheet”. In essence, the method is an analogue of CVV/CVC for a microprocessor card.
The methods of dynamic authentication of the card consist in verification by the terminal of the data signed by the card generated by the terminal (with the mandatory use of a random number generated by the terminal). Authentication of the card in this case guarantees, at the level of cryptographic strength of the RSA algorithm, the fact that the card contains a chip personalized by the issuer authorized by the payment system to issue the cards. To implement dynamic card authentication methods, the support of the RSA algorithm by the card chip is required.

The CDA method, in addition to dynamic authentication of the card, additionally ensures the integrity of the most critical information exchange data in the card-terminal dialog (CID and transaction details). This is achieved by combining the card authentication procedure with the Generate AC command, during which the most important data is exchanged between the card and the terminal.
Dynamic authentication methods automatically include static authentication, which is performed as part of the verification procedure for the card’s public key certificate.
From the above it follows that from the point of view of ensuring the security of a card transaction, the most reliable method of offline authentication is CDA. Next are the DDA and SDA methods. At the same time, the SDA method does not even protect the microprocessor card (hereinafter referred to as MPC) from cloning it for use in offline operations.

The choice of the offline authentication method is made by the terminal based on the AIP data and the terminal capabilities determined by the value of the third byte of the Terminal Capabilities data object (Tag ‘9F33’).
In accordance with the rules of payment systems, all cards (with the exception of the so-called “ATM only” cards) must support the SDA method, terminals – SDA and DDA (with the exception of “Online only” terminals). In addition, the general trend is that terminals and cards are starting to move towards supporting CDA and DDA, respectively. It is very likely that in the next decade, CDA support will become mandatory for all terminals and cards with offline mode of operation (offline capable). So far, the plans of the MasterCard system are to start from January 2011. make it mandatory to support the CDA method for all new offline capable terminals and the DDA method for all new offline capable cards.
Since card authentication is an important element of the issuer’s decision-making on the result of transaction authorization, the issuer should be able to verify that the card authentication has been performed by the terminal. This is required in order to avoid fraud on the part of an unscrupulous merchant or service bank claiming that the card authentication has been performed, although this does not correspond to reality. The reason for deception may be the savings of a trading company or a servicing bank to support the card authentication function at the POS terminal. There is a mechanism for verifying that the card authentication is performed by the terminal in the EMV standard (Data Authentication Code for the case of static authentication and ICC Dynamic Number for the case of dynamic card authentication).

Obviously, the IPC is a microcomputer capable of processing input data received from the terminal and (or) the card issuer. Data processing is reduced to performing a number of checks, according to the results of which the card makes a decision on the result of processing the transaction. Sometimes the card simply “voices” the decision received from the issuer. In some cases, the card independently makes a decision delegated to it by the issuer using the appropriate configuration of the card application.

Examples of checks performed by the card are card verification of the cardholder’s PIN code, checks related to risk management (card risk management), authentication of the card issuer, checks confirming the integrity of the information received from the issuer.

In the case of an offline transaction, the issuer fully delegates to the card the function of making a decision on the result of the operation. Obviously, only the decisions of the card, the authenticity of which is proven, can be trusted. That’s why its reliable authentication is so important.

 

The card is authenticated by the terminal and/or the card issuer. In offline operations, card authentication is carried out only by the terminal. In the case of an online transaction, the authentication of the card can be carried out by both the terminal and the issuer (for terminals operating only in real time, the so-called online only terminal, it is allowed that the authentication of the card is carried out only by its issuer).
Obviously, card authentication is an effective means of combating counterfeit cards (counterfeit). That is why payment systems have introduced the chip liability shift, formulated as follows. If fraud of the “fake card” type occurred in a terminal that supports only cards with a magnetic stripe, according to the IPC, then the bank servicing the terminal is responsible for fraud. The shift of responsibility is still intra-regional in nature (it is valid in the case when the servicing bank and the card issuer are residents of the same region of the payment system). However, the movement towards the globalization of the shift of responsibility in the largest payment systems has already begun.
2. In the process of executing an online transaction, the IPC interacts with its issuer. The issuer informs the card of its final decision on the authorization of the operation (to reject or approve the operation). In addition, the issuer can send commands to the card, with the help of which individual data of the card application will be modified, or the card application or even the entire card will be blocked. The issuer’s commands modifying the card data are obviously used not only during the execution of the transaction, but also at the stage of card personalization.
In order to increase confidence in the issuer’s decisions (to avoid forgery of the issuer’s decision by a third party), it is required to provide for the card to authenticate its issuer. The issuer’s authentication is ensured by checking with the card a special data element (ARPC) received by the card from the issuer’s authorization response, as well as by checking with the card the values of the message authentication code (MAC) contained in the commands coming to the card from the issuer.
3. The IPC guarantees to the issuer that the holder of his card cannot refuse the result of the performed operation (non-repudiation). This is ensured by the fact that for each operation, the issuer receives at its disposal a special applied cryptogram, which is a signature of the most critical transaction data made using the card key. The compliance of the applied cryptogram with the transaction data and the card key confirms the fact of its execution using the issuer’s card.
4. IPC allows you to verify the integrity of data exchange between the card and the issuer, as well as the card and the terminal. Ensuring the integrity of the information exchange between the issuer and the card is carried out by using the MAC value contained in the commands sent by the issuer to the card. The integrity of data exchange between the card and the terminal is ensured using the procedure of combined generation of an applied cryptogram and dynamic authentication of the card (combined dynamic data authentication, application cryptogram generation). Thanks to this procedure, it becomes possible to electronically sign the most critical data of the information exchange of the card with the terminal.
5. IPC allows you to ensure the confidentiality of data in the information exchange between the card and the issuer, the card and the terminal. The confidentiality of the data circulating between the card and the issuer is ensured by encrypting the secret data contained in the issuer’s commands using a symmetric encryption algorithm (3DES). The confidentiality of the PIN code value when it is checked by the card in offline mode is ensured using an asymmetric encryption algorithm (RSA).
Real security of microprocessor cards

In this section, we will try to assess the real security of operations performed using IPC. This estimate will be obtained taking into account the fact that today in the world a significant part of the terminal equipment for card servicing (73% of POS terminals and 84% of ATMs according to data for the second quarter of 2007) accepts only cards with a magnetic stripe and most of the issued cards are cards with a magnetic stripe only (about 83% according to data for the 2nd quarter of 2007). This fact has a significant impact on the security of card transactions, if only because many transactions are still processed using magnetic stripe technology that is vulnerable from a security point of view.
Indeed, if we denote by A the share of microprocessor cards, and by B the share of terminals capable of servicing IPCs, then as a rough estimate of the number of operations performed using the chip, we can use the value AB. For example, if A = B = 70% (the values of A and B demonstrate a sufficiently mature stage of migration to the chip), then only about half of the operations will feel the advantages of microprocessor card technology in terms of increasing their security.
Below we will talk about other forms of influence of the “mixed” nature of today’s card world, in which there are cards and terminals that support only the magnetic stripe, on the security of card transactions.
The analysis will be carried out in the form of an assessment of the security of operations in the context of the main types of fraud mentioned earlier.
Fake microprocessor cards

Let’s start with the most common type of fraud — fake cards. It has already been said that the methods of dynamic authentication of the card (online and offline) deal a crushing blow to this type of fraud. Without knowing the corresponding key of the card or the issuer or the system, it is impossible to forge a chip card at the level of cryptographic strength of the RSA algorithm in the case of offline dynamic authentication of the card and the 3DES algorithm for online authentication.

At the same time, if the cards are incorrectly personalized or a weak authentication method is chosen, fraud of the “fake card” type is possible. Below we will try to systematize the possible ways of card forgery.
So, let’s imagine that in our left hand we have a real hybrid card issued by a participating bank of some payment system, and in our right hand we have a “clean” blank for a hybrid card or a card with a magnetic stripe. In addition, like any self-respecting fraudster, we have a programmer for the chip used on the card blank, a means of personalizing the magnetic stripe of the card, as well as a machine for personalizing plastic (printing, embossing, etc.).

Depending on which card is in our left hand, we will offer various methods of fraud of the “Fake Card” type, in which, based on the data of the card of the left hand in the right hand, we will have a card that, under certain circumstances, can be successfully used in the payment network.
First of all, we will divide all possible methods of fraud into two classes: chip forgery and card magnetic stripe forgery.
Fake magnetic stripe. Possible schemes for counterfeiting the magnetic stripe of a hybrid card

In order to increase the level of information protection, leading payment systems over the past few years have required their banks to participate in VISA account information security and MasterCard site data protection programs. These programs require banks to monitor the online stores they serve in terms of meeting a number of security requirements. Such safety requirements include:
* support of network access protection tools (firewall) on the merchant’s server;
* encryption of confidential data during their storage and transmission;
* use of up-to-date antivirus programs;
* timely application of “security patches” in the software used;
* use of procedures for delimiting access to servers and data;
* performing continuous audits of online store security systems.

At the end of 2004, the Plastic card industry data security standard (PCI DSS) was used as the basis for data protection programs of two leading payment systems. The standard includes 12 top-level requirements that must be met by the information systems of any (including online) store or third-party processor. These requirements are listed below:
1. To protect network access to servers storing card information, it is necessary to use specialized hardware and software Firewall. Firewall settings that determine the allowed network traffic must be constantly monitored.
2. You cannot use the default values of passwords and other security parameters in the systems used by the store. As an example to illustrate, the use of default values of the WEP protocol parameters used to ensure the security of Wi-Fi wireless radio communications when using the IEEE 802.11b standard leads to the fact that most devices of this standard currently do not support the required level of security.
3. The stored card data must be protected (by encryption, hashing or truncation of the stored information). In systems of commercial enterprises should not be stored information (even encrypted) used for authentication of the card holder (e.g., the values of the PVV, the second track magnetic stripe card, etc.).
4. The network transmissions card holder must be securely encrypted (you can also use symmetric algorithms 3DES with key not less than 112 bits, AES with a key length of 256 bits and asymmetric RSA algorithm with a key length of 1024 bits).
5. It is necessary to use and regularly update antivirus software.
6. You need to pay attention to the detection and remediation of vulnerabilities used to store the software (in time to use modification, remediate detected vulnerabilities, install the testing process developed his forces to detect vulnerabilities, use the best practices of developing new, etc.).
7. Use limit employee access commercial enterprise only to functions and information that they need for their activities.
8. Each user of the store’s processing system must have a unique identifier used for authentication within the system. The uniqueness of the identifier allows not only to ensure access differentiation in the system, but also allows you to track the actions of all employees in the store’s information system.
9. Physical access of store employees to servers storing card databases should be restricted. This avoids the possibility of writing information to external media, replacing and stealing equipment that stores sensitive information. Physical access should also be restricted to telecommunication resources through which access to servers is possible (in particular, to wireless access points).
10. It is necessary to monitor access to Card Databases using mechanisms for logging system user activity related to access to the system, authentication attempts, etc
11. It is necessary to regularly audit and test the store’s security systems. The servicing bank is represented by the cashier of the trading company, who does not always follow the instructions of the bank when accepting cards. Microprocessor cards, which will be discussed later, are fundamentally capable of increasing the level of card security.
12. It is necessary to maintain a security policy within the company that clearly defines for each employee of the online store the requirements imposed on him from the point of view of maintaining the security of the store system as a whole.

Depending on the potential threat of access to card information stored in the information systems of stores and third-party processors, payment systems divide stores and processors into several levels and determine the following types of activities that are regularly carried out to assess the level of compliance of the store with the PCI DSS standard:
* security audit conducted directly in the trading company;
* self-assessment of the security system of the store (processor) according to the questionnaire offered by the payment system;
* network scanning of card data access.

As noted earlier, unfortunately, not all trading enterprises meet the requirements of PCI DSS. Many trading enterprises refer to the high cost of upgrading the hardware and software used by them today for processing card transactions. In mid-2007, Visa announced the launch of a new dynamic authorization system, Visa Advanced Authorization, which has high hopes for combating fraud. The Visa system uses a neural network-based solution that allows real-time evaluation of each Visa card transaction in terms of potential fraud. As a result, each issuer will receive an assessment within the authorization that the authorization is fraudulent.

In conclusion, it should be said that the problem of card fraud is urgent and threatens the existence of plastic card technology. The possibilities of cards with a magnetic stripe in countering fraud are very limited. A card with a magnetic stripe is only a carrier of a small amount of information. Therefore, only the issuer and the servicing bank, which do not have their full-fledged representatives at the point of sale, can counteract fraud. Even assuming the online nature of all card transactions, the capabilities of the issuer and the servicing bank are very limited. In most cases, the issuer can only verify the correctness of the static data of the card received when performing a cashless purchase operation, and analyze how this operation is characteristic of this client using the moni program.