[My personal opinion]
[03 Oct 2021] Apparently, this kind of claim will never end. Here is another one
Well, it is a variant of #3 below, with the card replaced by an iPhone. There is no need to analyse its effectiveness or exploitability any further.
[10 Aug 2019] Revision notes: When a new alleged attack against an EMV card appears, I will record it here rather than write a new piece.
4. On 29 July 2019, a claim was made "Visa card vulnerability can bypass contactless limits" with some seemingly convincing details such as "First, the device tells the card that verification is not necessary, even though the amount is greater than £30. The device then tells the terminal that verification has already been made by another means. This attack is possible because Visa does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification."
Well, the above is not specified in any EMV card. A very simple rule is: for any offline transaction, it is the SE (Secure Element, i.e. the card) that makes the final decision, not the terminal, nor the CD (Consumer Device, i.e. the phone).
Because no more details have been revealed about the alleged attack, and what was disclosed has nothing to do with an EMV card, Visa wasn't impressed by this claim at all and took no further action.
My comment is "Visa is correct."
Note: for online transactions, none of the alleged attacks in this blog is relevant.
[Below is the first write-up, if you would like to know what has happened. The Cambridge University attack claim is highly recommended reading. :)]
Every once in a while, we read frightening headlines on the Internet about Chip-and-PIN card attacks, such as the following three:
1. Chip and PIN is broken, 11 Feb 2010 (https://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/)
2. Cloning chip-and-PIN cards: Brazilian job, 09 Mar 2018 (https://www.kaspersky.com/blog/chip-n-pin-cloning/21502/)
and
3. Secret Service Warns of Chip Card Scheme, 05 Apr 2018 (https://krebsonsecurity.com/2018/04/secret-service-warns-of-chip-card-scheme/)
Reading the headlines alone, one would wonder whether the Chip-and-PIN scheme (a.k.a. EMV) has some security concerns, because these headlines, more or less, implicitly lead readers to think that Chip-and-PIN might have security problems.
However, as a matter of fact, none of the above headlines is true.
The fallacy of #1 is well understood: it assumed that the card-accepting terminal (i.e. the POS terminal in the film) asked for a PIN but did not check whether a PIN verification had been performed (a field of the CVR that the terminal should read and check). It goes like this: the terminal asks for a PIN and, after the PIN is entered, does not bother to check whether the PIN verification has been performed by the card. There are detailed explanations in the comments that follow the post linked in #1.
#2 recycles the Yes-card attack, which was known about 20 years ago: a card that always says "PIN OK" to any PIN entered (see the sentence "You read that right: The cybercriminals’ app can say a PIN is valid, no matter what PIN was entered."). This is the whole point of why DDA (Dynamic Data Authentication) is designed into a Chip-and-PIN card: to ensure that a card is valid when used offline. The attack in #2 has nothing to do with the Chip-and-PIN scheme, because a Yes-card won't work without a successful DDA.
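As an added illustration (not code from the original post), the following Python sketch models the DDA point above: a terminal that runs a challenge-response check declines a Yes-card before its "PIN OK" answer is ever considered. The class and function names and the toy RSA key are assumptions made for the example; real EMV uses issuer-certified card keys and its own signature format.

```python
import hashlib
import secrets

# Constructed toy RSA key (product of two Mersenne primes). Assumption for
# the example only: real cards use issuer-certified keys, not textbook RSA.
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never leaves the genuine card

def digest(static_data: bytes, challenge: bytes) -> int:
    """Hash of the card's static data plus the terminal's challenge, reduced mod N."""
    h = hashlib.sha256(static_data + challenge).digest()
    return int.from_bytes(h, "big") % N

class GenuineCard:
    static_data = b"PAN=constructed-sample"

    def __init__(self, pin: str):
        self._pin = pin

    def verify_pin(self, pin: str) -> bool:
        return pin == self._pin

    def sign_challenge(self, challenge: bytes) -> int:
        return pow(digest(self.static_data, challenge), D, N)

class YesCard:
    """Holds only copied static data: no private key, and says yes to any PIN."""
    static_data = GenuineCard.static_data

    def __init__(self, captured_signature: int):
        self._sig = captured_signature

    def verify_pin(self, pin: str) -> bool:
        return True

    def sign_challenge(self, challenge: bytes) -> int:
        return self._sig  # the best it can do is replay an old response

def terminal_offline_check(card, pin: str, certified_pub=(N, E)) -> str:
    """certified_pub stands in for the card key recovered from the certificate chain."""
    n, e = certified_pub
    challenge = secrets.token_bytes(4)  # fresh unpredictable number per transaction
    signature = card.sign_challenge(challenge)
    if pow(signature, e, n) != digest(card.static_data, challenge):
        return "declined: DDA failed"
    if not card.verify_pin(pin):
        return "declined: wrong PIN"
    return "approved"
```

Because the challenge is fresh for every transaction, a response captured from the genuine card earlier does not verify, so the always-yes PIN answer is never reached.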
#3 is, in essence, about using a valid stolen Chip-and-PIN card. If a valid card is stolen and its loss has not been reported yet, a crook can spend on the card up to the limited amount for which no PIN is required, especially in the contactless case. This risk is well recognised, and it is why a card is limited in contactless or offline spending. #3 actually suggests that there is a way to steal a large number of genuine cards, and that the period before the loss is reported could be very long: a new corporate card may not be used for a long time after activation. This could happen in the scenarios described in #3 but, again, it has nothing to do with Chip-and-PIN. The PIN is not even involved. In addition, the use of a chemical lab to fabricate fake cards is not impressive either; there are more cost-effective ways to fool a user into activating a corporate card.
These articles are worth a look to learn the crooks' ideas, but we shouldn't be influenced by the simple claims in their headlines.