    Chip and Skim: cloning EMV cards with the pre-play attack

    EMV, also known as "Chip and PIN", is the leading system for card payments worldwide. It is used throughout Europe and much of Asia, and is starting to be introduced in North America too. Payment cards contain a chip so they can execute an authentication protocol. This protocol requires point-of-sale (POS) terminals or ATMs to generate a nonce, called the unpredictable number, for each transaction to ensure it is fresh. We have discovered that some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply this number. This exposes them to a "pre-play" attack which is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be carried out even if it is impossible to clone a card physically (in the sense of extracting the key material and loading it into another card). Card cloning is the very type of fraud that EMV was supposed to prevent. We describe how we detected the vulnerability, a survey methodology we developed to chart the scope of the weakness, evidence from ATM and terminal experiments in the field, and our implementation of proof-of-concept attacks. We found flaws in widely-used ATMs from the largest manufacturers. We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit. Pre-play attacks may also be carried out by malware in an ATM or POS terminal, or by a man-in-the-middle between the terminal and the acquirer. We explore the design and implementation mistakes that enabled the flaw to evade detection until now: shortcomings of the EMV specification, of the EMV kernel certification process, of implementation testing, formal analysis, or monitoring customer complaints. Finally we discuss countermeasures.

    An exploratory study into the money laundering threats, vulnerabilities, and controls within the UK bookmaker sector, with a specific focus on Fixed-Odds Betting Terminals

    The purpose of this exploratory study was to generate an understanding into the money laundering threats, vulnerabilities and controls found within UK betting shops, with a direct focus on the exponential growth of Fixed-Odds Betting Terminals. Qualitative research methods facilitated eight semi-structured interviews with key stakeholders linked to the gambling and/or money laundering sphere. These included the Gambling Commission, the Campaign for Fairer Gambling, an ex-Head of Security and Safety at a major bookmaker, and five regular Fixed-Odds Betting Terminal users. The interviews were recorded, transcribed and coded for thematic analysis, subsequently resulting in the emergence of four interesting and meaningful themes. These were: (1) ineffective CDD enforcement facilitating anonymity; (2) weak anti-money laundering safeguards unable to mitigate known threats; (3) a lack of anti-money laundering training, awareness, and resources; and (4) the Gambling Commission's attempt for increased anti-money laundering regulation being unsuccessful. By allowing a phenomenological framework to guide the data collection process, the interpreted subjective views and experiences of the participants involved, although somewhat limited, indicate that money laundering threats within the bookmaker sector are inherently high, with a lack of effective safeguards in place to mitigate the identified vulnerabilities.

    The changing nature of U.S. card payment fraud: industry and public policy options

    As credit and debit card payments have become the primary payment instrument in retail transactions, awareness of identity theft and concerns over the safety of payments has increased. Traditional forms of card payment fraud are still an important threat, but fraud resulting from unauthorized access to payment data appears to be rising, and we are only beginning to get a sense of the dimensions of the problem.

    Thus far, the role of public policy has been to encourage the card payment industry to limit fraud by developing its own standards and procedures. Whether this policy stance is sufficient depends on the effectiveness of industry efforts to limit fraud in light of the dramatic shift toward card payments.

    Sullivan provides an overview of card payment fraud in the United States. He develops a preliminary estimate of the rate of U.S. card payment fraud and suggests that such fraud is higher than in several other countries for which data are available. The U.S. payment industry is taking steps to combat payment fraud, but progress has been slowed by conflicts of interest, inadequate incentives, and lack of coordination. Thus, policymakers should monitor the card payment industry to see if it better coordinates security efforts, and if not, consider actions to help overcome barriers to effective development of security.

    Maintaining consumer confidence in electronic payment mechanisms

    Credit card fraud is already a significant factor inhibiting consumer confidence in e-commerce. As more advanced payment systems become common, what legal and technological mechanisms are required to ensure that fraud does not do long-term damage to consumers' willingness to use electronic payment mechanisms?

    Evaluating and designing a network and information security solution for a company in accordance with PCI DSS

    The payment industry is slowly shifting away from cash purchases to payment card solutions. Crimes related to stealing funds are often due to thieves obtaining card information. The objective of this thesis was to understand a target company's environment and define what actions are required to improve payment card security. The Payment Card Industry Data Security Standard (PCI DSS), used worldwide, served as the theoretical base and methodology of the thesis project. PCI DSS clearly defines the requirements that must be fulfilled to guarantee that no outside parties can gain access to customer card data. The standard also offers self-assessment questionnaires for companies to understand what exactly is required of their business. Different business solutions have different requirements, and therefore must adapt accordingly. During the thesis project, the company environment was assessed in accordance with PCI DSS guidelines. With the scope established, it was possible to determine the points of improvement. The result of the thesis is an analysis and proposal for the target company to use in improving its security. The report allows the company to understand how a single security breach can have enormous consequences for business continuity and what repercussions may follow. To avoid such an event, the company should fix the problems explained.

    Heartland Payment Systems: lessons learned from a data breach

    On August 13, 2009, the Payment Cards Center hosted a workshop examining the changing nature of data security in consumer electronic payments. The center invited the chairman and CEO of Heartland Payment Systems (HPS or Heartland), Robert (Bob) Carr, to lead this discussion and to share his experiences stemming from the data breach at his company in late 2008 and, as important, to discuss lessons learned as a result of this event. The former director of the Payment Cards Center, Peter Burns, who is acting as a senior payments advisor to HPS, also joined the discussion to outline Heartland's post-breach efforts aimed at improving information sharing and data security within the consumer payments industry. In conclusion, Carr introduced several technology solutions that are under discussion in payment security circles as ways to better secure payment card data as they move among the different parties in the card payment systems: end-to-end encryption, tokenization, and chip technology. While HPS has been very supportive of end-to-end encryption, each of these alternatives offers its own set of advantages and disadvantages.

    Keywords: Payment systems; Data protection; Electronic commerce