Slide 1

Slide 1 text

sorry, we’re cash only. Henri Watson

Slide 2

Slide 2 text

$ whoami
• First year student at Abertay
• Lived in the Dominican Republic for 13 years
• Lived in California for 5 years
• I dig
  • Payments technologies (obviously)
  • Security UX
  • Embedded devices
  • Public transportation

Slide 3

Slide 3 text

Every single one of us in here has a card with one of these logos on it.

Slide 4

Slide 4 text

We all care about making sure our bank cards remain secure.

Slide 5

Slide 5 text

http://help2.talktalk.co.uk/oct22incident

Slide 6

Slide 6 text

All the major card networks agree on a baseline set of security standards.

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

Imagine you’re at McDonald’s, hungry, and need to quickly pay.

Slide 13

Slide 13 text

No content

Slide 14

Slide 14 text

Your card certainly has one of these

Slide 15

Slide 15 text

Let’s go back to 1960. https://en.wikipedia.org/wiki/File:2._Front_of_first_mag_striped_encoded_plastic_card.JPG

Slide 16

Slide 16 text

Track 1: %B4215141202902305^WATSON/H^1102121000000000000000123000000? (start sentinel, format code B, PAN, ^name^, expiry YYMM, service code, discretionary data, end sentinel)

Slide 17

Slide 17 text

Track 2: ;4215141202902305=110212112242767? (start sentinel, PAN, field separator, expiry YYMM, service code, discretionary data, end sentinel)
Track 3 usually isn’t present in EU cards anymore.

Slide 18

Slide 18 text

Prefix-based routing is used for the PAN: the leading digits (the IIN/BIN) identify the issuer. https://en.wikipedia.org/wiki/Bank_card_number

Slide 19

Slide 19 text

http://www.binlist.net Prefix-based routing is used for the PAN.

Slide 20

Slide 20 text

The service code helps define transaction rules.

First digit
1: International interchange OK
2: International interchange, use IC (chip) where feasible
5: National interchange only except under bilateral agreement
6: National interchange only except under bilateral agreement, use IC (chip) where feasible
7: No interchange except under bilateral agreement (closed loop)
9: Test

Second digit
0: Normal
2: Contact issuer via online means
4: Contact issuer via online means except under bilateral agreement

Third digit
0: No restrictions, PIN required
1: No restrictions
2: Goods and services only (no cash)
3: ATM only, PIN required
4: Cash only
5: Goods and services only (no cash), PIN required
6: No restrictions, use PIN where feasible
7: Goods and services only (no cash), use PIN where feasible

https://en.wikipedia.org/wiki/Magnetic_stripe_card
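As an added example (not part of the talk), the following Python parses the Track 1 and Track 2 strings from the slides above, Luhn-checks the PAN, and decodes the three service-code digits against the table. The track strings are the deck's own sample data; the function and field names are mine.

```python
"""Parse ISO 7813 magstripe Track 1 / Track 2 data and decode the service code."""
import re
from dataclasses import dataclass
from typing import Optional

# Sample track data copied from the slides (demo data, not a live card).
TRACK1 = "%B4215141202902305^WATSON/H^1102121000000000000000123000000?"
TRACK2 = ";4215141202902305=110212112242767?"

# Service code meanings, digit by digit, as tabulated on the slide.
SERVICE_CODE = {
    "interchange": {
        "1": "International interchange OK",
        "2": "International interchange, use IC (chip) where feasible",
        "5": "National interchange only except under bilateral agreement",
        "6": "National interchange only except under bilateral agreement, use IC (chip) where feasible",
        "7": "No interchange except under bilateral agreement (closed loop)",
        "9": "Test",
    },
    "authorisation": {
        "0": "Normal",
        "2": "Contact issuer via online means",
        "4": "Contact issuer via online means except under bilateral agreement",
    },
    "services": {
        "0": "No restrictions, PIN required",
        "1": "No restrictions",
        "2": "Goods and services only (no cash)",
        "3": "ATM only, PIN required",
        "4": "Cash only",
        "5": "Goods and services only (no cash), PIN required",
        "6": "No restrictions, use PIN where feasible",
        "7": "Goods and services only (no cash), use PIN where feasible",
    },
}


@dataclass
class Track:
    pan: str
    expiry: str             # YYMM as encoded on the stripe
    service_code: str
    discretionary: str      # issuer-defined data (PVV, CVV1, ...); format is not public
    name: Optional[str] = None   # only Track 1 carries the cardholder name


def luhn_ok(pan: str) -> bool:
    """Luhn check: from the right, double every second digit, sum digits, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Track 1: %B PAN ^ NAME ^ YYMM SSS discretionary ?   (name is 2-26 characters)
TRACK1_RE = re.compile(r"^%B(\d{1,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?$")
# Track 2: ; PAN = YYMM SSS discretionary ?
TRACK2_RE = re.compile(r"^;(\d{1,19})=(\d{4})(\d{3})([^?]*)\?$")


def parse_track1(s: str) -> Track:
    m = TRACK1_RE.match(s)
    if not m:
        raise ValueError("not a Track 1 string")
    pan, name, yymm, svc, disc = m.groups()
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return Track(pan, yymm, svc, disc, name)


def parse_track2(s: str) -> Track:
    m = TRACK2_RE.match(s)
    if not m:
        raise ValueError("not a Track 2 string")
    pan, yymm, svc, disc = m.groups()
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return Track(pan, yymm, svc, disc)


def decode_service_code(code: str) -> dict:
    if not re.fullmatch(r"\d{3}", code):
        raise ValueError("service code must be three digits")
    return {
        "interchange": SERVICE_CODE["interchange"].get(code[0], "reserved"),
        "authorisation": SERVICE_CODE["authorisation"].get(code[1], "reserved"),
        "services": SERVICE_CODE["services"].get(code[2], "reserved"),
    }


def chip_present(code: str) -> bool:
    """First digit 2 or 6 tells an EMV terminal the card has a chip, so a swipe
    should be refused (or treated as a fallback) rather than accepted blindly."""
    return code[0] in "26"


if __name__ == "__main__":
    t1, t2 = parse_track1(TRACK1), parse_track2(TRACK2)
    assert t1.pan == t2.pan and t1.service_code == t2.service_code
    print(t1)
    print(decode_service_code(t1.service_code), "chip:", chip_present(t1.service_code))
```

The deck's sample card carries service code 121: international interchange allowed, the issuer should be contacted online, and no usage restrictions. The first digit is 1, not 2, so a terminal reading this stripe has no signal that a chip exists, which is exactly the fallback gap the next slides talk about.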

Slide 21

Slide 21 text

http://samy.pl/magspoof/meter-small2.gif

Slide 22

Slide 22 text

http://cdn1.tnwcdn.com/wp-content/blogs.dir/1/files/2014/08/0822_coin2.jpg

Slide 23

Slide 23 text

If your bank blindly trusts magstripe data, please destroy your card.

Slide 24

Slide 24 text

Offline transactions are super dangerous with magstripe.

Slide 25

Slide 25 text

At the point of purchase:
Card terminal (terminal) → Acquiring institution (WorldPay, iZettle): £5?
Acquiring institution → Issuing institution (Barclays, HSBC, RBS): £5?

Slide 26

Slide 26 text

At the point of purchase:
Issuing institution (Barclays, HSBC, RBS) → Acquiring institution (WorldPay, iZettle): OK #1234
Acquiring institution → Card terminal (terminal): OK #1234

Slide 27

Slide 27 text

Sometime later (usually 9PM next day):
Card terminal (terminal) → Acquiring institution (WorldPay, iZettle): #1234?
Acquiring institution → Issuing institution (Barclays, HSBC, RBS): #1234?

Slide 28

Slide 28 text

Sometime later (usually 9PM next day):
Issuing institution (Barclays, HSBC, RBS) → Acquiring institution (WorldPay, iZettle): OK #1234
Acquiring institution → merchant: OK #1234, disbursement to merchant (Bacs, Faster Payments)

Slide 29

Slide 29 text

Splitting authorisation and capture into two separate steps prevents half-complete transactions from being charged to the cardholder.

Slide 30

Slide 30 text

These may show up as Processing in Online Banking (Bank of America Online Banking. Authorised using Stripe)

Slide 31

Slide 31 text

Even after authorisation, the merchant has no assurance regarding the card’s legitimacy.

Slide 32

Slide 32 text

The card isn’t able to strongly define processing rules and is easily cloned.

Slide 33

Slide 33 text

So, what can we do to make card payments safer?

Slide 34

Slide 34 text

Your card might not have a chip

Slide 35

Slide 35 text

…but hopefully it does

Slide 36

Slide 36 text

Your card also might have one of these on it

Slide 37

Slide 37 text

Alternatively, your phone might have this

Slide 38

Slide 38 text

In 1993 Europay, MasterCard, and Visa began developing the EMV specification.

Slide 39

Slide 39 text

The authorisation flow is identical but data is read from the card over the smartcard interface instead.

Slide 40

Slide 40 text

EMV attempts to provide secure payments in an environment that is assumed to be hostile.

Slide 41

Slide 41 text

Applications on the card are discovered using the 1PAY.SYS.DDF01 selector for contact payments and 2PAY.SYS.DDF01 for contactless.

Slide 42

Slide 42 text

Multiple applications per card are used in the United States to allow debit cards to be run in stores over the credit network or the debit network. * Supporting this is legally required as a result of the Durbin Amendment

Slide 43

Slide 43 text

This is also used in Germany and Italy for dual-branded cards (Girocard/Bancomat with Maestro/V Pay).

Slide 44

Slide 44 text

(Banesco DO Debit Card issued in 2014. Inspected using Cardpeek.) EMV-wide payment card application selector Visa Debit application, used for most transactions.

Slide 45

Slide 45 text

(Dual-branded Bancomat/Maestro card issued in December 2015. Inspected using Cardpeek.) EMV-wide payment card application selector PagoBANCOMAT application, used for Italian transactions. Maestro application, used for international tx.

Slide 46

Slide 46 text

(Dual-branded Girocard/Maestro card. Inspected using Cardpeek.) Legacy GeldKarte application, used for prepaid transactions. Maestro application, used for international transactions. GeldKarte application, used for prepaid transactions. Girocard application, used for German transactions. Euro Alliance of Payment Schemes, used for inter-EU transactions. Girocard application, used for German transactions. (1PAY.SYS.DDF01 not shown for brevity)

Slide 47

Slide 47 text

(Bank of America US Debit Card issued in 2014. Inspected using Cardpeek.) EMV-wide payment card application selector MasterCard Debit application, used for most transactions. US Debit application, used for ATMs and Durbin.

Slide 48

Slide 48 text

(Barclays UK Debit Card issued in 2015. Inspected using Cardpeek.) EMV-wide payment card application selector Visa Debit application, used for most transactions. Link application, used by UK-only ATMs. CAP application, used by online banking login.

Slide 49

Slide 49 text

The terminal selects an application either using preprogrammed rules or by asking the user.

Slide 50

Slide 50 text

No content

Slide 51

Slide 51 text

The card returns a Processing Options Data Object List (PDOL), instructing the terminal to supply information about the transaction.

Slide 52

Slide 52 text

The terminal assembles the data the PDOL asks for and issues a GET PROCESSING OPTIONS command to ask the card how to set up the transaction.
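An added example, not from the talk or from Cardpeek, covering the steps on the preceding slides: parsing the BER-TLV FCI returned for SELECT 2PAY.SYS.DDF01, choosing an application by its priority indicator, and answering the PDOL with a GET PROCESSING OPTIONS command. The PPSE response, PDOL and terminal values are constructed for the example (the two AIDs are Visa's generic AID and the Visa US Common Debit AID; labels and priorities are invented), and all function names are mine.

```python
"""Start of an EMV contactless transaction: PPSE parsing, application
selection and GET PROCESSING OPTIONS (GPO) construction from the PDOL."""


def tlv(tag: bytes, value: bytes) -> bytes:
    """Encode one BER-TLV object (definite length, up to 65535 bytes)."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return tag + length + value


def _read_tag(data: bytes, i: int):
    """Return (tag, next index). A low nibble of 0x1F means the tag continues
    into further bytes, each with bit 8 set except the last."""
    start, first = i, data[i]
    i += 1
    if first & 0x1F == 0x1F:
        while data[i] & 0x80:
            i += 1
        i += 1
    return data[start:i], i


def parse_tlv(data: bytes) -> list:
    """Parse BER-TLV into [(tag, value)]; constructed tags (bit 6 set) recurse."""
    out, i = [], 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):            # padding between objects is allowed
            i += 1
            continue
        tag, i = _read_tag(data, i)
        length = data[i]
        i += 1
        if length & 0x80:                      # long form: low bits = number of length bytes
            nbytes = length & 0x7F
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        value = data[i:i + length]
        i += length
        out.append((tag, parse_tlv(value) if tag[0] & 0x20 else value))
    return out


def find_all(tree: list, tag: bytes) -> list:
    """Depth-first search for every value carried under `tag`."""
    hits = []
    for t, v in tree:
        if t == tag:
            hits.append(v)
        if isinstance(v, list):
            hits.extend(find_all(v, tag))
    return hits


def candidate_applications(fci: bytes) -> list:
    """Each Application Template (61) carries AID (4F), label (50), priority (87)."""
    apps = []
    for entry in find_all(parse_tlv(fci), b"\x61"):
        fields = dict(entry)
        prio = fields.get(b"\x87", b"\x00")[0]
        apps.append({"aid": fields[b"\x4f"],
                     "label": fields.get(b"\x50", b"").decode("ascii", "replace"),
                     "priority": prio & 0x0F})    # 1 = highest, 0 = no preference
    return apps


def select_application(apps: list, supported: set):
    """Terminal rule: among AIDs it supports, take the lowest non-zero priority."""
    matches = [a for a in apps if a["aid"] in supported]
    matches.sort(key=lambda a: a["priority"] or 16)
    return matches[0] if matches else None


def parse_dol(dol: bytes) -> list:
    """A DOL is a bare list of tag||length with no values: the card's shopping list."""
    items, i = [], 0
    while i < len(dol):
        tag, i = _read_tag(dol, i)
        items.append((tag, dol[i]))
        i += 1
    return items


def build_gpo_command(pdol: bytes, terminal: dict) -> bytes:
    """Concatenate the requested terminal values in PDOL order, wrap them in tag
    83 and build the GET PROCESSING OPTIONS APDU (CLA 80, INS A8)."""
    body = b""
    for tag, length in parse_dol(pdol):
        # Simplification: missing objects are zero-filled and values are right-padded
        # or truncated; EMV Book 3 has format-specific padding rules per tag.
        body += terminal.get(tag, b"")[:length].ljust(length, b"\x00")
    data = tlv(b"\x83", body)
    return bytes([0x80, 0xA8, 0x00, 0x00, len(data)]) + data + b"\x00"


# Constructed sample PPSE FCI with two applications, in the spirit of the dual-AID
# US debit card on the slides. Labels and priorities are invented.
SAMPLE_PPSE = tlv(b"\x6f", tlv(b"\x84", b"2PAY.SYS.DDF01") + tlv(b"\xa5", tlv(b"\xbf\x0c",
    tlv(b"\x61", tlv(b"\x4f", bytes.fromhex("A0000000031010")) + tlv(b"\x50", b"VISA DEBIT") + tlv(b"\x87", b"\x02"))
    + tlv(b"\x61", tlv(b"\x4f", bytes.fromhex("A0000000980840")) + tlv(b"\x50", b"US DEBIT") + tlv(b"\x87", b"\x01")))))

# Constructed PDOL: TTQ (9F66, 4 bytes), Amount Authorised (9F02, 6), Unpredictable Number (9F37, 4).
SAMPLE_PDOL = bytes.fromhex("9F66049F02069F3704")
TERMINAL_DATA = {                                  # constructed terminal values; UN fixed for repeatability
    b"\x9f\x66": bytes.fromhex("36000000"),
    b"\x9f\x02": bytes.fromhex("000000000500"),    # £5.00 in minor units
    b"\x9f\x37": bytes.fromhex("DEADBEEF"),
}
```

With both AIDs enabled the terminal picks "US DEBIT" because its priority indicator (1) beats Visa's (2); a terminal that only knows the Visa AID falls back to "VISA DEBIT". The resulting GPO APDU is 80 A8 00 00 10 83 0E 36000000 000000000500 DEADBEEF 00.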

Slide 53

Slide 53 text

The card's reply carries an Application Interchange Profile, which signals the functions the card supports (SDA/DDA/CDA, cardholder verification, terminal risk management, issuer authentication), and an Application File Locator, which lists the card data records the terminal must read.

Slide 54

Slide 54 text

The terminal checks if it is allowed to process the transaction.

Slide 55

Slide 55 text

Static Data Authentication verifies an issuer signature over static card data to provide offline assurance of integrity. It says nothing about uniqueness: signed static data can be copied onto a clone.

Slide 56

Slide 56 text

Dynamic Data Authentication asks the card to sign a nonce in order to verify the card has not been tampered with or cloned.

Slide 57

Slide 57 text

DDA does not prevent MITMing transaction parameters to force offline transactions. https://eprint.iacr.org/2015/963.pdf

Slide 58

Slide 58 text

At the point of purchase:
Card terminal → Modified card: £5?

Slide 59

Slide 59 text

At the point of purchase:
Modified card → Card terminal: OK, OFFLINE #5678

Slide 60

Slide 60 text

Sometime later (usually 9PM next day):
Card terminal (terminal) → Acquiring institution (WorldPay, iZettle): #5678?
Acquiring institution → Issuing institution (Barclays, HSBC, RBS): #5678?

Slide 61

Slide 61 text

Sometime later (usually 9PM next day):
Issuing institution (Barclays, HSBC, RBS) → Acquiring institution (WorldPay, iZettle): FAIL, bad card
Acquiring institution → Card terminal: FAIL, bad card; merchant notified

Slide 62

Slide 62 text

Combined Data Authentication combines DDA with cryptogram generation: the card's signature also covers the application cryptogram and the transaction data, so a MITM cannot tamper with the parameters without breaking the signature.

Slide 63

Slide 63 text

The card provides a list of Cardholder Verification Methods in order of preferred usage.

Slide 64

Slide 64 text

No content

Slide 65

Slide 65 text

(Bank of America US Debit Card issued in 2014. Inspected using Cardpeek.) A signature preferring card places strict conditions on where a PIN can be used.

Slide 66

Slide 66 text

(Barclays UK Debit Card issued in 2015. Inspected using Cardpeek.) A PIN preferring card will place no restrictions on using a PIN.

Slide 67

Slide 67 text

Offline PIN verification can be MITMed by a bad terminal when the PIN is sent to the card in plaintext (enciphered offline PIN exists but is optional). https://www.cl.cam.ac.uk/~osc22/docs/mphil_acs_osc22.pdf

Slide 68

Slide 68 text

EMV gives the issuer no robust way to check whether the PIN was actually verified: the terminal reports its own CVM Results, which the card does not authenticate. https://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf

Slide 69

Slide 69 text

At the point of purchase:
Card terminal (terminal) → Intercepting device: VERIFY 9999

Slide 70

Slide 70 text

At the point of purchase:
Intercepting device → Card terminal (terminal): PIN OK
Intercepting device → Bank card: used signature

Slide 71

Slide 71 text

Following CVM execution, the terminal performs terminal risk management (floor limit checks, velocity checks, random selection of transactions to go online).

Slide 72

Slide 72 text

The card can force the transaction to fail offline using Issuer Action Codes.

Slide 73

Slide 73 text

Using the Terminal Verification Results, the terminal decides whether an offline approval or decline should occur or whether it should go online.

Slide 74

Slide 74 text

The terminal passes the TVR to the card along with the data requested in the Card Risk Management Data Object List (CDOL1), which specifies the transaction parameters the card wishes to evaluate.

Slide 75

Slide 75 text

This step allows the card to override the terminal’s risk assessment using the CDOL1 data.

Slide 76

Slide 76 text

The card returns one of three cryptograms to confirm the transaction:
Transaction Certificate (TC): offline approval
Application Authentication Cryptogram (AAC): offline decline
Authorization Request Cryptogram (ARQC): go online and ask the issuer
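An added example (not the talk's own material) of the terminal action analysis the last few slides describe: the terminal ORs each of its Terminal Action Codes with the card's matching Issuer Action Code, masks the TVR against the result, and requests an AAC, ARQC or TC accordingly (EMV Book 3, section 10.7). The IAC/TAC values below are constructed for the example, and the TVR bit names are my own labels for the Annex C bit positions.

```python
"""Terminal action analysis: TVR x (IAC | TAC) -> which cryptogram to ask for."""

# Terminal Verification Results layout (EMV Book 3, Annex C): name -> (byte index, mask).
TVR_BITS = {
    "offline_data_auth_not_performed": (0, 0x80),
    "sda_failed": (0, 0x40),
    "icc_data_missing": (0, 0x20),
    "dda_failed": (0, 0x08),
    "cda_failed": (0, 0x04),
    "expired_application": (1, 0x40),
    "cardholder_verification_failed": (2, 0x80),
    "unrecognised_cvm": (2, 0x40),
    "pin_try_limit_exceeded": (2, 0x20),
    "floor_limit_exceeded": (3, 0x80),
    "randomly_selected_online": (3, 0x10),
    "merchant_forced_online": (3, 0x08),
    "issuer_authentication_failed": (4, 0x40),
}


def tvr_from(*names: str) -> bytes:
    """Build a 5-byte TVR with the named bits set."""
    tvr = bytearray(5)
    for name in names:
        idx, mask = TVR_BITS[name]
        tvr[idx] |= mask
    return bytes(tvr)


def decode_tvr(tvr: bytes) -> list:
    """List the set TVR bits by name (handy when reading terminal logs)."""
    return [n for n, (idx, mask) in TVR_BITS.items() if tvr[idx] & mask]


def _hit(tvr: bytes, *codes: bytes) -> bool:
    """True if any TVR bit is set that is also set in any of the action codes."""
    return any(t & c for code in codes for t, c in zip(tvr, code))


def terminal_action_analysis(tvr: bytes, iac: dict, tac: dict, online_capable: bool = True) -> str:
    """Decide the cryptogram type requested in the first GENERATE AC.
    iac/tac map 'denial', 'online', 'default' to 5-byte action codes."""
    if _hit(tvr, iac["denial"], tac["denial"]):
        return "AAC"                       # decline offline, no point asking the issuer
    if online_capable:
        if _hit(tvr, iac["online"], tac["online"]):
            return "ARQC"                  # go online for an issuer decision
        return "TC"                        # nothing worrying: approve offline
    # Offline-only terminal: the default codes decide between decline and approval.
    return "AAC" if _hit(tvr, iac["default"], tac["default"]) else "TC"


def unable_to_go_online(tvr: bytes, iac: dict, tac: dict) -> str:
    """Second GENERATE AC when an ARQC was requested but the issuer could not be
    reached: the default codes decide whether to approve or decline offline."""
    return "AAC" if _hit(tvr, iac["default"], tac["default"]) else "TC"


# Constructed action codes for the example (not copied from any real card or acquirer).
CARD_IAC = {
    "denial": bytes.fromhex("0040000000"),   # card: decline offline if the application has expired
    "online": bytes.fromhex("FCF8FCF800"),   # card: almost any problem -> ask the issuer
    "default": bytes.fromhex("FC40A0A800"),  # card: if online is impossible, decline on these
}
TERMINAL_TAC = {
    "denial": bytes.fromhex("0000000000"),
    "online": bytes.fromhex("DC4004F800"),
    "default": bytes.fromhex("DC4000A800"),
}

if __name__ == "__main__":
    for bits in ([], ["floor_limit_exceeded"], ["expired_application"]):
        tvr = tvr_from(*bits)
        print(decode_tvr(tvr) or "clean", "->", terminal_action_analysis(tvr, CARD_IAC, TERMINAL_TAC))
```

This is the point where the card gets its say: the IAC-Denial mask is how a card forces an offline decline, and the IAC-Online mask is how it forces the terminal online for anything it does not want approved offline. The MITM attacks on the earlier slides work by making sure the TVR the terminal sees matches none of these masks.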

Slide 77

Slide 77 text

No content

Slide 78

Slide 78 text

If an Authorization Request Cryptogram was returned, the terminal goes online and seeks approval.

Slide 79

Slide 79 text

After receiving a reply, the terminal sends the CDOL2 data (including the issuer's response) to the card, which lets the card verify the issuer, reset its offline spending counters and return the final cryptogram (TC or AAC).

Slide 80

Slide 80 text

Please remove card.

Slide 81

Slide 81 text

EMV aspires to provide trust mechanisms but succumbs to backwards compatibility issues.

Slide 82

Slide 82 text

http://dev.inversepath.com/download/emv/emv_2011.pdf Even if the CVM list is covered by the card's signature, nothing forces the terminal to verify that signature.

Slide 83

Slide 83 text

https://www.usenix.org/sites/default/files/conference/protected-files/roland_sec13_slides.pdf Contactless kernels still support a magstripe-mode fallback, enabling replay attacks.

Slide 84

Slide 84 text

EMV’s complexity makes it difficult to discover security flaws.

Slide 85

Slide 85 text

No content

Slide 86

Slide 86 text

http://www.telegraph.co.uk/finance/personalfinance/bank-accounts/6338659/Bank-payments-13-months-to-dispute-suspicious-transactions.html

Slide 87

Slide 87 text

Even if EMV had no flaws, card-not-present transactions only need a card number and expiration date.

Slide 88

Slide 88 text

Card number and expiration date are sent during every transaction (Barclays UK Debit Card issued in 2015. Inspected using Cardpeek.)

Slide 89

Slide 89 text

http://www.wired.com/wp-content/uploads/2015/09/UKPA-chart-showing-card-fraud.png

Slide 90

Slide 90 text

3-D Secure aspires to provide merchants with a mechanism to offload customer verification to the issuing institution.

Slide 91

Slide 91 text

Server side:
Merchant domain → Interoperability domain: card enrolled?
Interoperability domain → Issuer domain: card enrolled?

Slide 92

Slide 92 text

Server side:
Issuer domain → Interoperability domain: yes, bank.co.uk
Interoperability domain → Merchant domain: yes, bank.co.uk

Slide 93

Slide 93 text

Client side:
Merchant domain → Issuer domain: £5? (redirect/iframe)

Slide 94

Slide 94 text

Client side:
Issuer domain → Merchant domain: OK (redirect)

Slide 95

Slide 95 text

No content

Slide 96

Slide 96 text

No content

Slide 97

Slide 97 text

No content

Slide 98

Slide 98 text

No content

Slide 99

Slide 99 text

No content

Slide 100

Slide 100 text

No content

Slide 101

Slide 101 text

Ultimately, insurance covers the gaps created as a result of decades of backwards compatibility.

Slide 102

Slide 102 text

Thanks! @henriwatson [email protected] https://henriwatson.com/talks/cashonly