Sorry, we're cash only. (hacksoc)

Transcript

1. sorry, we’re cash only. Henri Watson

2. $ whoami • First year student • Lived in the

   Dominican Republic for 13 years • Lived in California for 5 years. • I dig • Payments technologies (obviously) • Security UX • Public transportation • Embedded devices

3. Every single one of us in here has a card

   with one of these logos on it.

4. We all care about making sure our bank cards remain

   secure.

5. http://help2.talktalk.co.uk/oct22incident

6. All the major card networks agree on a baseline set

   of security standards.
7. None
8. None
9. None

10. http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

11. None

12. Imagine you’re at McDonald’s, hungry, and need to quickly pay

    for your 20pc Chicken McNuggets, Big Mac, Chicken Mayo, McFlurry, and Ranch BLT.

13. Your card certainly has one of these

14. Let’s go back to 1960. https://en.wikipedia.org/wiki/File:2._Front_of_first_mag_striped_encoded_plastic_card.JPG

15. %B6011898748579348^DOE/ JOHN ^37829821000123456789? Track 1 Track 2 stores the same

    but lacks cardholder name. Track 3 usually isn’t present in EU cards.

16. Prefix based routing is used for the PAN. https://en.wikipedia.org/wiki/Bank_card_number

17. http://www.binlist.net Prefix based routing is used for the PAN.

18. The service code helps define transaction rules. First digit 1:

    International interchange OK 2: International interchange, use IC (chip) where feasible 5: National interchange only except under bilateral agreement 6: National interchange only except under bilateral agreement, use IC (chip) where feasible 7: No interchange except under bilateral agreement (closed loop) 9: Test Second digit 0: Normal 2: Contact issuer via online means 4: Contact issuer via online means except under bilateral agreement Third digit 0: No restrictions, PIN required 1: No restrictions 2: Goods and services only (no cash) 3: ATM only, PIN required 4: Cash only 5: Goods and services only (no cash), PIN required 6: No restrictions, use PIN where feasible 7: Goods and services only (no cash), use PIN where feasible https://en.wikipedia.org/wiki/Magnetic_stripe_card

19. http://hackaday.com/2015/11/25/defeating-chip- and-pin-with-bits-of-wire/

20. http://samy.pl/magspoof/meter-small2.gif

21. http://cdn1.tnwcdn.com/wp- content/blogs.dir/1/files/2014/08/0822_coin2.jpg

22. If your bank blindly trusts magstripe data, I have a

    pair of scissors up here.

23. Offline transactions are super dangerous with magstripe.

24. Card terminal (terminal) Acquiring institution (WorldPay, iZettle) Issuing institution (Barclays,

    HSBC, RBS) At the point of purchase £5? £5?

25. Card terminal (terminal) Authorising institution (WorldPay, iZettle) Issuing institution (Barclays,

    HSBC, RBS) At the point of purchase OK #1234 OK #1234

26. Card terminal (terminal) Acquiring institution (WorldPay, iZettle) Issuing institution (Barclays,

    HSBC, RBS) Sometime later (usually 9PM next day) #1234? #1234?

27. Sometime later (usually 9PM next day) OK #1234 OK #1234

    Disbursement to merchant (Bacs, FasterPayments) Acquiring institution (WorldPay, iZettle) Issuing institution (Barclays, HSBC, RBS)

28. Splitting authorisation and capturing into two separate steps prevents half-complete

    transactions from being charged to the cardholder.

29. These may show up as Processing in Online Banking (Bank

    of America Online Banking. Authorised using Stripe)

30. Even after authorisation, the merchant has no assurance regarding the

    card’s legitimacy.

31. The card isn’t able to strongly define processing rules and

    is easily cloned.

32. So, what can we do to make card payments safer?

33. Your card might not have a chip

34. …but hopefully it does

35. Your card also might have one of these on it

36. Alternatively, your phone might have this

37. In 1993 Europay, MasterCard, and Visa began developing the EMV

    specification.

38. The authorisation flow is identical but data is read from

    the card over the smartcard interface instead.

39. EMV attempts to provide a secure payments environment in an

    assumed hostile environment.

40. Applications on the card are discovered using the 1PAY.SYS.DDF01 selector.

41. Multiple applications per card are used in the United States

    to allow debit cards to be run in stores over the credit network or the debit network. * Supporting this is legally required as a result of the Durbin Amendment

42. (Bank of America US Debit Card issued in 2014. Inspected

    using Cardpeek.) EMV-wide payment card application selector MasterCard Debit application used for most transactions. US Debit application, used for ATMs and Durbin.

43. (Barclays UK Debit Card issued in 2015. Inspected using Cardpeek.)

    EMV-wide payment card application selector Visa Debit application, used for most transactions. Link application, used by UK-only ATMs. CAP application, used by online banking login.

44. (Banesco DO Debit Card issued in 2014. Inspected using Cardpeek.)

    EMV-wide payment card application selector Visa Debit application, used for most transactions.

45. The terminal selects an application either using preprogramed rules or

    by asking the user.
46. None

47. The card returns a Processing Options Data Objects List, instructing

    the terminal to supply information about the transaction.

48. The terminal responds to the PDOL and issues a GET

    PROCESSING OPTIONS command to ask the card how to set up the transaction.

49. An Application Interchange Profile is provided to signal pre-authorisation requirements.

    An Application File Locator is used to indicate card data files.

50. The terminal checks if it is allowed to process the

    transaction.

51. Static Data Authentication verifies a signature against the card data

    to provide offline assurance of integrity.

52. Dynamic Data Authentication asks the card to sign a nonce

    in order to verify the card has not been tampered with or cloned.

53. DDA does not prevent MITMing transaction parameters to force offline

    transactions. https://eprint.iacr.org/2015/963.pdf

54. At the point of purchase Card Terminal Modified Card £5?

55. At the point of purchase Card Terminal Modified Card OK

    OFFLINE #5678

56. Card terminal (terminal) Acquiring institution (WorldPay, iZettle) Issuing institution (Barclays,

    HSBC, RBS) Sometime later (usually 9PM next day) #5678? #5678?

57. Sometime later (usually 9PM next day) FAIL Bad card FAIL

    Bad card Merchant notified Acquiring institution (WorldPay, iZettle) Issuing institution (Barclays, HSBC, RBS)

58. Combined Data Authentication combines DDA with cryptogram generation to prevent

    MITM tampering.

59. The card provides a list of Cardholder Verification Methods in

    order of preferred usage.
60. None

61. (Bank of America US Debit Card issued in 2014. Inspected

    using Cardpeek.) A signature preferring card places strict conditions on where a PIN can be used.

62. (Barclays UK Debit Card issued in 2015. Inspected using Cardpeek.)

    A PIN preferring card will place no restrictions on using a PIN.

63. Offline PIN verification can be MITMed by a bad terminal

    as the PIN is sent in plaintext. https://www.cl.cam.ac.uk/~osc22/docs/mphil_acs_osc22.pdf

64. EVM provides no way to check whether the PIN was

    actually verified. https://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf

65. Card terminal (terminal) Intercepting device Bank card At the point

    of purchase Verify 9999

66. At the point of purchase PIN OK Used signature Card

    terminal (terminal) Intercepting device Bank card

67. Following CVM execution, the terminal performs risk management assessment.

68. The card can force the transaction to fail offline using

    Issuer Action Codes.

69. Using the Terminal Verification Results, the terminal decides whether an

    offline approval or decline should occur or whether it should go online.

70. The terminal passes the TVR to the card along with

    a Card Data Object List reply, which specifies transaction parameters the card wishes to evaluate.

71. This step allows the card to override the terminal’s risk

    assessment using the CDOL1 data.

72. The card returns one of three cryptograms to confirm the

    transaction. Transaction Certificate Offline approval Application Authentication Cryptogram Offline decline Authorization Request Cryptogram Online approval
73. None

74. If a Authorization Request Cryptogram was returned, the terminal goes

    online and seeks approval.

75. After receiving a reply, the terminal sends CDOL2 data to

    the card which allows it to reset offline spending limits and update the transaction counter.

76. Please remove card.

77. EMV aspires to provide trust mechanisms but succumbs to backwards

    compatibility issues.

78. http://dev.inversepath.com/download/emv/emv_2011.pdf Although the CVM might be signed, you can’t force

    signature verification.

79. http://www.telegraph.co.uk/finance/personalfinance/bank-accounts/6338659/Bank-payments- 13-months-to-dispute-suspicious-transactions.html

80. EMV’s complexity makes it difficult to discover security flaws.

81. Even if EMV had no flaws, card-not-present transactions only need

    a card number and expiration date

82. Ultimately, insurance covers the gaps left by insecurity.

83. Thanks! @henriwatson [email protected] https://henriwatson.com/talks/cashonly