https://krebsonsecurity.com/2020/07/is-your-chip-card-secure-much-depends-on-where-you-bank/ Advertisement RSS Feed Subscribe to RSS Twitter Follow me on Twitter Facebook Join me on Facebook [15] Krebs on Security In-depth security news and investigation Brian Krebs About the Author Advertising/Speaking --------------------------------------------------------------------- 30 Jul 20 Is Your Chip Card Secure? Much Depends on Where You Bank Chip-based credit and debit cards are designed to make it infeasible for skimming devices or malware to clone your card when you pay for something by dipping the chip instead of swiping the stripe. But a recent series of malware attacks on U.S.-based merchants suggest thieves are exploiting weaknesses in how certain financial institutions have implemented the technology to sidestep key chip card security features and effectively create usable, counterfeit cards. [chipcard] A chip-based credit card. Image: Wikipedia. Traditional payment cards encode cardholder account data in plain text on a magnetic stripe, which can be read and recorded by skimming devices or malicious software surreptitiously installed in payment terminals. That data can then be encoded onto anything else with a magnetic stripe and used to place fraudulent transactions. Newer, chip-based cards employ a technology known as EMV that encrypts the account data stored in the chip. The technology causes a unique encryption key -- referred to as a token or "cryptogram" -- to be generated each time the chip card interacts with a chip-capable payment terminal. Virtually all chip-based cards still have much of the same data that's stored in the chip encoded on a magnetic stripe on the back of the card. This is largely for reasons of backward compatibility since many merchants -- particularly those in the United States -- still have not fully implemented chip card readers. This dual functionality also allows cardholders to swipe the stripe if for some reason the card's chip or a merchant's EMV-enabled terminal has malfunctioned. But there are important differences between the cardholder data stored on EMV chips versus magnetic stripes. One of those is a component in the chip known as an integrated circuit card verification value or "iCVV" for short -- also known as a "dynamic CVV." The iCVV differs from the card verification value (CVV) stored on the physical magnetic stripe, and protects against the copying of magnetic-stripe data from the chip and the use of that data to create counterfeit magnetic stripe cards. Both the iCVV and CVV values are unrelated to the three-digit security code that is visibly printed on the back of a card, which is used mainly for e-commerce transactions or for card verification over the phone. The appeal of the EMV approach is that even if a skimmer or malware manages to intercept the transaction information when a chip card is dipped, the data is only valid for that one transaction and should not allow thieves to conduct fraudulent payments with it going forward. However, for EMV's security protections to work, the back-end systems deployed by card-issuing financial institutions are supposed to check that when a chip card is dipped into a chip reader, only the iCVV is presented; and conversely, that only the CVV is presented when the card is swiped. If somehow these do not align for a given transaction type, the financial institution is supposed to decline the transaction. The trouble is that not all financial institutions have properly set up their systems this way. Unsurprisingly, thieves have known about this weakness for years. In 2017, I wrote about the increasing prevalence of "shimmers," high-tech card skimming devices made to intercept data from chip card transactions. [ca-shim2] A close-up of a shimmer found on a Canadian ATM. Source: RCMP. More recently, researchers at Cyber R&D Labs published a paper detailing how they tested 11 chip card implementations from 10 different banks in Europe and the U.S. The researchers found they could harvest data from four of them and create cloned magnetic stripe cards that were successfully used to place transactions. There are now strong indications the same method detailed by Cyber R& D Labs is being used by point-of-sale (POS) malware to capture EMV transaction data that can then be resold and used to fabricate magnetic stripe copies of chip-based cards. Earlier this month, the world's largest payment card network Visa released a security alert regarding a recent merchant compromise in which known POS malware families were apparently modified to target EMV chip-enabled POS terminals. "The implementation of secure acceptance technology, such as EMV(r) Chip, significantly reduced the usability of the payment account data by threat actors as the available data only included personal account number (PAN), integrated circuit card verification value (iCVV) and expiration date," Visa wrote. "Thus, provided iCVV is validated properly, the risk of counterfeit fraud was minimal. Additionally, many of the merchant locations employed point-to-point encryption (P2PE) which encrypted the PAN data and further reduced the risk to the payment accounts processed as EMV(r) Chip." Visa did not name the merchant in question, but something similar seems to have happened at Key Food Stores Co-Operative Inc., a supermarket chain in the northeastern United States. Key Food initially disclosed a card breach in March 2020, but two weeks ago updated its advisory to clarify that EMV transaction data also was intercepted. "The POS devices at the store locations involved were EMV enabled," Key Food explained. "For EMV transactions at these locations, we believe only the card number and expiration date would have been found by the malware (but not the cardholder name or internal verification code)." [visaalert] While Key Food's statement may be technically accurate, it glosses over the reality that the stolen EMV data could still be used by fraudsters to create magnetic stripe versions of EMV cards presented at the compromised store registers in cases where the card-issuing bank hadn't implemented EMV correctly. Earlier today, fraud intelligence firm Gemini Advisory released a blog post with more information on recent merchant compromises -- including Key Food -- in which EMV transaction data was stolen and ended up for sale in underground shops that cater to card thieves. "The payment cards stolen during this breach were offered for sale in the dark web," Gemini explained. "Shortly after discovering this breach, several financial institutions confirmed that the cards compromised in this breach were all processed as EMV and did not rely on the magstripe as a fallback." Gemini says it has verified that another recent breach -- at a liquor store in Georgia -- also resulted in compromised EMV transaction data showing up for sale at dark web stores that sell stolen card data. As both Gemini and Visa have noted, in both cases proper iCVV verification from banks should render this intercepted EMV data useless to crooks. Gemini determined that due to the sheer number of stores affected, it's extremely unlikely the thieves involved in these breaches intercepted the EMV data using physically installed EMV card shimmers. "Given the extreme impracticality of this tactic, they likely used a different technique to remotely breach POS systems to collect enough EMV data to perform EMV-Bypass Cloning," the company wrote. Stas Alforov, Gemini's director of research and development, said financial institutions that aren't performing these checks risk losing the ability to notice when those cards are used for fraud. That's because many banks that have issued chip-based cards may assume that as long as those cards are used for chip transactions, there is virtually no risk that the cards will be cloned and sold in the underground. Hence, when these institutions are looking for patterns in fraudulent transactions to determine which merchants might be compromised by POS malware, they may completely discount any chip-based payments and focus only on those merchants at which a customer has swiped their card. "The card networks are catching on to the fact that there's a lot more EMV-based breaches happening right now," Alforov said. "The larger card issuers like Chase or Bank of America are indeed checking [for a mismatch between the iCVV and CVV], and will kick back transactions that don't match. But that is clearly not the case with some smaller institutions." For better or worse, we don't know which financial institutions have failed to properly implement the EMV standard. That's why it always pays to keep a close eye on your monthly statements, and report any unauthorized transactions immediately. If your institution lets you receive transaction alerts via text message, this can be a near real-time way to keep an eye out for such activity. [52] Tags: chip cards, cvv, Cyber R&D Labs, EMV, Gemini Advisory, iCVV, Key Food breach, POS malware, shimmers, skimmers, Stas Alforov, Visa This entry was posted on Thursday, July 30th, 2020 at 11:09 am and is filed under All About Skimmers, Latest Warnings, The Coming Storm. You can follow any comments to this entry through the RSS 2.0 feed. You can skip to the end and leave a comment. Pinging is currently not allowed. 18 comments 1. [16ac] Bob Stromberg July 30, 2020 at 11:41 am 1. Is there a way to determine if a particular financial institution has implemented the EMV standard correctly? 2. More specifically, if a customer has a card issued by a small bank or credit union or store, is it that store that must implement the EMV standard, or the issuing card company (such as VISA or MasterCard)? 3. If a customer were to send a query to their financial institution, what specific EMV configuration would they ask for? Is it simply to check for a mismatch between the CVV and the iCVV? 4. Is there a way for the casual user to determine if their card data has been posted for sale on the dark web? Something akin to https://haveibeenpwned.com or https://haveibeenpwned.com/ Passwords 5. If a user has frozen their accounts at all three major credit reporting agencies (Equifax, Experian, and TransUnion), does it matter overmuch to the individual, for financial reasons, if a credit card has been hacked? The individual might just as well wait for the card issuer to send an alert about the hack, or a new card, 'cuz after all the financial hit to the individual can only be as much as $50 and is usually zero. Reply + [04b0] Matt Fahrner July 30, 2020 at 2:33 pm Honestly forget EMV - it's just broken. Even if the issuer handles the CVV/iCVV correctly, the fact that the majority of the card data can be copied after it leaves the PED (PIN pad) makes EMV false security. If nothing else it makes it ripe for card not present fraud. Really merchants should be implementing P2PE or E2EE with tokenization where the data is encrypted from the PED all the way to the issuer, without the merchant holding or having any capability to decrypt the card data at all and only being given a unique random "token" as a placeholder. It is still possible for a PED to be compromised, but since they have controlled handling, code signing, and are tamper proof under PCI requirements, it's a much less likely scenario. Reply 2. [ed35] The Sunshine State July 30, 2020 at 12:09 pm Another great informative article ! Reply 3. [c472] E.W. July 30, 2020 at 12:17 pm Thank you. I had no idea about the 3 distinct values: iCVV, CVV, and the printed one on the back of the card. It seems to me as if online merchants always refer to the printed one as the CVV. Reply + [aa70] r f July 30, 2020 at 12:45 pm I thought that was confusing. According to wikipedia the printed one is "a type of" CVV, i.e. CVV2 https://en.wikipedia.org/wiki/Card_security_code# Types_of_codes Reply + [07f5] Mike July 30, 2020 at 1:07 pm Same here. I didn't know there were multiple CVV values in different places and the only time I've seen CVV refereed to is during online transactions. Reply 4. [6a95] Julus July 30, 2020 at 12:52 pm Does the EMV chip still check the PIN locally? I feel it should be properly done with some type of zero knowledge proof based on hashing and a shared secret (HMAC sytle) or public/private key crypto? Yes it would take more time. Reply + [c470] tmiw July 30, 2020 at 1:31 pm US cards are generally chip and signature-not chip and PIN-so there's usually no PIN on the card to verify. And even if there is one, almost all such cards are set up such that signature/no verification is preferred whenever possible. (Debit cards have some complications due to how debit routing works in the US, but I still consider those chip and signature because the Visa/MC AID on those is set up as such. Not to mention that PIN entry can be skipped nearly everywhere that asks.) There's also the issue that a significant fraction of US merchant terminals simply can't or won't ask for PIN even if the card prefers it for verification, effectively downgrading chip and PIN cards to chip and signature anyway. YMMV with cards/terminals from other countries, of course. Reply o [e08b] JCitizen July 30, 2020 at 5:46 pm This is definitely true in my area; as I never put the PIN in, and in fact, most of the time a care giver is shopping for me and doesn't know the PIN anyway. However, I found out if there is the slightest damage or glitch on the chip, the bank will tear up the card right in front of me, when I report refused sales. So they got a pretty tight system after all. They just order a new card and I have to switch cards until the new one gets in. So far this has happened only once. Once PITA though is that merchants keep reporting their networks are down, almost as if they don't want to deal with the Chip-N-PIN nightmare they've inherited. I'm about to call the company head quarters on this - especially since our state health officials are trying to get people off cash transactions because of the COVID problem. Reply 5. [d9a3] EA July 30, 2020 at 1:05 pm It must be pointed out that in the US if you insert the card 3 times and comes back as 'can't read' then you can swipe it. Thus allowing the normal track card thieves to steal whatever anyways when doing in person transactions. Reply 6. [bd94] MattK July 30, 2020 at 1:07 pm I hope that if you discover which banks are not properly implementing the standard that you name and shame them. Reply 7. [24c1] Muffin July 30, 2020 at 1:43 pm Bryan says: If your institution lets you receive transaction alerts via text message, this can be a near real-time way to keep an eye out for such activity.--I have set an alert that every time my credit card is charged $1 or more, I get an alert via email. It's not a problem for me to get these emails. I just delete after confirming. Reply + [ea02] Jonathon July 30, 2020 at 3:41 pm I have set it up with my bank, with notifications all the way down to $1. I have put in a request to have all transactions sent to me, regardless of amount, so that I can catch any rogue charges. I have read that some card thieves can put in charges under a dollar to verify the validity of the card number, in prelude to a big charge. Since I have put maybe one sub-$1 charge on my card in 15 years, it's not like they will have to send many more messages to me, so I don't see why the minimum charge amount can't be set to the smallest possible publicly-traded amount (such as a single cent, as I doubt anyone who is not a fuel company needs single-mill notification). Reply 8. [3379] John Levine July 30, 2020 at 3:09 pm I believe that banks have the ability to reject swiped transactions from cards that are supposed to have a chip, which would make this fraud a lot harder, at least for in-person transactions. But they don't. They must be making a phenomenal amount from swipe fees to be able to eat all the fraud. As for the swipe after three failures thing, the response to that is just say no. If the terminal is broken it's broken and they should fix it or get a new one. Reply 9. [e57f] Sai N July 30, 2020 at 3:56 pm Regarding the near real-time alerts from banks of transactions just done, I have a credit card from Fidelity, where this is next to useless: a) The SMS message is almost always a day, 3 days or even later than the transaction b) To add to the confusion, a vast majority of the transactions sit in a pending state when I get into the app for the credit card c) The worst part is that when the messages do appear, they are almost completely meaningless - they only have the amount with almost always no context. These appear to be the vast majority of transactions, including most of my online transactions, periodic automatic transactions d) The exceptions are when the charges are online and the messages appear in near real-time. That's about the only time there is a context e) So long story short, I have to log onto the Credit Card app to see what charges of mine are in a pending state (and the messages haven't reached me) and what the meaning of the messages are that I have just received In comparison, Chase and Citi messages are within the app, always near real-time, and almost always with roughly meaningful context as to the vendor Reply 10. [068e] Dario July 30, 2020 at 4:23 pm I found that one of the visa emv rsa keys was 512bits and I was able to factor it in a week with cado nfs, then I reported my findings to visa. I'm still waiting for a reply and the key is still listed as valid. https://twitter.com/0x446172696f0a/status/1262170347505364992?s= 19 https://www.eftlab.com/knowledge-base/243-ca-public-keys/ Reply 11. [3513] L'wood July 30, 2020 at 4:54 pm The acronym for POS in these types of articles doesn't compute, maybe use PoS and that will be more understandable to simple dopes like me. Thank you, love your work and insight. Reply 12. [0077] Chris Cooper July 30, 2020 at 5:07 pm "The technology causes a unique encryption key -- referred to as a token or "cryptogram" -- to be generated each time the chip card interacts with a chip-capable payment terminal." It sounds like this is meant to refer to a dynamic iCVV, which is not a key, a token, or a cryptogram (which are all different things)? Reply Leave a comment Click here to cancel reply. Name (required)[ ] Email (required)[ ] Website[ ] Comment [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [Submit Comment] Advertisement [5] * [ ] [search_mag] [48] * Mailing List Subscribe here * Recent Posts + Is Your Chip Card Secure? Much Depends on Where You Bank + Here's Why Credit Card Fraud is Still a Thing + Business ID Theft Soars Amid COVID Closures + Thinking of a Cybersecurity Career? Read This + NY Charges First American Financial for Massive Data Leak * * All About Skimmers All About Skimmers Click image for my skimmer series. * Donate to Krebs On Security * Spam Nation Spam Nation A New York Times Bestseller! * * The Value of a Hacked PC valuehackedpc Badguy uses for your PC * Tools for a Safer PC Tools for a Safer PC Tools for a Safer PC * The Pharma Wars The Pharma Wars Spammers Duke it Out * Badguy Uses for Your Email Badguy Uses for Your Email Your email account may be worth far more than you imagine. * eBanking Best Practices eBanking Best Practices eBanking Best Practices for Businesses * Most Popular Posts + Sextortion Scam Uses Recipient's Hacked Passwords (1076) + Online Cheating Site AshleyMadison Hacked (798) + Sources: Target Investigating Data Breach (620) + Cards Stolen in Target Breach Flood Underground Markets (445) + Reports: Liberty Reserve Founder Arrested, Site Shuttered (416) + Was the Ashley Madison Database Leaked? (376) + True Goodbye: 'Using TrueCrypt Is Not Secure' (363) + Who Hacked Ashley Madison? (361) + Following the Money, ePassporte Edition (353) + U.S. Government Seizes LibertyReserve.com (315) * Category: Web Fraud 2.0 Criminnovations Innovations from the Underground * [shreddedID-copy-285x189] ID Protection Services Examined * Is Antivirus Dead? Is Antivirus Dead? The reasons for its decline * The Growing Tax Fraud Menace The Growing Tax Fraud Menace File 'em Before the Bad Guys Can * Inside a Carding Shop Inside a Carding Shop A crash course in carding. * Beware Social Security Fraud Beware Social Security Fraud Sign up, or Be Signed Up! * How Was Your Card Stolen? How Was Your Card Stolen? Finding out is not so easy. * Krebs's 3 Rules... Krebs's 3 Rules... ...For Online Safety. --------------------------------------------------------------------- (c) 2020 Krebs on Security. Powered by WordPress. Privacy Policy