Don't Overestimate EMV Protections, Underestimate Card Thief Sophistication

Published: 22/11/2024   Category: security




At Black Hat, an AccessData researcher will offer up a crash course in card payment tech and protections to root out security community misconceptions



Even in the wake of massive breaches and losses from credit card merchants and processors, many security practitioners today still hold a lot of misconceptions about how credit card processing systems and protection mechanisms work. Next month at Black Hat, one researcher plans to hold a crash course for security professionals that debunks some commonly held fallacies and clears up why card thieves have been so successful even as card security awareness has risen in the era of PCI.
"I'd say the biggest misconceptions in the security community [are] an overestimation of the protection that EMV provides, an underestimation of the skill of the attackers and a lack of understanding about how many systems that card data passes through when they're processed that are vulnerable to interception of data," says Lucas Zaichkowsky, enterprise defense architect for the forensics and security firm AccessData, who will lead a talk on point-of-sale (POS) architecture and security.
In particular, Zaichkowsky will dedicate a significant chunk of time in his briefing discussing EMV chips, the successor to the traditional magnetic stripes; EMV was introduced in recent years to lower the rate of card fraud.
"Everyone talks about how EMV will save the day, but the truth is that the primary purpose of EMV is just to make it so that the card cannot be cloned. When you do an EMV read of a card on a POS terminal, it will pass your card number and expiration in plain text, your name in plain text," he says, "and even the track two data is almost exactly the same as a mag stripe card, with the only difference being that three-digit CVV code in the middle of the track data."
As he explains, that's not a flaw or an exploitation; it is just how it works by design. To demonstrate this, he plans to run live demos during his talk comparing magnetic card swipes with EMV card swipes and how each looks on the back end.
"This is not some kind of big vulnerability that no one knows about," he says. "The proponents of EMV either don't understand it or they're some special interest group that's pushing it through because that's their job and they just kind of skirt around telling people that by the way, you should encrypt this stuff because it has the card number and expiration data in plain text."
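The following Python is an added illustration, not code from the article or from the talk: it scans text such as POS logs for unencrypted track 2 data so that it can be located and then removed or encrypted. It assumes the ISO/IEC 7813 track 2 layout (PAN, separator, YYMM expiry, three-digit service code, discretionary data); the function names, log lines and card numbers are constructed for the example.

```python
import re

# Assumed layout (ISO/IEC 7813 track 2): PAN, separator, YYMM expiry,
# 3-digit service code, discretionary data. Magstripe data uses '=';
# the hex-encoded chip form uses 'D' and may end with an 'F' pad nibble.
TRACK2 = re.compile(r"(?<!\d)(\d{13,19})[=D](\d{2})(\d{2})(\d{3})\d*F?(?!\d)")

def luhn_ok(pan):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep only the first six and last four digits for reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(lines):
    """Report plaintext track 2 hits without echoing the full PAN."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for m in TRACK2.finditer(line):
            pan, yy, mm, service = m.groups()
            if not luhn_ok(pan) or not 1 <= int(mm) <= 12:
                continue        # checksum or month invalid: likely not card data
            hits.append({"line": lineno, "pan": mask(pan),
                         "expiry": f"{mm}/{yy}", "service_code": service})
    return hits

# Constructed sample log lines using well-known test card numbers.
SAMPLE_LOG = [
    "10:02:11 POS01 swipe ok ;4111111111111111=25122010000000000?",
    "10:02:40 POS01 chip read 5555555555554444D2612201000000000F",
    "10:03:02 POS01 order=4111111111111112=2512201 rejected",   # fails Luhn
    "10:03:09 POS01 ticket 4111111111111111=2513201 printed",   # month 13
]

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_LOG):
        print(hit)
```

Both the swipe line and the chip-read line are reported, which mirrors the article's point that the chip read carries the same card number and expiration in the clear.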
He'll also offer up some visual charts of how the data flow works, from USB-powered card reader to POS terminal, to back-end store servers, to processing company systems and HSM modules, to card company systems and finally to banks, and all the way back through the chain again that data must flow through in order for a card to be processed for any given transaction. Through that explanation, he'll point out the weakest points in the ecosystem and sometimes even some strong points that security professionals may not be aware of. For example, security pros may not know that PIN pad devices are actually extremely secure on the merchant side because that data is strongly encrypted and the keys are not stored with the merchant but instead are in a hardware security module (HSM) held by the card processor.
However, if attackers can find a way to attack that card processor's HSM, they may hold keys for all of the merchant PIN data held by the processor.
And that's often the exact tack that many sophisticated card-thieving criminals will take, illustrating one of Zaichkowsky's other big points of the briefing. A good example of how this can happen is the breach at RBS Worldpay, where attackers brute-force attacked the HSM there to gain access to PINs processed for customers.
"These criminals understand all this stuff and how these payment system components interoperate," he says. "They get how these HSMs are designed, they'll get the manuals for these components, read them, program to them and they understand point-of-sale environments very well. They're highly skilled and they know what they're doing."
