Vulnerabilities / Threats
8/1/2011
10:33 AM
50%
50%

Legacy Support Leaves Chip-And-PIN Vulnerable

Black Hat talk will show that security and backwards compatibility are at odds in popular authentication technology.

Black Hat
Vulnerabilities in the increasingly popular chip-and-PIN authentication technology used in credit cards could make it easy for attackers to steal data at the point of sale, a researcher said.

At the Black Hat USA conference, a UBM TechWeb event, in Las Vegas this week, Andrea Barisani, chief security engineer for secure design consultancy Inverse Path, will join with colleagues to show how flaws in chip-and-PIN--which is becoming a standard in Europe and Asia--can be easily exploited.

Chip-and-PIN systems are designed to support legacy transactions--including the transmission of the card's password or PIN in plain text, Barisani observed. As a result, it can be a trivial matter for an attacker to install a skimmer on a point-of-sale terminal and steal the credit card data.

Barisani says these flaws can be found in current and emerging credit card systems, including the EuroPay-Mastercard-Visa (EMV) system that is being implemented worldwide. While EMV supports three types of cards--older magnetic stripe cards, current chip cards, and more secure chip cards--skimmers can force transactions to use the least secure transaction method, he warned.

"EMV is broken," Barisani said. "In order to fix the problem, they will have to change the standard and break compatibility with older cards."

EMV currently supports three different standards: static data authentication, an upgrade from older magstripe cards; dynamic data authentication, a more secure implementation that uses an encryption key to scramble transaction information; and combined data authentication, which implements more stringent security measures.

Attackers who can attach a skimming device to the point-of-sale (POS) terminal can control the security negotiation between the terminal and the consumer's credit card, Barisani explained. In order to support the older POS technologies, credit and debit cards will transmit a user's PIN in the clear if required by the terminal. A skimmer attacked to the device can then scoop up the details of the credit card.

Tampering with point-of-sale terminals has been a popular exploit among cybercriminals for years. In May, craft-supply chain Michaels notified customers that their credit- and debit-account details may have been leaked after finding more than 70 compromised POS terminals in its stores nationwide.

The chip-and-PIN flaws could be problematic for banks, which previously blamed users when a PIN was stolen or misused, clearing themselves of liability for the theft. But if the new vulnerabilities are exploited, the source of the PIN theft--and the liability for the loss--could be in question.

Read the rest of this article on Dark Reading.

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1978
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Simple PHP Agenda 2.2.8 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator via a request to auth/process.php, (2) delete an administrator via a request to auth/admi...

CVE-2015-0741
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco Prime Central for Hosted Collaboration Solution (PC4HCS) 10.6(1) and earlier allow remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCut04596.

CVE-2015-0742
Published: 2015-05-21
The Protocol Independent Multicast (PIM) application in Cisco Adaptive Security Appliance (ASA) Software 9.2(0.0), 9.2(0.104), 9.2(3.1), 9.2(3.4), 9.3(1.105), 9.3(2.100), 9.4(0.115), 100.13(0.21), 100.13(20.3), 100.13(21.9), and 100.14(1.1) does not properly implement multicast-forwarding registrati...

CVE-2015-0746
Published: 2015-05-21
The REST API in Cisco Access Control Server (ACS) 5.5(0.46.2) allows remote attackers to cause a denial of service (API outage) by sending many requests, aka Bug ID CSCut62022.

CVE-2015-0915
Published: 2015-05-21
Cross-site scripting (XSS) vulnerability in RAKUS MailDealer 11.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted attachment filename.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.