Vulnerabilities / Threats

8/1/2011
10:33 AM
50%
50%

Legacy Support Leaves Chip-And-PIN Vulnerable

Black Hat talk will show that security and backwards compatibility are at odds in popular authentication technology.

Black Hat
Vulnerabilities in the increasingly popular chip-and-PIN authentication technology used in credit cards could make it easy for attackers to steal data at the point of sale, a researcher said.

At the Black Hat USA conference, a UBM TechWeb event, in Las Vegas this week, Andrea Barisani, chief security engineer for secure design consultancy Inverse Path, will join with colleagues to show how flaws in chip-and-PIN--which is becoming a standard in Europe and Asia--can be easily exploited.

Chip-and-PIN systems are designed to support legacy transactions--including the transmission of the card's password or PIN in plain text, Barisani observed. As a result, it can be a trivial matter for an attacker to install a skimmer on a point-of-sale terminal and steal the credit card data.

Barisani says these flaws can be found in current and emerging credit card systems, including the EuroPay-Mastercard-Visa (EMV) system that is being implemented worldwide. While EMV supports three types of cards--older magnetic stripe cards, current chip cards, and more secure chip cards--skimmers can force transactions to use the least secure transaction method, he warned.

"EMV is broken," Barisani said. "In order to fix the problem, they will have to change the standard and break compatibility with older cards."

EMV currently supports three different standards: static data authentication, an upgrade from older magstripe cards; dynamic data authentication, a more secure implementation that uses an encryption key to scramble transaction information; and combined data authentication, which implements more stringent security measures.

Attackers who can attach a skimming device to the point-of-sale (POS) terminal can control the security negotiation between the terminal and the consumer's credit card, Barisani explained. In order to support the older POS technologies, credit and debit cards will transmit a user's PIN in the clear if required by the terminal. A skimmer attacked to the device can then scoop up the details of the credit card.

Tampering with point-of-sale terminals has been a popular exploit among cybercriminals for years. In May, craft-supply chain Michaels notified customers that their credit- and debit-account details may have been leaked after finding more than 70 compromised POS terminals in its stores nationwide.

The chip-and-PIN flaws could be problematic for banks, which previously blamed users when a PIN was stolen or misused, clearing themselves of liability for the theft. But if the new vulnerabilities are exploited, the source of the PIN theft--and the liability for the loss--could be in question.

Read the rest of this article on Dark Reading.

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
Why Enterprises Can't Ignore Third-Party IoT-Related Risks
Charlie Miller, Senior Vice President, The Santa Fe Group,  5/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11232
PUBLISHED: 2018-05-18
The etm_setup_aux function in drivers/hwtracing/coresight/coresight-etm-perf.c in the Linux kernel before 4.10.2 allows attackers to cause a denial of service (panic) because a parameter is incorrectly used as a local variable.
CVE-2017-15855
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, the camera application triggers "user-memory-access" issue as the Camera CPP module Linux driver directly accesses the application provided buffer, which resides in u...
CVE-2018-3567
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing the HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP messages.
CVE-2018-3568
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, in __wlan_hdd_cfg80211_vendor_scan(), a buffer overwrite can potentially occur.
CVE-2018-5827
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing an extscan hotlist event.