Vulnerabilities / Threats
8/1/2011
10:33 AM
Connect Directly
RSS
E-Mail
50%
50%

Legacy Support Leaves Chip-And-PIN Vulnerable

Black Hat talk will show that security and backwards compatibility are at odds in popular authentication technology.

Black Hat
Vulnerabilities in the increasingly popular chip-and-PIN authentication technology used in credit cards could make it easy for attackers to steal data at the point of sale, a researcher said.

At the Black Hat USA conference, a UBM TechWeb event, in Las Vegas this week, Andrea Barisani, chief security engineer for secure design consultancy Inverse Path, will join with colleagues to show how flaws in chip-and-PIN--which is becoming a standard in Europe and Asia--can be easily exploited.

Chip-and-PIN systems are designed to support legacy transactions--including the transmission of the card's password or PIN in plain text, Barisani observed. As a result, it can be a trivial matter for an attacker to install a skimmer on a point-of-sale terminal and steal the credit card data.

Barisani says these flaws can be found in current and emerging credit card systems, including the EuroPay-Mastercard-Visa (EMV) system that is being implemented worldwide. While EMV supports three types of cards--older magnetic stripe cards, current chip cards, and more secure chip cards--skimmers can force transactions to use the least secure transaction method, he warned.

"EMV is broken," Barisani said. "In order to fix the problem, they will have to change the standard and break compatibility with older cards."

EMV currently supports three different standards: static data authentication, an upgrade from older magstripe cards; dynamic data authentication, a more secure implementation that uses an encryption key to scramble transaction information; and combined data authentication, which implements more stringent security measures.

Attackers who can attach a skimming device to the point-of-sale (POS) terminal can control the security negotiation between the terminal and the consumer's credit card, Barisani explained. In order to support the older POS technologies, credit and debit cards will transmit a user's PIN in the clear if required by the terminal. A skimmer attacked to the device can then scoop up the details of the credit card.

Tampering with point-of-sale terminals has been a popular exploit among cybercriminals for years. In May, craft-supply chain Michaels notified customers that their credit- and debit-account details may have been leaked after finding more than 70 compromised POS terminals in its stores nationwide.

The chip-and-PIN flaws could be problematic for banks, which previously blamed users when a PIN was stolen or misused, clearing themselves of liability for the theft. But if the new vulnerabilities are exploited, the source of the PIN theft--and the liability for the loss--could be in question.

Read the rest of this article on Dark Reading.

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5242
Published: 2014-10-21
Directory traversal vulnerability in functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter in a get_template action.

CVE-2012-5243
Published: 2014-10-21
functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to read arbitrary database information via a crafted request.

CVE-2012-5702
Published: 2014-10-21
Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to i...

CVE-2013-7406
Published: 2014-10-21
SQL injection vulnerability in the MRBS module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2531
Published: 2014-10-21
SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search action to the (1) NodeWorx , (2) SiteWorx, or (3) R...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.