VISA expels Heartland and RBS Worlday from the world of PCI

Wot?

Marite wrote:

Is EMV the solution to this problem? [As] long as there are POS or ATMs that accept mag-stripes, then the answer is no. This is also assuming that the chip cannot be cloned or cannot be tampered with. But just as the SDA has been subverted which prompted the French issuers to upgrade to DDA, cloning or tampering of the chip is not impossible.

Two things.

Firstly, to say that EMV doesn't fix the problem because ATMs still accept mag stripe is to misrepresent EMV.  The whole point of chip is that mag stripe is insecure.  Issuing cards with both EMV and mag stripe is a simple tradeoff of accessibility vs. security.  The  weaknesses in that hybrid system cannot be blamed on EMV; rather, they prove the need for chip don't they?!

Secondly, there is no absolute assumption that EMV chips "cannot be cloned".  The important thing is that they are much much harder to clone than mag stripe.  Nothing is perfect; there is an arms race going on.  Marite seems to think the upgrade from SDA to DDA is a sign of insecurity, but really it was a sign of continuous improvement.  

Can you point to a known example of the better DDA chips being subverted?

Hi Stephen, I was not blaming EMV. My point is that at the moment and for several reasons, some of which I mentioned, other countries choose not to implement chip and pin which means that the card acceptance in these countries is still predominantly mag-stripe based. I hope that I was able to explain why the mag-stripe is alive and well in th U.S.

I have not heard of a DDA cloning case. But no one can rule out that it cannot happen or at the very least, fraudsters will find a way to tamper with the chip. There's just not a business case at the moment for fraudsters to fully invest their time to subvert the chip when they can easily benefit from several weaknesses. In this particular case, the weakness was not only the exposure of the PIN-BLOCKS but also inadequate card management (daily limits and usage in multiple countries) on the side of Issuing.

OK, so the answer to the question "Is EMV the solution to this problem?" should be YES!  Take away the mag stripe and the vulnerability is mitigated.

And when you say "cloning or tampering of the chip is not impossible" without being able to point to an actual attack, then all you're doing is spreading FUD.  Any security technology can be said to be vulnerable.  That's just a statement of the bleeding obvious.  Yes, when EMV penetrates fully, criminals will concentrate on the chips.  But we all know that, and smartcard manufacturers have a long history of knowing and responding to threats (like differential power analysis, and timing analysis attacks).

Smartcards are smart; they can tell what's going on around them, and can be programmed and upgraded to respond to threats.  They provide a platform in which we can respond to criminals' attack modalities as the arms race evolves.  Mag stripe technology on the other hand is a dead end.  I'm surprised anyone would advocate extending it any further.

From AmericanBanker, January 30, 2009 :

""The U.S. is going to adopt EMV in about the same way the U.S. adopted the metric system — somewhere between kicking and screaming and not at all," said Ed Kountz, a senior analyst at the technology research company Forrester Research Inc. of Cambridge, Mass.

The cost of card fraud is not great enough to justify the expense of changing the enormous card-acceptance infrastructure nationwide, Mr. Kountz said. "It doesn't seem to have hit a tipping point where it's impossible to bear."

Kevin Gillick, the executive director of GlobalPlatform, a trade group for the smart card industry, also voiced doubt that contactless technology would open the door to EMV in this country, at least in the near future.

"America is not going to be moving to EMV, not anytime soon. The current infrastructure is considered secure enough and fraud losses are written off as a cost of doing business," Mr. Gillick said."

Stephen, your advocacy to EMV is understandable. For countries that issue only chip and pin, why don't they just remove the mag-stripe then? Don't you think that this is one way to protect non-US issued chip and pin cards?

But going back to the U.S., consider the following :

- consider the cost of issuing SDA chips. in addition to the $4.00 per chip cost to the issuer, one needs to consider the time and effort required to implement EMV. By the end of 2008, it is said that 48 million Discover cards and 47 million AMEX have been issued in the U.S. By end of 2006, there were 984 million visa and mastercard issued in the U.S. We're looking at approximately over $4 billion in the actual chip issuance cost alone.

- consider that the average interchange fee in the U.S. is 179 basis points (1.79%). compare this to the uk (european mif) rate, which went down to 79 basis points because of chip and pin.

- consider the investment on the merchant/acquiring side to upgrade all the atms and terminals in the U.S. A certain effect would be a demand to slice the interchange fees to the same level as Europe's. 

- consider that in 2007, U.S. issuers earned $42 billion in interchange fees. That's approximately $38.18 per card. If interchange fees were to go as low as europe's, then you would be looking at $18.5 billion which would be approximately $16.8 interchange fees earned per card.

- consider that by end of 2006, total card fraud losses were estimated to $990 million approximately 90 cents per card. Compare this with the cost of issuing chip and the potential loss of interchange fee revenue, then perhaps one can understand why the mag-stripe’s life is extended in the U.S.

"$4.00 per chip cost to the issuer" now that is what I call card fraud!

Where have you got that number from?

From a business presentation given by a vendor. 

EMV - DES, single app, SDA - $1.00

EMV - PK, single app, SDA/DDA  - $2.00

SDA, multi-appl - $3.50

SDA/DDA, multi-app / contactless - $4.00

So rather than use the correct number you to chose to go for the price attributed to a multi app contactless card? 

$1 per card is about right - to say the cost for SDA is $4 is misleading to say the least, no wonder the US business case doesn't stack up if this is the way it's prepared!

why would you recommend SDA!?

That pricing is just the cost of issuance and its not my pricing. There's more work and money involved on the acceptance side. The hard sell is for contactless DDA since 'they' think that contactless might precipitate the move to EMV. 

Misleading? I dont think so. But don't shoot me, I'm just the messenger. I do not sell smartcards.

" consider the cost of issuing SDA chips. in addition to the $4.00 per chip cost to the issuer"

Marite, I did not recommend SDA or express any opinion on what the right solution is, I merely pointed out a flaw in your argument. You stated that SDA costs $4 per chip - this is incorrect and misleading, as your own figures clearly show.

I don't sell chips either, I just like informed debate which presents facts correctly.

Oh I see. I apologize. My error! I meant DDA! Typed too fast and didn't have time to proof. -marite

"* One personal observation relates to T&E card transactions. For example, restaurant bills in the U.S. are not totaled and require signatures. The tip is always added to the bill and the cardholder can enter any tip amount he wants to give to the server, then sign. I might add that in the U.S., tips MUST be added! How can you possibly do this with a hand-held terminal that a server in Europe carry around with him/her?"

This is already done in Norway. The customer inserts (or swipes) the card in the hand-held terminal, the amount without tip is displayed, the customer enters the total amount including tip and finally enters the PIN-code.

Sweden is about to implement the same behaviour.

"* With the lack of pin-codes, fraudsters would have to not only clone the mag-stripes but must also do way beyond white-plastic fraud. In addition to creating authentic looking cards (with the bank logo, embossed card number and name), fraudsters must also come up with an official-looking ID card to match the name on the fake card."

As far as I know, Visa/MasterCard does not require the cashier to check the ID-card. The requirement is only to check that the signature on the receipt match the signature on the payment card.

In Sweden, ID-cards are typically only required for amounts above ~€20, but not for foreign cards. However, it's very rare to see a cashier match the signature on the receipt with the signature on the payment card. The customer will usually get the payment card back before signing the receipt.

In Norway you are only required to check the ID card for offline purchases (which rarely happens) and then the ID is usually printed on the back of the payment card.

Most payments in Scandinavia are made online with PIN verification though.

It would be interesting to see some statistics about the various national rules/practices regarding ID check and signature matching.

Thanks for all that detail Marite, but it's a strawman.

You asked rhetorically at the start whether EMV can fix a particular fraud problem.  You said no. 

One of the weaknesses in your argument was that you conceive of "EMV" cards as still having magnetic stripes.  So to be fair, EMV (chip) really would fix the problem.

Then you changed tack, and argued that EMV is hard to get going in the US.  Fair enough, yet the answer to the question Would EMV fix the fraud problem? is still yes.  

We need to separate the technical issues and the business issues in these debates.  Most online identity fraud modalities are based on the same underlying vulnerability: personal data (the lifeblood of e-business) is replayable, and receivers find it difficult to tell the data's pedigree.  To fix this problem properly we need new ID technologies.  If the business case for switching to new technologies cannot yet be made, then so be it.  In the interim, you can try to squeeze more life out of magnetic stripe cards, or try other stop-gap fixes.  But if you're trying to position some alternative to chip, then you need to be clear about how it compares on business criteria and how it compares on technology criteria, and not get them all mixed up in a messy and exagerated anti-EMV rant.

I think I was far from ranting as I brought out the numbers that decision-makers look at in the course of making business decisions. 

One size does not fit all. Again, your passion for EMV is understandable but there are other solutions that can work better than EMV in other situations. Saying this does not mean that I am anti-EMV, which you seem to think that I am. I see a lot of use for the chip and pin. We do work with EMV! We have it incorporated into our of our products! It would be foolish of me, or for anyone for that matter to be anti any solution / system that benefits the market.

My as you say 'messy' explanation of why the U.S. is clinging on to mag-stripe should help answer the frequent questions of why americans are still doing signature.

In 2006, reports state $1 billion of U.S. card fraud for a volume of $1,530 billion. Even I did a 'double-take' on these numbers. Compare this to 2007 APACS numbers : £0.535 billion of card fraud for a volume of £224 billion and even I suspected that $1 billion of card fraud in the U.S. is a gross understatement. Then I realized that card usage and payment behaviour might also have a lot to do with maintaining a low level of fraud (less pin, less fraud).

The current reality of it is that it would be better to think of other (as you say) 'stop-gap' fixes while the chip and pin industry can think of a way to make the business case for EMV attractive to U.S. businesses. As it stands, a change in payment security can offset and upset existing revenue streams. For example, the European implementation of chip and pin resulted to a decrease in card issuing revenues specially for issuing banks that did not charge card annual fees.

It is always my intent to expose possible explanations to questions and issues related to card, payment and online security or at the very least start a healthy discussion which I hope is also informational. I do apologize for what you call my 'mess' and 'rant' but I thank anyone that contributes to this discussion.  :-) cheers, Marite

"As far as I know, Visa/MasterCard does not require the cashier to check the ID-card. The requirement is only to check that the signature on the receipt match the signature on the payment card."

There might be some transactions where the cashier forgets to check but VISA/Mastercard always required that the signature be checked. However with recent changes in the U.S., pin/signature is waived for small transaction amounts.

1. EMV terminals in restaurants in the UK are able to do that tipping thing - provided the functionality is turned on.  All terminals aimed at the restaurant (and similar) trade are certified for this by the acquirers.

2. I will ask the question again - does anyone know how this fraud was facilitated?  I don't mean tell me how to do it, I mean explain the principles, as I can't see how all of this could have been put together - it makes no sense!!!  And if it is a news item without substance, then we are all looking at issues that don't actually exist.

3. And I still don't get where the PINs came from.

We've been asking the same questions of RBS, but the bank has adopted an ultra-firm no comment policy. The fact that they don't deny the substance of the story outright, or try to massage perceptions, indicates a very serious breach.

Hi David,

The PIN-Blocks, offset were compromised. It's called Pin-block hacking. This is nothing new. It has happened before. This can be done by hacking the server or network tapping. 

The lifting of the daily limits can be done by changing the service codes and track 3 prior to encoding it AND if there isn't a check done on the issuing level's authorization (or the  stand-in). 

Hey ...

So PIN block hacking takes place as the authorisation request is on its way through the acquirers' systems, en route to multiple issuers; because clearly the acquirer won't be storing the PIN blocks, and the hackers will be hard pushed to infiltrate multiple issuer hosts.  Or is the PIN block hacking you are referring to that which applies to issuer databases - which is what I suspect?  But if they are hacking multiple issuer databases, they will need multiple issuer keys - it's one thing to have a single vulnerability at a single acquirer, but something completely different to have the same vulnerability across multiple financial institutions.  That would be corporate stupidity on a massive scale!  No matter, the weakness in all of these cases is the apparent availability of the keys / algorithms necessary to retrieve the PINs from the PIN blocks.

I thought the use of track 3 was consigned to the scrap-heap in the 1970s and 1980s.  I began working with ATMs in 1986, and the use of track 3 was long gone then - unless it was one of those banking secrets and I wasn't one of those who needed no knpow.  However, if there are numptie (intellectually challenged) banks that are still supporting this as a means of limiting cash withdrawals, especially in a global ATM environment that demands online authorisations, originating in a nation that requires all transactions to be authorised online, then I guess they deserve all they get.

So this fraud looks like it was the result of transaction sniffing on unencrypted acquirer communication lines [non card related security issue], with easy access to the acquirer working keys (which should be different for each ATM) [non card related security issue], and the ability to override the requirement for online authorisation [non card related security issue], not to mention the use of track 3 as a withdrawal restriction mechanism [I'm not sure if this is a card-related issue or not].

I have no reason to doubt Marite's knowledge of the US payments landscape, and assuming it is all true, it seems to me that the banks got exactly what they deserved - and long may it continue.  This is the banking mentality that is resisting the adoption of EMV, on the grounds that it is expensive, it doesn't do the job, and anyhow, there aren't any problems with transactions in the US.  

All that remains to be said I think, is: International Liability Shift - bring it on!

You're right. Track 3 is suppposed to be a dead track. But in case it's still encoded, that's where the amount per cycle and international capability are tagged. The service code in track 2 helps determine the ATM and international capability as well. What happened sounds like the fraudsters did a bit of research and experimentation prior to the 30 minute caper to find out 'which' did not properly check amount per cycle; amount remaining in this cycle,... 

So ...

does anyone know of any ATM anywhere in the world that dispenses cash based on offline authorisations against track 3?