I know of two biometric payment schemes:
The first is the Net1 social grant distribution scheme. This is used by the government in South Africa to distribute welfare payments to citizens. While it is a special purpose payment system, it looks rather like a bank because it supports card-to-card payments, has an ATM infrastructure, and even incorporates a micro-lending scheme. Fingerprint recognition is used because citizens are familiar with it, may not be able to remember a PIN, and might have difficulty communicating with staff (due to the lack of a common language). By distributing payments via an ATM, using a smart card and fingerprint reader, only the recipient ever handles cash, and so the system reduces the risk of fraud by staff. This system was described in a talk by Keith Breckenridge, Professor of History and Internet Studies, University of KwaZulu-Natal, South Africa, in December 2007. The slides for his talk are online.
The second scheme is in Japan, and was described by Mitsutoshi Himaga of Hitachi-Omron, at the October 2008 ATM Security conference, organized by the ATM Industry Association. Hitachi-Omron are the manufacturers of a finger-vein detection scheme for ATMs, which he said was used by 81% of Japanese banks. They chose finger-vein detection because it is non-contact (reducing hygiene concerns, and it doesn't leave traces behind), is stable, and has acceptable error rates (failure to enrol rate: 0.08%; false match rate: 0.01% at 1.26% false non-match rate). The system is optional for customers, but they get a higher withdrawal limit if they opt in.
17 Apr 2010 16:32
Thanks for the comment Adam. It seems that the task of detecting this attack is a bit more subtle than it first appeared.
24 Feb 2010 16:24
Richard,
"Have you tried this attack against large foreign-currency exchange transactions?"
I haven't, because we have not been able to find such a place that would consent to us testing this attack, but we did try some fairly high-value transactions. I think the largest was £200, because that's all the BBC were willing to try. I do know that there are UK currency exchanges which will accept Chip & PIN, without having to hand over the card, and without presenting additional ID.
17 Feb 2010 22:44
We detail our experiments in our paper. We also discuss the ATM case in our blog post linked to above.
We did not try the equipment in an ATM (there are some logistical problems), but since I have been told that all UK ATMs use online PIN verification, this attack would not work. When I said you could get cash, I was referring to a foreign-currency exchange, for which this attack would work.
17 Feb 2010 12:30
Jan-Olof,
CDA is not sufficient to prevent this attack, nor is online authorization. What is needed is for either the card or issuer to compare the CVMR against the CVR.
The UK banks claimed to do so, but our experiments showed that they did not. The question for other countries is whether they made the same mistake. I think the only way to find out is to perform a test on the live system.
16 Feb 2010 18:43
Andy,
Thanks for your comments on this issue. You may also be interested to read the comments on my blog posts, at Finextra and Light Blue Touchpaper. You will see that there is quite a wide range of opinions on how this attack should be mitigated.
"Currently the CVMR data doesn’t always get passed from the acquirer to the issuer"
That is a very interesting point. So far we've been investigating the merchant to acquirer interface, and it seems that the CVMR (or equivalent) is commonly sent to the acquirer. However, if it is dropped by the time it gets to the issuer, this way of preventing the attack doesn't work any more.
Do you have any reference for this fact, so we could mention it in the updated version of our paper?
16 Feb 2010 15:58
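The two comments above (CVMR must be compared against the CVR; the CVMR is sometimes dropped before it reaches the issuer) describe an issuer-side check. The following is an added illustration of that check, not code from Finextra, the paper or any scheme: the layout of EMV tag 9F34 (CVM Results) is the standard one, but the card-side "offline PIN verified" flag is scheme-specific, so it is taken here as an already-decoded boolean (an assumption), and the sample transaction is constructed.

```python
# Issuer-side consistency check between the terminal's CVM Results (tag 9F34)
# and the card's own record of whether it performed offline PIN verification.
# Added example; the card-side flag is assumed to be decoded elsewhere.
from dataclasses import dataclass
from typing import Optional

# CVM codes (low 6 bits of 9F34 byte 1) meaning the card verified the PIN offline:
# plaintext PIN, plaintext PIN + signature, enciphered PIN, enciphered PIN + signature.
OFFLINE_PIN_CVM_CODES = {0x01, 0x03, 0x04, 0x05}
CVM_RESULT_SUCCESS = 0x02  # 9F34 byte 3: 00 unknown, 01 failed, 02 successful


@dataclass
class CvmResults:
    cvm_code: int   # which CVM the terminal believes was applied
    condition: int  # CVM condition code (not needed for this check)
    result: int     # outcome as recorded by the terminal

    @classmethod
    def parse(cls, raw: bytes) -> "CvmResults":
        if len(raw) != 3:
            raise ValueError("9F34 must be exactly 3 bytes")
        # Bits 8-7 of byte 1 are the "fail / apply next rule" flag; mask them off.
        return cls(cvm_code=raw[0] & 0x3F, condition=raw[1], result=raw[2])


def check_pin_consistency(cvmr_raw: Optional[bytes],
                          card_offline_pin_verified: bool) -> str:
    """Return 'ok', 'mismatch' or 'unverifiable'.

    card_offline_pin_verified is assumed to come from the card's CVR in the
    issuer application data; how that is decoded differs per scheme.
    """
    if cvmr_raw is None:
        # The acquirer did not forward the CVMR: the issuer cannot do this check,
        # which is exactly the gap the second comment raises.
        return "unverifiable"
    cvmr = CvmResults.parse(cvmr_raw)
    terminal_says_offline_pin_ok = (cvmr.cvm_code in OFFLINE_PIN_CVM_CODES
                                    and cvmr.result == CVM_RESULT_SUCCESS)
    if terminal_says_offline_pin_ok and not card_offline_pin_verified:
        # Terminal believes the card checked the PIN, but the card never did.
        return "mismatch"
    return "ok"


# Constructed sample: terminal reports plaintext offline PIN (code 0x01) succeeded.
SAMPLE_CVMR_OFFLINE_PIN_OK = bytes.fromhex("410002")
```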
Hi Adam,
Are you referring to the ISO 8583 Point of service entry mode? I saw this mentioned in a blog post by Dave Birch. There is apparently a single-digit field which states how cardholder verification occurred, but I haven't been able to find out the encoding. That's yet another specification we should get (this one is £150, which is at least better than the £500 price tag on APACS 70).
Steven.
16 Feb 2010 15:36
The US case is indeed very interesting, because the country is an outlier in several relevant dimensions.
In fact, I'm currently in Philadelphia, PA, having been invited to give the keynote at a Federal Reserve conference on payment system security. I'll be talking about this vulnerability, and others, but I hope to also learn a lot more about the US market.
15 Feb 2010 19:54
"Why would anybody bother with a complex attack on chip and pin"
"1. stolen not yet blocked card"
"2. the card chip must be SDA or DDA and not CDA"
"3. The card product must be one that allows offline"
"4. The terminal must be offline PIN"
"5. preferably the purchase needs to be offline as well."
"Many of these circumstances are outside the control of the fraudster. This means that at best, the thief gets away with one or two trx per stolen card for a limited amount."
"Much easier to go on the internet and buy something easily sellable by just using somebody else's card number, since there are still a lot of web shops, acquirers and card issuers that do not require any security protocol; just the entry of the card number is enough."
15 Feb 2010 17:36
Hi Jeremy,
I think there is a strong case for forcing EMV transactions to be online.
EMV was designed more than 15 years ago when one could not assume that terminals could be online. Now I think it would be much more reasonable.
This would greatly simplify the system, which would go a long way to preventing future problems. It would also lower the costs of the issuing process, and of the cards themselves.
Online-PIN is not such a clear decision however. Yes, it would prevent this vulnerability, but there is still the question of how to securely get the PIN back to the issuer. At least in the UK, the acquirer to merchant link is sometimes unencrypted.
With offline-PIN, the PIN is only sent between the terminal and the card (and is potentially encrypted). With online-PIN, the PIN block will be in the clear each time it is re-encrypted. There have been cases in the US where hardware security module security was breached, leaking the PIN blocks.
So I think a better end-to-end PIN encryption scheme is needed for online-PIN, before it should be recommended. This is certainly technically feasible, but I have not seen any concrete proposals for an EMV modification to support this.
15 Feb 2010 16:11