Yet another story in yet another newspaper about yet another attack on EMV. Except this time the attack is real. What’s more, it is entirely feasible. And I know that it works in the mass market, because I actually executed just such an attack years ago (and owned up to it, of course!). Sadly, the decade-old hack won’t work anymore. Well, that’s not completely true. It will work in one or two places. Why? Well…
The reason is that Latin America, an early adopter of EMV, is still heavily reliant on static data authentication (SDA) chips, which allow a criminal with a skimmer to create usable new chip cards from the data it captures.
Wait, what? Creating usable EMV cards with skimmed data! But that’s impossible! Oh, hold on… Static Data Authentication (SDA). OK, fair enough. That is possible after all. Of course my colleagues at Consult Hyperion knew all about this many years ago, which is how come I came to prosecute just such an attack to demonstrate it to one of our banking clients. I used our kit to make a bogus SDA card (a “yes card” on Multos white plastic, but I’ll redact the rest of the procedure!) and bought a train ticket with it at Guildford station. Then I took the card, the unopened PIN mailer, the ticket and the receipt to the head of cards at one of the UK’s biggest banks!
Anyway, although it was known about years ago I thought it would have been irresponsible to blog about it at the time, so I put it to one side and then, stimulated by a Brazilian, I finally wrote about it a couple of years ago, explaining in detail what the problem was and how it was fixed.
Those cryptograms are what should catch the bogus card: a cloned SDA card can copy the signed static data, so a terminal’s offline check passes, but the clone never had the genuine card’s key, so the application cryptograms it generates won’t verify at the issuer. In practice the cryptograms aren’t checked properly for, by and large, one of two reasons. It’s either because the bank hasn’t installed the necessary hardware and software to do it properly (this sometimes happens because they are pushed into issuing but don’t have the budget or time to do things correctly) or the bank does have the necessary infrastructure but the operations people get the IT people to ignore the cryptogram check as customers are getting annoyed with transactions being declined.
(Please don’t bother sending me emails about these points because I know the statements are gross oversimplifications!)
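To make the two failure modes above concrete, here is a toy model of an SDA card, a skimmed “yes card” clone of it, a terminal and an issuer host. It is an added example, not Consult Hyperion’s kit or the redacted procedure from the post: HMAC-SHA256 stands in for the RSA static signature and the 3DES application cryptogram of real EMV, the keys, PAN and transaction data are constructed, and the flow is reduced to the three checks that matter here (static signature at the terminal, offline PIN, cryptogram at the issuer).

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed keys for the simulation (not real EMV material). Real SDA uses an
# RSA certificate chain and real cryptograms use 3DES/AES; HMAC-SHA256 stands
# in for both so the example runs with the standard library alone.
ISSUER_SDA_SIGNING_KEY = b"issuer-static-data-signing-key"
ISSUER_MASTER_AC_KEY = b"issuer-master-ac-key"


def sign_static_data(static_record: bytes) -> bytes:
    """Issuer signs the static application data once, at personalisation (SDA)."""
    return hmac.new(ISSUER_SDA_SIGNING_KEY, static_record, hashlib.sha256).digest()


def derive_card_ac_key(pan: str) -> bytes:
    """Card-unique cryptogram key, derived from the issuer master key and the PAN."""
    return hmac.new(ISSUER_MASTER_AC_KEY, pan.encode(), hashlib.sha256).digest()


@dataclass
class Card:
    pan: str
    static_record: bytes       # readable by any terminal, and by any skimmer
    ssad: bytes                # signed static application data, also readable
    ac_key: Optional[bytes]    # secret; None for a clone that never had it
    pin: Optional[str]         # genuine card's offline PIN; a yes card has none

    def verify_offline_pin(self, entered: str) -> bool:
        # A "yes card" says yes to any PIN; the genuine card actually compares.
        return True if self.ac_key is None else entered == self.pin

    def generate_ac(self, txn: bytes) -> bytes:
        # The genuine card MACs the transaction data with its secret key.
        # The clone has no key, so all it can emit is garbage.
        if self.ac_key is None:
            return b"\x00" * 8
        return hmac.new(self.ac_key, txn, hashlib.sha256).digest()[:8]


def skim(card: Card) -> Card:
    """Everything a skimmer can read from an SDA card is static, so it copies cleanly."""
    return Card(card.pan, card.static_record, card.ssad, ac_key=None, pin=None)


def terminal_sda_check(card: Card) -> bool:
    """The terminal's offline check: a static signature cannot tell a copy from the original."""
    return hmac.compare_digest(sign_static_data(card.static_record), card.ssad)


def issuer_check(pan: str, txn: bytes, cryptogram: bytes, verify_cryptogram: bool) -> bool:
    """Issuer host: recompute the cryptogram with the derived card key, unless the check is switched off."""
    if not verify_cryptogram:
        return True  # the operations team asked IT to stop declining on bad cryptograms
    expected = hmac.new(derive_card_ac_key(pan), txn, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(expected, cryptogram)


def run_transaction(card: Card, txn: bytes, entered_pin: str, issuer_verifies: bool) -> dict:
    """Run one purchase and report the outcome of each stage."""
    result = {"sda_ok": terminal_sda_check(card), "pin_ok": card.verify_offline_pin(entered_pin)}
    if not (result["sda_ok"] and result["pin_ok"]):
        result["approved"] = False
        return result
    ac = card.generate_ac(txn)
    result["approved"] = issuer_check(card.pan, txn, ac, issuer_verifies)
    return result


def make_genuine_card(pan: str = "9999000000000001", pin: str = "1234") -> Card:
    """Personalise a genuine SDA card (constructed PAN, constructed record)."""
    record = b"PAN=" + pan.encode() + b";EXP=2912;AIP=SDA"
    return Card(pan, record, sign_static_data(record), derive_card_ac_key(pan), pin)


if __name__ == "__main__":
    genuine = make_genuine_card()
    clone = skim(genuine)
    txn = b"amount=0350;currency=826;unpredictable=1a2b3c4d"  # constructed transaction data
    print("genuine card, right PIN:      ", run_transaction(genuine, txn, "1234", issuer_verifies=True))
    print("clone, issuer checks AC:      ", run_transaction(clone, txn, "0000", issuer_verifies=True))
    print("clone, issuer ignores AC:     ", run_transaction(clone, txn, "0000", issuer_verifies=False))
```

The clone passes the terminal’s signature check and any PIN you type, exactly as the yes card in the train-station demo did; the only thing standing between it and an approval is the issuer recomputing the cryptogram, and the last line shows what happens when that check has been turned off.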
Now this isn’t a problem for any of the banks that we work with, since none of them use SDA and haven’t for a long time. But I’m unsympathetic to the banks that are still issuing SDA cards. Perhaps they made a poor choice of consultants to advise them on this, I don’t know, but just to be clear: the SDA threat is genuine and no-one should be issuing SDA cards.