Rather than increased emphasis on the card, or even the way we pay, more needs to be done to secure the terminal through which the transaction is processed.
As terminals get more complicated and can interact in more ways (bluetooth, cellular, NFC, chip) making sure that the software security on terminals is accounting for the new attack vectors is crucial. Producers, providers and maintainers of terminals need to ensure that software security is rigorously assessed on terminals and that threat models take new ways of attacking into account. Somewhat challenging is that tooling to support some of this assessment doesn’t exist or is easily accessible.
Traditional magnetic strip (magstripe) and signature based payment has suffered from fraud as it is relatively easy to create a cloned card. A simple swipe of a known good card and the fraudster is able to put whatever signature they choose on the new card. Additionally, if a card is stolen or found, it is easy for most people to make a passing forgery of the authorized signature as well, meaning that until the card is cancelled, it can be easily abused.
With Chip and PIN, the card contains cryptographic material that cannot be copied by anything interacting with the card such as a reader. The PIN is known only to the card holder and issuer and so allows financial organizations to have faith that the card holder was truly present for the transaction. This allows the burden of fraud to be pushed onto the card holder, in some circumstances, as it requires the disclosure in some form of the card PIN.
Chip and PIN has been widely adopted in the EU and seen uptake and awareness by consumers. Furthermore, banks have been able to use the Chip and PIN cards as authentication for online banking to provide one time tokens, further reducing online fraud.
To support the new cards, updated payment terminals are being rolled out. Payment terminals are hardened against a number of threats, particularly physical tampering. However, magstripe data is typically simple and attacks on terminals from malicious cards were not considered likely. With the introduction of Chip and PIN, terminals receive a lot more data from the chip on the card and the card can, to an extent, dictate what information it sends.
MWR InfoSecurity found that when assessing a number of popular payment terminals in 2012 that there were widespread software issues in terminals that allowed a malicious card to compromise the terminal. Such an attack allows an attacker to, for example, make it appear that a transaction had been approved or leave malicious code running on the terminal to collect card numbers and PINs.
Further research by MWR in 2014 found issues with mobile Point of Sale (mPOS) devices that provide card interaction hardware to tablets and mobile devices. An attacker could compromise these devices similarly to "full" chip and PIN terminals.
David Chismon is a senior consultant at MWR InfoSecurity.
