Blog article
See all stories »

An article relating to this blog post on Finextra:

Visa pulls Heartland and RBS WorldPay from PCI DSS compliance list

In the wake of revelations about major data breaches, Heartland Payments Systems and RBS WorldPay have been removed from Visa's list of Payment Card Industry Data Security Standard (PCI DSS) compliant...


See article

VISA expels Heartland and RBS Worlday from the world of PCI

In one report, RBS admitted that a hacker penetrated a server at their payment processing unit. No one has really provided the details as to how the wise-guys got a hold of the pin-codes. 

My theory is that RBS kept authorization message data that enabled the wise-guys to get the customer pins. Assuming of course that RBS did not store the clear text value of the pin-codes entered, one guess is that the pin-blocks and offsets (since cards in the US are pin-configurable) were logged and stored by RBS. This is called ‘pin block’ hacking. 

Although the PIN BLOCK value is a result of a transformation and encryption, keeping this data in a server compromises the customer pin code. What if the hacker also ran through ‘his own’ card and extracted the resulting pin block from his own transaction? Or what if the wise-guy tapped a couple of pin-codes from specific ATMs or POS terminals that use RBS as a processor and extracted the corresponding pin blocks stored by RBS? That would be a way to get the AWK (acquiring working key). But if the hacker already had the AWK, then the customer pin-codes can be programatically obtained from the PIN-blocks. There are other simple ways to determine the customer pin-codes, sometimes depending if the atm is owned by the same issuing bank and by using the offset value if the payment processor is different from the issuing bank.

And whether or not RBS stored these pin-blocks, RBS needed to receive them, decrypt them, encrypt them again and send them to the Issuing Banks especially if RBS is not working as a stand-in for the Issuing Banks. The transmission of pin-blocks from the ATM or POS to RBS, then RBS to the Issuing Banks are all points where pin-blocks can be compromised. One report actually stated it was network tapping and not server hacking.

So now that we can reasonably assume that PIN BLOCKS were compromised, the next question is how could they have possibly gotten away with $9 million with cloning 100 cards and using them in 49 cities in about 30 minutes? That’s $90,000 per card account. Well they did say 100 cards cloned but this does not tell us how many times each card account got replicated. One report also says that the hacker was able to remove the daily withdrawal limits of the cloned cards. The person or persons that did this have knowledge of 7813 or the issuing banks' daily limit check processing or both. Either they picked cards that had no restrictions or they were smart enough to change the service codes and some data in track 3 to remove the daily withdrawal limits and geographical zone usage restriction, in the process of encoding the cloned mag-stripes with the slight modifications. Other parameters (which I would rather not say in detail) can also be changed.

In addition, some reports say that fake deposits were used to ‘load’ the balance on these payroll cards. Well, this is another loophole that has more to do with the acceptance, clearance of deposits and the checking of daily limits by the issuing bank’s authorization system. This is where user limits (or customizable controls by the bank’s risk mgmt team with direct input from cardholders) could have prevented such a payout for the fraudsters.

Is the magnetic-stripe the culprit? I am of the opinion that you can actually use a non-chip card (with just a mag-stripe) and secure it strongly with one-time pin-codes that are validated by the issuing bank’s server. No matter how many times the mag-stripe is copied or cloned, the card account cannot be used without the input of a valid one time use pin-code that has a limited life and is not replayable. Enabling the easy management and customization of card account features (limits and prohibitions) such as daily withdrawal limits on the issuing bank’s authorization level  (even better with input from the actual cardholder), can prevent the $9-million-in-30-minutes-heist. Therefore, the resulting damage could have been a mere fraction of this if the limit and prohibitions were properly set on the issuing banks' level and tested on a real-time basis. Perhaps, RBS and Heartland can respectfully point this out on their way to the gallows.

Is EMV the solution to this problem? Answer to this is simply as long as there are POS or ATMs that accept mag-stripes, then the answer is no. This is also assuming that the chip cannot be cloned or cannot be tampered with. But just as the SDA has been subverted which prompted the French issuers to upgrade to DDA, cloning or tampering of the chip is not impossible. Like with any project, it all depends on how much profit one can get out of a project that results into the successful cloning or tampering of the chip. At this time, there are enough mag-stripes and readers and other loopholes that the fraudsters can use. I suspect that work is already underway to successfully duplicate the chip or tamper with the chip.

It is difficult for Europeans to understand the seemingly obstinate Americans who prefer to sign their card payments. One would have had to live there to understand the many reasons why this is so. But here are some of the reasons for mag-stripe and signature.

* In the U.S., federal banking regulations do not require banks to offer the same protection on debit-card (pin-based) theft  as they do on credit-card (signature-based) theft. Consumers are advised to avoid using the PIN but to use the debit card as a credit card (which is signed).

* In the U.S., a consumer has 9 cards on the average. Imagine 9 different pin-codes for 9 cards!

* One personal observation relates to T&E card transactions. For example, restaurant bills in the U.S. are not totaled and require signatures. The tip is always added to the bill and the cardholder can enter any tip amount he wants to give to the server, then sign. I might add that in the U.S., tips MUST be added! How can you possibly do this with a hand-held terminal that a server in Europe carry around with him/her?

* With the lack of pin-codes, fraudsters would have to not only clone the mag-stripes but must also do way beyond white-plastic fraud. In addition to creating authentic looking cards (with the bank logo, embossed card number and name), fraudsters must also come up with an official-looking ID card to match the name on the fake card.

* Without a pin, the card is useless to fraudsters that want to do cash withdrawals.

* You might say that Americans still do need to withdraw cash from the ATM machines. Well, funny thing is that in the U.S., card schemes explicitly prohibit merchants from requiring minimum credit card charges. Now that I think of it, I hardly had any cash with me while I lived in the Bay Area. Anyway, enough of them Americans…

6521

Comments: (21)

A Finextra member
A Finextra member 18 March, 2009, 16:54Be the first to give this comment the thumbs up 0 likes

Wot?

Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney 18 March, 2009, 18:34Be the first to give this comment the thumbs up 0 likes

Marite wrote:

Is EMV the solution to this problem? [As] long as there are POS or ATMs that accept mag-stripes, then the answer is no. This is also assuming that the chip cannot be cloned or cannot be tampered with. But just as the SDA has been subverted which prompted the French issuers to upgrade to DDA, cloning or tampering of the chip is not impossible.

Two things.

Firstly, to say that EMV doesn't fix the problem because ATMs still accept mag stripe is to misrepresent EMV.  The whole point of chip is that mag stripe is insecure.  Issuing cards with both EMV and mag stripe is a simple tradeoff of accessibility vs. security.  The  weaknesses in that hybrid system cannot be blamed on EMV; rather, they prove the need for chip don't they?!

Secondly, there is no absolute assumption that EMV chips "cannot be cloned".  The important thing is that they are much much harder to clone than mag stripe.  Nothing is perfect; there is an arms race going on.  Marite seems to think the upgrade from SDA to DDA is a sign of insecurity, but really it was a sign of continuous improvement.  

Can you point to a known example of the better DDA chips being subverted?

A Finextra member
A Finextra member 18 March, 2009, 19:24Be the first to give this comment the thumbs up 0 likes

Hi Stephen, I was not blaming EMV. My point is that at the moment and for several reasons, some of which I mentioned, other countries choose not to implement chip and pin which means that the card acceptance in these countries is still predominantly mag-stripe based. I hope that I was able to explain why the mag-stripe is alive and well in th U.S.

I have not heard of a DDA cloning case. But no one can rule out that it cannot happen or at the very least, fraudsters will find a way to tamper with the chip. There's just not a business case at the moment for fraudsters to fully invest their time to subvert the chip when they can easily benefit from several weaknesses. In this particular case, the weakness was not only the exposure of the PIN-BLOCKS but also inadequate card management (daily limits and usage in multiple countries) on the side of Issuing.

Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney 19 March, 2009, 00:12Be the first to give this comment the thumbs up 0 likes

OK, so the answer to the question "Is EMV the solution to this problem?" should be YES!  Take away the mag stripe and the vulnerability is mitigated.

And when you say "cloning or tampering of the chip is not impossible" without being able to point to an actual attack, then all you're doing is spreading FUD.  Any security technology can be said to be vulnerable.  That's just a statement of the bleeding obvious.  Yes, when EMV penetrates fully, criminals will concentrate on the chips.  But we all know that, and smartcard manufacturers have a long history of knowing and responding to threats (like differential power analysis, and timing analysis attacks).

Smartcards are smart; they can tell what's going on around them, and can be programmed and upgraded to respond to threats.  They provide a platform in which we can respond to criminals' attack modalities as the arms race evolves.  Mag stripe technology on the other hand is a dead end.  I'm surprised anyone would advocate extending it any further.

A Finextra member
A Finextra member 19 March, 2009, 10:01Be the first to give this comment the thumbs up 0 likes

 

From AmericanBanker, January 30, 2009 :

""The U.S. is going to adopt EMV in about the same way the U.S. adopted the metric system — somewhere between kicking and screaming and not at all," said Ed Kountz, a senior analyst at the technology research company Forrester Research Inc. of Cambridge, Mass.

The cost of card fraud is not great enough to justify the expense of changing the enormous card-acceptance infrastructure nationwide, Mr. Kountz said. "It doesn't seem to have hit a tipping point where it's impossible to bear."

Kevin Gillick, the executive director of GlobalPlatform, a trade group for the smart card industry, also voiced doubt that contactless technology would open the door to EMV in this country, at least in the near future.

"America is not going to be moving to EMV, not anytime soon. The current infrastructure is considered secure enough and fraud losses are written off as a cost of doing business," Mr. Gillick said."

Stephen, your advocacy to EMV is understandable. For countries that issue only chip and pin, why don't they just remove the mag-stripe then? Don't you think that this is one way to protect non-US issued chip and pin cards?

But going back to the U.S., consider the following :

- consider the cost of issuing SDA chips. in addition to the $4.00 per chip cost to the issuer, one needs to consider the time and effort required to implement EMV. By the end of 2008, it is said that 48 million Discover cards and 47 million AMEX have been issued in the U.S. By end of 2006, there were 984 million visa and mastercard issued in the U.S. We're looking at approximately over $4 billion in the actual chip issuance cost alone.

- consider that the average interchange fee in the U.S. is 179 basis points (1.79%). compare this to the uk (european mif) rate, which went down to 79 basis points because of chip and pin.

- consider the investment on the merchant/acquiring side to upgrade all the atms and terminals in the U.S. A certain effect would be a demand to slice the interchange fees to the same level as Europe's. 

- consider that in 2007, U.S. issuers earned $42 billion in interchange fees. That's approximately $38.18 per card. If interchange fees were to go as low as europe's, then you would be looking at $18.5 billion which would be approximately $16.8 interchange fees earned per card.

- consider that by end of 2006, total card fraud losses were estimated to $990 million approximately 90 cents per card. Compare this with the cost of issuing chip and the potential loss of interchange fee revenue, then perhaps one can understand why the mag-stripe’s life is extended in the U.S.

 

Joe Pitcher
Joe Pitcher - Irrelevant - Wirral 19 March, 2009, 11:25Be the first to give this comment the thumbs up 0 likes

"$4.00 per chip cost to the issuer" now that is what I call card fraud!

Where have you got that number from?

A Finextra member
A Finextra member 19 March, 2009, 11:36Be the first to give this comment the thumbs up 0 likes

From a business presentation given by a vendor. 

EMV - DES, single app, SDA - $1.00

EMV - PK, single app, SDA/DDA  - $2.00

SDA, multi-appl - $3.50

SDA/DDA, multi-app / contactless - $4.00

Joe Pitcher
Joe Pitcher - Irrelevant - Wirral 19 March, 2009, 11:54Be the first to give this comment the thumbs up 0 likes

So rather than use the correct number you to chose to go for the price attributed to a multi app contactless card? 

$1 per card is about right - to say the cost for SDA is $4 is misleading to say the least, no wonder the US business case doesn't stack up if this is the way it's prepared!

A Finextra member
A Finextra member 19 March, 2009, 12:01Be the first to give this comment the thumbs up 0 likes

why would you recommend SDA!?

That pricing is just the cost of issuance and its not my pricing. There's more work and money involved on the acceptance side. The hard sell is for contactless DDA since 'they' think that contactless might precipitate the move to EMV. 

Misleading? I dont think so. But don't shoot me, I'm just the messenger. I do not sell smartcards.

Joe Pitcher
Joe Pitcher - Irrelevant - Wirral 19 March, 2009, 16:05Be the first to give this comment the thumbs up 0 likes

" consider the cost of issuing SDA chips. in addition to the $4.00 per chip cost to the issuer"

 

Marite, I did not recommend SDA or express any opinion on what the right solution is, I merely pointed out a flaw in your argument. You stated that SDA costs $4 per chip - this is incorrect and misleading, as your own figures clearly show.

I don't sell chips either, I just like informed debate which presents facts correctly.

 

A Finextra member
A Finextra member 19 March, 2009, 16:37Be the first to give this comment the thumbs up 0 likes

Oh I see. I apologize. My error! I meant DDA! Typed too fast and didn't have time to proof. -marite

Adam Nybäck
Adam Nybäck - Anyro - Stockholm 19 March, 2009, 22:16Be the first to give this comment the thumbs up 0 likes

"* One personal observation relates to T&E card transactions. For example, restaurant bills in the U.S. are not totaled and require signatures. The tip is always added to the bill and the cardholder can enter any tip amount he wants to give to the server, then sign. I might add that in the U.S., tips MUST be added! How can you possibly do this with a hand-held terminal that a server in Europe carry around with him/her?"

This is already done in Norway. The customer inserts (or swipes) the card in the hand-held terminal, the amount without tip is displayed, the customer enters the total amount including tip and finally enters the PIN-code.

Sweden is about to implement the same behaviour.

 

"* With the lack of pin-codes, fraudsters would have to not only clone the mag-stripes but must also do way beyond white-plastic fraud. In addition to creating authentic looking cards (with the bank logo, embossed card number and name), fraudsters must also come up with an official-looking ID card to match the name on the fake card."

As far as I know, Visa/MasterCard does not require the cashier to check the ID-card. The requirement is only to check that the signature on the receipt match the signature on the payment card.

In Sweden, ID-cards are typically only required for amounts above ~€20, but not for foreign cards. However, it's very rare to see a cashier match the signature on the receipt with the signature on the payment card. The customer will usually get the payment card back before signing the receipt.

In Norway you are only required to check the ID card for offline purchases (which rarely happens) and then the ID is usually printed on the back of the payment card.

Most payments in Scandinavia are made online with PIN verification though.

It would be interesting to see some statistics about the various national rules/practices regarding ID check and signature matching.

Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney 19 March, 2009, 22:59Be the first to give this comment the thumbs up 0 likes

Thanks for all that detail Marite, but it's a strawman.

You asked rhetorically at the start whether EMV can fix a particular fraud problem.  You said no. 

One of the weaknesses in your argument was that you conceive of "EMV" cards as still having magnetic stripes.  So to be fair, EMV (chip) really would fix the problem.

Then you changed tack, and argued that EMV is hard to get going in the US.  Fair enough, yet the answer to the question Would EMV fix the fraud problem? is still yes.  

We need to separate the technical issues and the business issues in these debates.  Most online identity fraud modalities are based on the same underlying vulnerability: personal data (the lifeblood of e-business) is replayable, and receivers find it difficult to tell the data's pedigree.  To fix this problem properly we need new ID technologies.  If the business case for switching to new technologies cannot yet be made, then so be it.  In the interim, you can try to squeeze more life out of magnetic stripe cards, or try other stop-gap fixes.  But if you're trying to position some alternative to chip, then you need to be clear about how it compares on business criteria and how it compares on technology criteria, and not get them all mixed up in a messy and exagerated anti-EMV rant.

 

A Finextra member
A Finextra member 20 March, 2009, 09:29Be the first to give this comment the thumbs up 0 likes

I think I was far from ranting as I brought out the numbers that decision-makers look at in the course of making business decisions. 

One size does not fit all. Again, your passion for EMV is understandable but there are other solutions that can work better than EMV in other situations. Saying this does not mean that I am anti-EMV, which you seem to think that I am. I see a lot of use for the chip and pin. We do work with EMV! We have it incorporated into our of our products! It would be foolish of me, or for anyone for that matter to be anti any solution / system that benefits the market.

My as you say 'messy' explanation of why the U.S. is clinging on to mag-stripe should help answer the frequent questions of why americans are still doing signature.

In 2006, reports state $1 billion of U.S. card fraud for a volume of $1,530 billion. Even I did a 'double-take' on these numbers. Compare this to 2007 APACS numbers : £0.535 billion of card fraud for a volume of £224 billion and even I suspected that $1 billion of card fraud in the U.S. is a gross understatement. Then I realized that card usage and payment behaviour might also have a lot to do with maintaining a low level of fraud (less pin, less fraud).

The current reality of it is that it would be better to think of other (as you say) 'stop-gap' fixes while the chip and pin industry can think of a way to make the business case for EMV attractive to U.S. businesses. As it stands, a change in payment security can offset and upset existing revenue streams. For example, the European implementation of chip and pin resulted to a decrease in card issuing revenues specially for issuing banks that did not charge card annual fees.

It is always my intent to expose possible explanations to questions and issues related to card, payment and online security or at the very least start a healthy discussion which I hope is also informational. I do apologize for what you call my 'mess' and 'rant' but I thank anyone that contributes to this discussion.  :-) cheers, Marite

A Finextra member
A Finextra member 20 March, 2009, 10:20Be the first to give this comment the thumbs up 0 likes

"As far as I know, Visa/MasterCard does not require the cashier to check the ID-card. The requirement is only to check that the signature on the receipt match the signature on the payment card."

There might be some transactions where the cashier forgets to check but VISA/Mastercard always required that the signature be checked. However with recent changes in the U.S., pin/signature is waived for small transaction amounts.

A Finextra member
A Finextra member 20 March, 2009, 10:41Be the first to give this comment the thumbs up 0 likes

1. EMV terminals in restaurants in the UK are able to do that tipping thing - provided the functionality is turned on.  All terminals aimed at the restaurant (and similar) trade are certified for this by the acquirers.

2. I will ask the question again - does anyone know how this fraud was facilitated?  I don't mean tell me how to do it, I mean explain the principles, as I can't see how all of this could have been put together - it makes no sense!!!  And if it is a news item without substance, then we are all looking at issues that don't actually exist.

3. And I still don't get where the PINs came from.

 

 

Paul Penrose
Paul Penrose - Finextra - London 20 March, 2009, 11:05Be the first to give this comment the thumbs up 0 likes

We've been asking the same questions of RBS, but the bank has adopted an ultra-firm no comment policy. The fact that they don't deny the substance of the story outright, or try to massage perceptions, indicates a very serious breach.

A Finextra member
A Finextra member 20 March, 2009, 11:09Be the first to give this comment the thumbs up 0 likes

Hi David,

The PIN-Blocks, offset were compromised. It's called Pin-block hacking. This is nothing new. It has happened before. This can be done by hacking the server or network tapping. 

The lifting of the daily limits can be done by changing the service codes and track 3 prior to encoding it AND if there isn't a check done on the issuing level's authorization (or the  stand-in). 

A Finextra member
A Finextra member 25 March, 2009, 09:27Be the first to give this comment the thumbs up 0 likes

Hey ...

So PIN block hacking takes place as the authorisation request is on its way through the acquirers' systems, en route to multiple issuers; because clearly the acquirer won't be storing the PIN blocks, and the hackers will be hard pushed to infiltrate multiple issuer hosts.  Or is the PIN block hacking you are referring to that which applies to issuer databases - which is what I suspect?  But if they are hacking multiple issuer databases, they will need multiple issuer keys - it's one thing to have a single vulnerability at a single acquirer, but something completely different to have the same vulnerability across multiple financial institutions.  That would be corporate stupidity on a massive scale!  No matter, the weakness in all of these cases is the apparent availability of the keys / algorithms necessary to retrieve the PINs from the PIN blocks.

I thought the use of track 3 was consigned to the scrap-heap in the 1970s and 1980s.  I began working with ATMs in 1986, and the use of track 3 was long gone then - unless it was one of those banking secrets and I wasn't one of those who needed no knpow.  However, if there are numptie (intellectually challenged) banks that are still supporting this as a means of limiting cash withdrawals, especially in a global ATM environment that demands online authorisations, originating in a nation that requires all transactions to be authorised online, then I guess they deserve all they get.

So this fraud looks like it was the result of transaction sniffing on unencrypted acquirer communication lines [non card related security issue], with easy access to the acquirer working keys (which should be different for each ATM) [non card related security issue], and the ability to override the requirement for online authorisation [non card related security issue], not to mention the use of track 3 as a withdrawal restriction mechanism [I'm not sure if this is a card-related issue or not].

I have no reason to doubt Marite's knowledge of the US payments landscape, and assuming it is all true, it seems to me that the banks got exactly what they deserved - and long may it continue.  This is the banking mentality that is resisting the adoption of EMV, on the grounds that it is expensive, it doesn't do the job, and anyhow, there aren't any problems with transactions in the US.  

All that remains to be said I think, is: International Liability Shift - bring it on!

A Finextra member
A Finextra member 25 March, 2009, 10:46Be the first to give this comment the thumbs up 0 likes

You're right. Track 3 is suppposed to be a dead track. But in case it's still encoded, that's where the amount per cycle and international capability are tagged. The service code in track 2 helps determine the ATM and international capability as well. What happened sounds like the fraudsters did a bit of research and experimentation prior to the 30 minute caper to find out 'which' did not properly check amount per cycle; amount remaining in this cycle,... 

A Finextra member
A Finextra member 26 March, 2009, 09:24Be the first to give this comment the thumbs up 0 likes

So ...

does anyone know of any ATM anywhere in the world that dispenses cash based on offline authorisations against track 3?

 

Blog group founder

Retired Member

Member since

19 Mar 2009

Location

Blog posts

6,023

Comments

6,224

This post is from a series of posts in the group:

Transaction Fraud Systems and Analysis

A community for discussion of Transaction Fraud systems and anlaytical techniques for bank card and financial services organisations.


See all