Thursday, February 28, 2008

Ross Anderson's attacks on Chip and PIN

One of the risks of security research is that some people will read the paper by Ross Anderson and others on PIN Entry Device (PED) vulnerabilities and conclude that Chip and PIN is utterly broken and a complete waste of time.

The attack is certainly serious in that it allows a criminal to profit. But it does not return us to square one. The attack exploits two facts: the standard Chip and PIN protocol does not require the PIN to be encrypted between the PED and the card, and the cards are designed to work with legacy payment devices and ATMs that only use the PIN and magnetic stripe.

This is certainly a vulnerability, but not a fatal one. The best way to close the loophole would be to deploy Chip and PIN in every country and withdraw use of the magnetic stripe. This would require considerable political commitment, particularly in the US where the anti-trust laws and the structure of the banking industry make deployment unlikely to occur without pressure from a strong administration.

Encrypting the communication between the PED and the card is another countermeasure, highly desirable in its own right. Unfortunately, as the paper explains, it would be necessary to sign the statement of card capabilities that advertises support for encrypting this communication, or the system would remain vulnerable to a downgrade attack.
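The downgrade problem can be modelled in a few lines. The following is an added example, not code from the paper or from the EMV specifications: the capability labels, function names and the toy textbook-RSA key (a stand-in for an issuer signature, far too small for real use) are all assumptions made for illustration.

```python
import hashlib

# Toy textbook RSA key (two Mersenne primes, no padding): a constructed
# stand-in for the issuer's signing key, not suitable for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent

ENCIPHERED, PLAINTEXT = "enciphered_pin", "plaintext_pin"  # hypothetical labels


def digest(capabilities):
    """Hash the capability list into an integer below the modulus."""
    data = ",".join(capabilities).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def issue_card(capabilities):
    """Issuer personalises the card: capability list plus a signature over it."""
    return {"capabilities": list(capabilities),
            "signature": pow(digest(capabilities), D, N)}


def strip_encryption(statement):
    """Model of the downgrade: the enciphered option is removed in transit."""
    tampered = dict(statement)
    tampered["capabilities"] = [c for c in statement["capabilities"]
                                if c != ENCIPHERED]
    return tampered


def terminal_select(statement, require_signature):
    """Terminal picks the strongest PIN method the card claims to support."""
    if require_signature:
        expected = digest(statement["capabilities"])
        if pow(statement["signature"], E, N) != expected:
            return "abort: capability statement not authentic"
    if ENCIPHERED in statement["capabilities"]:
        return ENCIPHERED
    return PLAINTEXT


if __name__ == "__main__":
    card = issue_card([ENCIPHERED, PLAINTEXT])
    tampered = strip_encryption(card)
    print("genuine, verified:   ", terminal_select(card, True))
    print("tampered, unverified:", terminal_select(tampered, False))
    print("tampered, verified:  ", terminal_select(tampered, True))
```

A terminal that does not verify the statement silently falls back to plaintext PIN, while a verifying terminal refuses the altered list and still accepts a legacy card whose signed list genuinely offers only plaintext.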

I am far from convinced that PIN capture represents a significant vulnerability even when dealing with legacy systems. Here in the States it is not necessary to use a PIN for a credit card transaction. The only transaction type for which the PIN is required is a cash advance or ATM cash withdrawal. If the banks find that fraud due to this particular attack rises to the point where it is comparable to the cost of deploying encryption-capable cards, they should certainly do so.

It is quite likely that the EMV specification designers anticipated this particular set of circumstances, did a security evaluation and decided that it was an allowable first-generation risk. The problem is that if there is a statement to that effect, it has been lost in the thousands of pages of documentation on EMV. As the authors point out, there should be a single compact security guide that brings such considerations together in one place.

The lack of adequate documentation is not just a cost for administrators and implementors; it is frequently an indicator of the quality of the result. It is likely that the usability of UNIX would have been rather better if the original development team had included one member tasked with writing documentation for eventual end users.

The authors are also justified in their skepticism as to the effectiveness of a certification process where the vendors choose the certification lab. The incentive for the laboratory is to allow the vendor to acquire certification at the lowest cost.

GCHQ has recognized this problem and requires the results of testing to be made public in order for Common Criteria certification to be granted. This is an important distinction because it means that the testing laboratory can be held accountable should researchers subsequently discover a vulnerability that the laboratory should have detected. The devices in question are merely 'evaluated', not 'certified', a distinction that does not appear to have been widely appreciated outside GCHQ.
