By Ray Birch
MOUNTAIN VIEW, Calif. — Researchers at MWR Labs recently demonstrated that EMV POS terminals can be compromised, claiming a chink in chip card armor.
While payments analysts are split over whether the MWR finding actually uncovers a real threat to smart card processing, they agree that what MWR demonstrated at the Black Hat cybersecurity conference in Las Vegas indicates that given time and focus, cybercriminals will find a way to compromise any fraud-fighting tool.
“In my opinion, what MWR has found is a valid vulnerability,” said Chris Silveira, manager of fraud intelligence for Guardian Analytics. “Yes, there is some cumbersomeness to the process the researchers used at the show to demonstrate how to steal chip card data, and they did focus mostly on mobile card readers. But they have proven that you can compromise the EMV process.”
According to a CNN Money report, the London-based MWR was able to get EMV terminals to work counter to their programming, which is to encrypt PINs as they are typed in and not store card data. MWR inserted a smart card carrying malware into a POS machine; the card injected a command to stop encrypting PINs and to store all subsequent credit card swipes in computer memory.
Then, according to the scenario MWR demonstrated, as the POS machine gathers data during the day, a hacker returns later with another card that extracts the payment data out of the terminal.
“What we are seeing with this demonstration is that the chip cards could be fantastic, but there could be problems with the readers,” Bill Hardekopf, CEO of LowCards.com in Birmingham, Ala., told CUToday.info.
Good To ID Weakness Now
Robert Hackney, president of CSCU in Tampa, Fla., said that while he does not see the potential fraud angle uncovered by MWR as significant, it is good news that the weakness in the EMV process has been identified now.
“This does represent a chink in EMV’s armor, but we have found it out before the October 2015 liability shift,” said Hackney. “This gives manufacturers of terminals that have this weakness time to work out any issues. I think the terminal providers, at least from a liability standpoint, would want to get this worked out.”
MWR found the weakness in Miura Shuttle handheld point-of-sale terminals, popular hardware that is sold by vendors under many other brand names. CNNMoney reported that terminal vendors were working to fix the issue, but that it’s up to merchants to update their systems, which does not happen often.
But some analysts say there is little to fear from the Black Hat demonstration, arguing that what MWR pulled off is too cumbersome and difficult for most hackers to want to attempt.
Art Harper, director of card payment solutions at PSCU, St. Petersburg, Fla., thinks the MWR demonstration was simply a show.
“At this meeting, apparently, they try to hack into something new every year,” said Harper. “Last year it was ATMs, this year EMV, and next year it will be something else. This does not mean that crooks can, or will want to, do this widely. I don’t see this as a concern.”
Harper pointed out that the MWR demonstration also involved a circuit board and a laptop, along with the chip card that contained malware. “That is a bunch of equipment to pull off the theft, and I can’t imagine a store clerk would not be standing by somewhere and notice this.”
For many of those same reasons, Brandon Kuehl, senior product manager at The Members Group, Des Moines, Iowa, does not see the fraud tactic uncovered by MWR as a real threat. “I don’t see this as anything to be concerned about.”
But Hackney and Silveira do not rule out that hackers could refine this fraud process to make it simpler to execute, therefore making it more attractive to criminals.
“That is definitely possible,” said Silveira.
He pointed out that Cambridge University researchers in 2010 uncovered a few vulnerabilities with EMV, one similar to the threat exposed by MWR.
“They showed it was possible to perform a man-in-the-middle attack at the POS terminal to steal the card data,” he said. “Back then everyone said this fraud tactic was complicated and crooks would have to get the malware installed on all these different POS terminals to get a lot of data. Well, what have we seen in the last year? That’s exactly what happened with the Target, Home Depot and Goodwill compromises.”
Don't Slow EMV Rollout
But all analysts agreed the potential threat is no reason to slow movement to EMV. “This should not impact the rollout of EMV,” said Silveira.
CNNMoney reported that MWR, which works closely with the financial industry and governments, has yet to observe this tactic used by criminals.
Tom Davis, SVP of finance and technology at CSCU, reminded that it is still easier for criminals to focus on mag stripe.
“Which is why we may not have seen this hack yet from fraudsters. But it has been proven that EMV has reduced fraud in countries where it has been rolled out. It has made it harder for criminals to get as much money. We believe EMV is the best insurance policy for our credit unions and financial institutions, and tokenization will help further. EMV makes the fraudster look somewhere else to get the money more easily—and if you don’t convert to EMV when most others do you are opening the door to more risk.”
Kuehl added that EMV “is not perfect, but it really does make it hard to counterfeit a card, which is a big chunk of fraud.”
Bill Lehman, SVP of sales and consulting at CSCU, focused on EMV and tokenization, which experts see as putting a real dent in card fraud.
“I don’t think anyone sees EMV as the single savior,” offered Lehman. “When we look at countries that have converted to EMV we see the fraud shift to card-not-present, which is what tokenization addresses well.”
Hackney summed up the task ahead: “We just have to keep building the wall of security around the card.”