David Preiss

Christian Armistead

Disclaimer — This paper partially fulfills a writing requirement for first year (freshman) engineering students at the University of Pittsburgh Swanson School of Engineering. This paper is a student, not a professional, paper. This paper is based on publicly available information and may not provide complete analyses of all relevant data. If this paper is used for any purpose other than these authors’ partial fulfillment of a writing requirement for first year (freshman) engineering students at the University of Pittsburgh Swanson School of Engineering, the user does so at his or her own risk.


SMART CARDS: A STEP FORWARD IN DATA SECURITY

David Preiss, ,Mahboobin 10:00,Christian Armistead, ,Lora 3:00


Abstract---Americans have enjoyed the ease of swiping cards to pay for their purchases for a long time. However, such an ingrained action may become outdated with the widespread adoption of smart card technology, specifically EMV smart cards. In 2014, the transition to this technology was initiated to reduce fraud. The smart card does an effective job of covering the weaknesses of the obsolete magnetic stripe. Whereas the magnetic stripe simply holds information, the smart card has a microchip that enables it to communicate with the reader, rather than just be read, allowing it to confirm a transaction is secure. Currently, the biggest weakness of smart cards is their backwards compatibility; they still have magnetic stripes to be used on older readers, which can still be exploited. Once this technology has fully been applied and the magnetic stripe removed, fraud is expected to decrease significantly. However, this transition comes with a great cost, a liability shift from banks to retailers in the event of fraud, and possibly increased time to complete a transaction. With the transition process from magnetic stripes to EMV chips almost complete, now is a good time to reflect on the process so far, and make predictions of the long-term benefits of EMV chips.

Key Words – EMV, PINs, Magnetic stripes, Chips, CAP, Encryption

THE DOWNFALL OF MAGNETIC STRIPES

Traditional Magnetic Stripe

Magnetic stripes were originally used on paper tickets by the London Transit authority in the 1950s [11]. They were then repurposed for identification purposes by the CIA. Magnetic stripe equipped bank cards were first introduced in 1970 by American Express to decrease the time required to complete a transaction. It previously took days via a Zip-Zap machine, a machine which imprinted the numbers on a card onto carbon copy sheets to create multiple receipts, which were then delivered to a bank [11]. Because this was a long multistep process, there were multiple opportunities for fraud to take place. As the price to make these magnetic stripe cards decreased to reasonable rates of roughly five cents a card in the 1980s, Visa and MasterCard switched to magnetic stripe based cards [11]. With these new magnetic stripes, transactions took seconds rather than days, and account balances could be checked and cards rejected [11].

How magnetic stripes work

FIGURE 1 [4]

Example of F2F Encoding on a Magnetic Stripe

The magnetic stripe on a typical bank card contains the owner's name, account number, card number, expiration date and CVC (card verification code). Information in the magnetic stripe of a card is stored by altering the polarity of particles in the stripe to define a bit [9]. There are multiple encoding schemes that can be employed. In F2F encoding, a bit is a set length of particles, and the binary values are determined by the presence or absence of a polarized particle in the center. There will be roughly 200 bits per square inch of the magnetic stripe [9]. How the bits are used to store data depends greatly on the type of data stored and the method used to read it. This is because an integer value as large as 2.1 billion can be stored in 4 bytes, or 32 bits, while a single character value component of a string variable is a whole 2 bytes of memory, or 16 bits. Because of the limited storage space, encryption of data on a magnetic stripe is not commonly applied. A typical card has three tracks, or rows, of data. Track one holds all data related to the account, stored in 7-bit characters. Track two contains the same data, but in 5-bit characters. Track three was intended to store the account balance and be rewritten after every transaction, but it is seldom used [10]. Since this stripe contains all the information needed to make a purchase, a criminal simply needs to make a copy of your card to make fraudulent purchases, and with how elementary the magnetic stripe is, criminals can and do copy cards.

Weaknesses of the Magnetic Stripe

FIGURE 2 [10]

The Disguised Shell of a Card Skimmer

FIGURE 3 [10]

The Internals of a Card Skimmer Within its Shell

Although the magnetic stripe was a massive improvement over its predecessor, the magnetic stripe system is in need of replacement because of its age and simplicity. Simplicity itself is not inherently a problem, but because the technology is all old and primitive, criminals can cheaply commit fraud for large gain. One such practice criminals utilize is card skimming. Card skimming is the practice of hacking or rigging card reading infrastructure to collect account information. A cheap prebuilt card reader can be purchased online and can be simply modified to be a skimmer. All that must be done to have a functional card skimmer is removing the internal components from the prebuilt scanner, adding a small power source, and a small flash storage unit. With the widespread use of 3D printing technology, all that some scheming criminal needs to do is print out an inconspicuous cover for their device, and attach it to an ATM, gas pump, self-checkout station, or anything else that people would use a bank card for. Some more elaborate devices may even have a fake keypad that records keystrokes to capture PINs, or contain tiny cameras that record PINs. In addition to simply modifying prebuilt readers, a makeshift card reader such as the one shown in figures 2 and 3 can be created out of a pair of audio read heads that read the differences in magnetic fields on the stripe and convert them into audio files to be decoded into account information later. One does not even have to have this small amount of technical knowledge to steal account information; anyone can buy pre-built devices on the black market that only need to be installed. Or, they could simply buy stolen account information from another criminal.

Another stratagem to compromise consumer accounts is working at high end restaurants and swiping clients’ cards before returning them. In 2011 a gang of 28 was indicted for a similar ploy. Seven waiters at a classy steakhouse in New York City extracted data from “black cards,” credit cards with high or no limit, by swiping them with miniature portable card readers that were kept in their pockets. Members of the ring then manufactured copies of the cards and fake IDs to use them. When this gang was finally busted, authorities seized more than 1.2 million dollars in cash, and over 1 million worth of goods from them [12].

Once the account information has been stolen, the perpetrator has a variety of options to get money. If they collected the data themselves, they could sell it as mentioned previously, or they could make clones of the card like in the steakhouse scheme. Because of how simple a magnetic stripe is to manufacture, this is quite easily accomplished. Once they have these cloned cards, they are tested on small purchases that are unlikely to trigger any alert. Once they are confirmed to work, they are used to make expensive fraudulent purchases; these luxury items are then resold. In addition, once they have the account holder's information, they may attempt to take out new credit cards in the victim’s name [13]. Even a fraudster without the knowledge to make a counterfeit card can still engage in CNP (card not present) fraud by making online purchases with stolen account information.

Credit and debit card fraud has almost entirely replaced bank robbery. According to Doug Johnson, the vice president of risk management policy for the American Bankers Association, the average haul for a bank robbery is between $3,000 and $4,000 [10]. Another estimate from the FBI in 2010 is an average of $7500 [13]. The money is recovered from 22% of successful bank robberies in the United States. Bank robberies were down significantly between 2004 and 2010, from over 7500 to 5500 [13]. While ordinary bank robbery has been declining, banks are being robbed even more through skimming practices; in 2011, the average skimmer brought home $50,000. Since banks do not guard every single ATM, the odds of getting caught are far smaller, the payout is larger, the amount of planning is lower, and the prison sentences are lower, if the fraud does not cross state lines.

The Final Straw

While the costs of random fraud were cheap enough for banks to put off upgrading infrastructure, large scale data breaches such as those inflicted upon Target, Home Depot, and Sony, may have been enough to cause banks to switch. In the Target hack alone, estimates of how many customers may have had their information stolen were as high as 70 million [1]. Target provided affected customers with one year of free credit monitoring and theft protection to attempt to make up for the actions of the hackers. According to a Target financial statement, the data security gap cost 252 million, but insurance coverage paid out 90 million, and tax deductions reduced the total loss to 162 million [14]. This is 0.1% of Target’s 2014 sales [14]. Since the main burden of the losses fell upon customers and banks, rather than Target, companies are not as greatly incentivized to have strong security. However, following these cyberattacks, the attention of Congress was drawn towards data security. Legislation proposed would require organizations to inform their customers of data breaches and penalize them for breaches, which would cause them to prioritize data security [4].

THE RISE OF SMART CARDS

History of smart cards

While EMV smart cards may seem new, the technology has been around and in use for decades. The invention of the smart card is difficult to attribute to a specific time or person, with claims pointing to multiple similar patents all filed in the late 1960s and early 70s. However, most sources agree that a lot of the credit lies with Roland Moreno, a French engineer who came up with the idea in his sleep. He filed for the patent on March 23, 1974, marking the most important invention of his career [17]. While there were companies such as Motorola developing smart cards within a few years, it wasn’t until the 1980s that they started seeing use. In 1986, the first standard for financial smart cards was the Carte Bancaire M4 from Bull-CP8 deployed in France. Jumping forward to 1994, a new standard for smart cards was published, called EMV for the three companies that authored it: Europay, MasterCard, and Visa. The code was written to be backwards compatible with preexisting systems such as the French Carte Bancaire and the German Geldkarte [17].

Over the next decade interest and use of EMV smart cards exploded across Europe, with these cards quickly becoming the standard for digital transactions. Other continents adopted the technology more slowly, with many Asian, African, and South American countries making the switch in the early 2000s. The US has used the technology for small scale closed financial and security systems but is only now seeing widespread use as a banking standard. Today, the EMV standard is managed by EMVCo LLC, which is equally owned by American Express, JCB, MasterCard, and Visa [17].

How smart cards work

When swiping a magnetic stripe card, the action is nearly instantaneous, because there is virtually no security. The magnetic stripe is quickly and completely read like a bar code. However, when using an IC chipped EMV smart card, you might notice that the card must stay inserted for a couple of seconds before it can be removed. This is because, unlike the magnetic stripe, where there is a direct and complete transfer of information, like a person reading a book, there is a back and forth interaction between the card and the reader. This is conceptually more akin to a conversation between two people who do not fully trust each other. Let’s take this systematically.

First the chipped card is inserted into the terminal. The card then performs a risk assessment based on how the issuer has programmed the chip. The terminal responds with its own risk assessment. The two risk assessments are compared. Then there is the determination to go online. When the transaction goes online, all the EMV related data is inserted into one new field in the messaging, referred to as field 55, and that data is passed all the way up through the authorization system [17]. Now in the authorization system, the issuer has new dynamic data that is generated for every transaction. The issuer then sends the terminal instructions that will vary from card to card [17].

Unlike magnetic stripes, which all have the same basic format to make processing easier, EMV chips do not all share the same information or storage method. The bank and manufacturer have a large amount of influence on the contents of the chip. In order for the terminal to read the chip, it has to analyze the contents and format, since these chips can store a massive variety of types of information in drastically different ways. This leads to a longer process to build software and hardware. Whenever an entity such as a payment network like MasterCard wants to create a smart card-based application, they need to register for an Application ID (AID). This accomplishes a few goals. Firstly, it establishes an international recognition for the ownership of that application. In addition, it also registers the application logic on the card. The role of the AID is to recognize what application is on the card and what operation rules it can follow based on that AID. That way, if a terminal identifies an AID on a card that matches one that is stored in its database, it initializes the procedure to process that card. Each corporate entity/application type has its own AID. Terminals for reading EMV chips come with a specific set already loaded onto them to ensure they can read common AIDs [17].

The AID is merely the gateway to the large amount of data stored on the chip. While these chips have far larger storage capacities than magnetic stripes, there isn’t any additional personal information stored on the chip; the extra space is just used for security purposes [17].

The formatting of information in the magnetic stripe of either a normal card or a smartcard is called CVC1 or CVV1 and is different from that of the chip, which is called Chip CVC. This means that if an inserted chip transaction is skimmed and printed to a fake magnetic stripe, it won’t work at all, but rather will trigger an alert [17].

Thus, the EMV standard provides what is called card stock security, in that it works to prevent the creation of functional counterfeit cards. Card stock refers to the physical card itself along with the default architecture and programs it has before being issued to a user. Even if a profiteering hacker got a hold of an already manufactured chip card that they wanted to copy a different card’s information onto, they’d first have to get past the security within the card itself before they could alter any of the programs on it. They would need a security key; these are keys that must be submitted to the memory of the chip before it can even be programmed. Even if an unissued card is stolen, it’s still completely useless without corresponding data keys [17].

Online card authentication method (CAD) is based on a cryptographic key shared between the card and the issuer. The terminal generates a random number, which both the issuer and the card use their keys to convert into another number; the card’s answer is sent to the issuer to compare to the issuer’s answer. If they match, the issuer can trust that the card is legitimate. Then the process is repeated with the issuer sending its answer to the card so that the card can trust that the issuer is legitimate. The issuer may also send additional commands back to the card along with this code, since both have been confirmed as authentic to each other at that point. As a result of this mechanism, anytime an EMV smart card is successfully used in a transaction, it will download any and all post issuance card updates from the issuer. This will help to rapidly respond if any bugs, exploits, or other flaws in the software of the card are detected.
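
The two-way challenge-response exchange described above, sketched as an added example that is not from the original paper or the EMV specification. HMAC-SHA256 stands in for the keyed conversion, which the paper does not name, and the class names, direction labels, account id, key, and command string are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

def answer(key: bytes, direction: bytes, challenge: bytes) -> bytes:
    # HMAC-SHA256 stands in for the keyed conversion (assumption; the paper
    # does not name the algorithm). The direction label keeps a card answer
    # from being echoed back to the card as if it were the issuer's answer.
    return hmac.new(key, direction + challenge, hashlib.sha256).digest()

class Card:
    def __init__(self, account: str, key: bytes):
        self.account, self._key, self.applied = account, key, []

    def prove(self, challenge: bytes) -> bytes:
        return answer(self._key, b"card->issuer", challenge)

    def accept(self, challenge: bytes, issuer_answer: bytes, commands: list) -> bool:
        # Apply post-issuance commands only when the issuer proved itself too.
        expected = answer(self._key, b"issuer->card", challenge)
        if not hmac.compare_digest(expected, issuer_answer):
            return False
        self.applied.extend(commands)
        return True

class Issuer:
    def __init__(self, keys: dict, pending: dict):
        self._keys, self._pending = keys, pending

    def verify(self, account: str, challenge: bytes, card_answer: bytes):
        key = self._keys.get(account)
        if key is None or not hmac.compare_digest(
                answer(key, b"card->issuer", challenge), card_answer):
            return None  # decline: unknown account or wrong answer
        return answer(key, b"issuer->card", challenge), self._pending.get(account, [])

def transact(card: Card, issuer: Issuer) -> str:
    challenge = secrets.token_bytes(8)  # terminal's fresh random number
    reply = issuer.verify(card.account, challenge, card.prove(challenge))
    if reply is None:
        return "declined"
    return "approved" if card.accept(challenge, *reply) else "aborted by card"

# Constructed sample data: one issued card and a counterfeit with a guessed key.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
ISSUER = Issuer({"acct-1": KEY}, {"acct-1": ["raise-offline-limit"]})
GENUINE = Card("acct-1", KEY)
COUNTERFEIT = Card("acct-1", secrets.token_bytes(16))
```

Because the terminal draws a new random number for every transaction, an answer recorded from one transaction does not verify against the next challenge, which is why skimmed chip data cannot simply be replayed.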