There’s no doubt that EMV is a great standard that has succeeded in providing a greater level of security for Cardholders, Merchants and Issuers alike. However, like anything that evolves there is always an element of junk DNA in the design. EMV has its fair share of junk DNA, the recent bad press (also read here) about Static Data Authentication (SDA) being broken is one such example. It didn’t take a rocket scientist to figure out that it was weak and susceptible to replay attacks but back then anything was better than a magnetic stripe. It came from a time of the early days of EMV, when more powerful cards that could support Dynamic Data Authentication (DDA) were significantly more expensive. This expense, coupled with the fact that most EMV capable terminals weren’t fast enough to perform DDA in an acceptable amount of time, meant that DDA wasn’t adopted as widely as it should have been.
Perhaps the most glaringly obvious security flaw in EMV is the CVM called “Offline Plaintext PIN”. The PIN is transmitted to the card for verification in the clear which places the burden of security (and cost) on the terminal Vendor and therefore the Merchant.
A large part of PCI PED, for example, deals with the PIN entry security environment. An attacker merely has to tap the card's I/O contact to pull all manner of cardholder information from the transaction, including the PIN. Some would argue that the compensating control for this is the fact that PIN pads are tamper responsive and tamper evident, but why take the risk when you have a much better CVM in "Offline Enciphered PIN"? The PIN is encrypted in the PIN pad under the card's RSA public key and transmitted to the card for verification, which is far more secure.
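To make the difference concrete, here is an added example (not code from the original post) that builds the VERIFY command both ways: the plaintext PIN block that a passive tap on the I/O line can decode directly, and the EMV enciphered PIN data (header 0x7F, PIN block, the card's unpredictable number from GET CHALLENGE, random padding) that only the card's private key can open. The RSA key is a constructed toy pair far smaller than a real ICC key, so the modulus length N_PE here is 27 bytes rather than 128 or more.

```python
import secrets
from typing import Optional

# Toy RSA ICC PIN-encipherment key built from two well-known Mersenne primes.
# Constructed for the example only: real ICC keys are 1024 bits or longer.
_P, _Q = (1 << 127) - 1, (1 << 89) - 1
N_ICC = _P * _Q                                 # public modulus (27 bytes)
E_ICC = 65537                                   # public exponent
_D_ICC = pow(E_ICC, -1, (_P - 1) * (_Q - 1))    # private exponent (card only)
N_PE = (N_ICC.bit_length() + 7) // 8            # modulus length in bytes


def plaintext_pin_block(pin: str) -> bytes:
    """EMV plaintext PIN block: control '2', PIN length, PIN digits, 'F' padding (8 bytes)."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    return bytes.fromhex(f"2{len(pin):X}{pin}".ljust(16, "F"))


def pin_from_block(block: bytes) -> str:
    """Decode a plaintext PIN block; the format is public, so no secret is needed."""
    digits = block.hex().upper()
    return digits[2:2 + int(digits[1], 16)]


def verify_apdu_plaintext(pin: str) -> bytes:
    """VERIFY (CLA 00 INS 20, P2=80) with a plaintext PIN, exactly as seen on the card I/O line."""
    block = plaintext_pin_block(pin)
    return bytes([0x00, 0x20, 0x00, 0x80, len(block)]) + block


def enciphered_pin_data(pin: str, icc_unpredictable: bytes) -> bytes:
    """EMV Book 2 recovery data 0x7F | PIN block | ICC UN | random pad, RSA-enciphered for the card."""
    if len(icc_unpredictable) != 8:
        raise ValueError("ICC unpredictable number (from GET CHALLENGE) must be 8 bytes")
    pad = secrets.token_bytes(N_PE - 17)         # fresh random pad: no two blocks repeat
    data = b"\x7f" + plaintext_pin_block(pin) + icc_unpredictable + pad
    return pow(int.from_bytes(data, "big"), E_ICC, N_ICC).to_bytes(N_PE, "big")


def verify_apdu_enciphered(pin: str, icc_unpredictable: bytes) -> bytes:
    """VERIFY (P2=88) carrying the enciphered PIN data instead of the PIN itself."""
    enc = enciphered_pin_data(pin, icc_unpredictable)
    return bytes([0x00, 0x20, 0x00, 0x88, len(enc)]) + enc


def card_recovers_pin(enc: bytes, expected_unpredictable: bytes) -> Optional[str]:
    """Card side: decrypt with the private key, then reject a bad header or a stale UN (replay)."""
    data = pow(int.from_bytes(enc, "big"), _D_ICC, N_ICC).to_bytes(N_PE, "big")
    if data[0] != 0x7F or data[9:17] != expected_unpredictable:
        return None
    return pin_from_block(data[1:9])
```

Run `verify_apdu_plaintext("1234")` and `verify_apdu_enciphered("1234", un)` side by side: the first carries `24 12 34 FF ...` on the wire, the second a fresh random-looking block every time, and the card rejects a block whose unpredictable number does not match the challenge it issued.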
Of course the next step would be to encrypt all the information that passes between the terminal and card using a similar mechanism but that’s a discussion for another day.
In summary, it’s clear that the weaknesses of SDA have been exploited and damaged the reputation of the EMV standard, so surely it’s time we acknowledge the obvious – both SDA and Offline Plaintext PIN have had their day; it’s time they were put out to pasture.