EMV decisions on mag stripe in Canada in 2005 come back to haunt customers
Finally Target confirm the obvious, that the recent hack of 40 million debit and credit cards also obtained the PIN numbers. Target have also told CNN that they do not store the encryption key. This is suspect at best. It may not be stored but it exists somewhere otherwise they could not have encrypted the PIN’s. I would go further and question why Target store the PIN at all. The EMV protocols require the PIN for interaction between the Card, POS and the Bank. The PIN is of no value to Target.
(Reuters) – Target Corp (TGT.N) on Friday confirmed that “strongly encrypted PIN data” was stolen as part of the massive data breach at the third-largest U.S. retailer during the first three weeks of the holiday season.
Back to the mag stripe storyline.
Background from Krebs:
If there was ever a driving case to eliminate mag stripes this is it. My wife used her credit card in NY State recently and innocently noted to me they never asked for her pin. Yes dear, that’s because your super secure chip card is using the porous mag stripe in the US.
If you really want to get paranoid about this, then read Krebs on Security here. He has identified the Ukrainian man responsible. I have viewed some of the sites mentioned and it is at once alarming and also disarming how easy it was to identify this man. This would be a much better use of the NSA abilities.
Stolen cards are divided into a ‘base’ that reflects the stolen source and any other special characteristics. In this case individual bases included zip and postal codes (yes Canadian cards are involved, including Bank of Nova Scotia in one sample posted online). Two bases being mentioned in one site, that has since disappeared since Krebs post are called Tortuga and Barbarossa. The advantage of zip/postal codes is to design the attacks within the cardholders home region, thus increasing the time before Issuers fraud alerts kick in. Its obviously more of a fraud alert if your card that is used daily in Niagara Falls Canada, shows up in a transaction in Hong Kong or Singapore and to purchase electronic goods.
The cards are purchased as follows (from Krebs)
A quick search on the card shop for the bank’s BINs revealed nearly 100 of its customers’s cards for sale, a mix of MasterCard dumps ranging in price from $26.60 to $44.80 apiece. As one can imagine, this store doesn’t let customers pay for purchases with credit cards; rather, customers can “add money” to their accounts using a variety of irreversible payment mechanisms, including virtual currencies like Bitcoin, Litecoin, WebMoney and PerfectMoney, as well as the more traditional wire transfers via Western Union and MoneyGram.
To be clear, what is for sale is the card number, expiry date, name, address, and CVC.
Relevance to Bankwatch:
if ever there was a case to get serious about not just EMV but mag stripe then this is it.
The sophistication level is such that simple encryption of stored data is not enough. The transmission of the data has to be considered. If the data (card number, pin, etc) are ever in the clear (i.e. unencrypted) during the process then they probably exist unencrypted somewhere such as in RAM and these guys have tools to search that RAM.
I have long been a proponent of the two card approach. Give me a chip card for my day to day use. In 2005 during the initial requirements sessions for Chip Cards I disagreed with the retention of the mag stripe. The well intentioned purpose was to make it a smoother transition for clients who a) travelled abroad, and b) who used merchants that hadn’t converted. I always believed those two points were over-stated and unfortunately this has been borne out in Canada. Merchants swarmed to the new technology, egged on by a fairly non diverse and aggregated group of POS providers. And foreign travel – give me a different card.
That initial decision to maintain the mag stripe was driven by Visa and MasterCard, but we could have made in Bank decisions to not follow that decision, and still remain within the terms of the agreements in my view.
So my wifes shopping trips in the US are unnecessarily at risk due to a poorly conceived decision by technologists in 2005. And that unnecessary inconvenience includes all the banks and card issues fraud departments who spend all day cancelling and re-issuing cards. This is a dirty secret of banks and the scale of that re-issuance is overwhelming.