Sunday, January 31, 2016

A Response to Cambridge's Video on Chip and PIN Fraud

Frequently, I see people referring to this video from Cambridge University explaining several Chip and PIN fraud possibilities as evidence that Chip and PIN is broken. I would like to take this opportunity to post my thoughts on this video and explain how, in the context of the current rollout of EMV in the United States, this isn't necessarily a huge deal.

The first thing to keep in mind is that, as I wrote previously, the United States is mostly transitioning to Chip and Signature, rather than Chip and PIN. Since my last post, a couple more banks and credit unions have come out with Chip and PIN credit cards, but the majority of EMV credit cards in the United States remain Chip and Signature, and one of the issuers that was Chip and PIN when I wrote that post has changed to Chip and Signature. Whether issuers transition to Chip and PIN in the US at some point in the future remains to be seen.

The attacks described in the video fall into three basic types, and I'll go over them one by one:

The first attack describes tampering with the card reader such that the flow of information in the link between the card reader and the card itself is intercepted, allowing someone to read off the card details and PIN. This certainly is a possible attack, but has been mitigated in a couple of ways. The first is to encrypt the PIN before sending it to the card. This means that the attacker wouldn't be able to read the PIN. The second is to have the PIN verified, not by the card itself, but by the bank that issued the card. This sort of over-the-network PIN verification is always encrypted, so the attacker would not have access to it. This is also how magnetic stripe debit card PINs in the US have been verified for many years. There are still cards and terminals out there that support unencrypted PIN verification by the card, so the attack possibility remains, but keep in mind that this still is only a disclosure of the PIN, and not the private keys on the card that would be needed to manufacture a clone of a chip card.

In the United States, this attack is mostly irrelevant. With nearly all US-issued cards being signature-preferring, if they support PIN at all, the PIN would rarely be needed by the customer and thus there is no PIN to capture. In the case of debit cards, which require a PIN when run as "debit" and may use a PIN when run as "credit", the PIN is always encrypted and sent over the network to be verified by the bank. It doesn't make sense to me for an attacker in the US to focus on PIN collection in this manner, since most transactions would not use a PIN in the first place so there would be nothing to capture.

The second attack uses a device between the card and the terminal that makes the terminal think the PIN was accepted by the card while the card thinks it's doing a Chip and Signature transaction. This allows an attacker to use a stolen card without knowing the actual PIN, since the card thinks it's performing a signature transaction, while the intermediary chip returns a "correct PIN" response to the terminal in all cases. The problem is that there is nothing that verifies that the card and the terminal have the same view of the transaction. Fortunately, an improved method of authenticating that the card itself is legitimate, called "Combined Data Authentication" or "CDA", includes a way for the terminal or payment processing network to detect this inconsistency. As noted by SecurityWeek, CDA prevents this sort of attack.
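To make the "same view of the transaction" point concrete, here is a constructed toy model (added for this post, not code from the video, the Cambridge researchers, or any EMV specification) of the interposer attack and a CDA-style consistency check: the card signs over both the terminal's cardholder-verification result and its own, so the issuer can see when the two disagree. The key, PIN, and message layout are assumptions, and HMAC stands in for the card's signature.

```python
import hmac
import hashlib

# Constructed demo key; stands in for the card's signing key in real CDA.
CARD_KEY = b"constructed-card-key"


def _sign(amount: int, terminal_cvm: str, cvr: str) -> str:
    """Card signature over terminal data (amount, CVM result) plus card CVR."""
    msg = f"{amount}|{terminal_cvm}|{cvr}".encode()
    return hmac.new(CARD_KEY, msg, hashlib.sha256).hexdigest()


class Card:
    def __init__(self, pin: str):
        self.pin, self.pin_verified = pin, False

    def verify(self, pin: str) -> bool:
        self.pin_verified = pin == self.pin
        return self.pin_verified

    def generate_ac(self, amount: int, terminal_cvm: str) -> dict:
        # CVR: the card's own statement of how the cardholder was verified.
        cvr = "PIN" if self.pin_verified else "SIGNATURE"
        return {"cvr": cvr, "sig": _sign(amount, terminal_cvm, cvr)}


class Interposer:
    """Device between terminal and card: answers VERIFY itself, as in the video."""
    def __init__(self, card: Card):
        self.card = card

    def verify(self, pin: str) -> bool:
        return True  # always reports "PIN correct"; the card never sees VERIFY

    def generate_ac(self, amount: int, terminal_cvm: str) -> dict:
        return self.card.generate_ac(amount, terminal_cvm)


def issuer_check(amount: int, terminal_cvm: str, resp: dict) -> str:
    """Issuer/network side: recompute over the terminal's view and the card's CVR."""
    expected = _sign(amount, terminal_cvm, resp["cvr"])
    if not hmac.compare_digest(expected, resp["sig"]):
        return "DECLINE: signature does not match terminal data"
    if terminal_cvm != resp["cvr"]:
        return f"DECLINE: terminal saw {terminal_cvm}, card saw {resp['cvr']}"
    return "APPROVE"


def run_transaction(chip, entered_pin: str, amount: int) -> str:
    """Terminal forms its own CVM view, gets the cryptogram, issuer checks both."""
    terminal_cvm = "PIN" if chip.verify(entered_pin) else "SIGNATURE"
    return issuer_check(amount, terminal_cvm, chip.generate_ac(amount, terminal_cvm))
```

A wrong PIN on a genuine card simply becomes a signature transaction on both sides, whereas the interposer leaves the terminal believing "PIN" while the card signs "SIGNATURE", and the mismatch is declined.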

Like the first attack, this attack also doesn't seem to make much sense in the United States. With the majority of cards being issued as Chip and Signature instead of Chip and PIN, the attacker doesn't need to perform this attack to use a stolen card without knowing the PIN. Instead the attacker simply forges a signature on the receipt or PIN pad.

The third attack uses a terminal that displays a small transaction amount to the user while processing a large transaction amount. I don't really consider this a Chip and PIN attack at all, since I don't see why this attack couldn't be done with a magnetic stripe or Chip and Signature card. The solution here is to get a receipt, since the receipt would either show the large transaction amount and be immediately noticed by the cardholder, or the receipt would show the small transaction amount and thus would differ from the processed transaction amount, providing evidence that would allow the cardholder to more successfully dispute the transaction with their bank.

Ultimately, there's not a lot a cardholder can do to reduce the risk from these attacks. The first two aren't immediately relevant in the US since few US issuers are issuing Chip and PIN cards anyway. We can only hope that if they do start to, they take advantage of the latest enhancements to EMV technology, avoiding unencrypted PINs and using CDA. As for the third, that's really about good cardholder practices and doesn't have anything to do with Chip and PIN specifically.

Tuesday, January 05, 2016

Why Larry Ellison Doesn't Need Island Air Anymore

Let's travel back in time. All the way back to January 2013. Larry Ellison, CEO of Oracle, had recently spent a bunch of money buying the island of Lanai and wanted to make sure visitors would still be able to get to the two Four Seasons hotels on the island. Island Air was in bad shape, with not a lot of money and Dash 8-100s that were running out of cycles, and was working on replacing them with worn out ex-American Eagle ATR 72s. While technically possible, jet service to the island had never been a fiscally sound thing to do (I remember Aloha advertising it at one point and Hawaiian ran a triangle route with load restricted DC-9s between Honolulu, Molokai, and Lanai) so Hawaiian 717s were unlikely to show up anytime soon. Mokulele's tiny 9-seat Cessna Caravans were likely the type of experience he wanted for the guests of his high end resorts.

So buying Island Air made some sense. The ATRs, while not a large jet, would at least provide the familiar experience of flying a regional airliner on the short interisland hop. Trying to position itself as the #2 airline probably didn't seem like a bad idea either after the failure of the much-loved Aloha and much-despised Go, a position Island Air was pretty much in whether they wanted it or not. A lower cost/lower fare turboprop alternative to the mainline jets had been tried before, but there was the potential to be more successful with just one big competitor (Hawaiian) rather than two (Aloha and Hawaiian). But Island Air was never able to shake the poor reputation they developed when they didn't have enough Dash 8s left to fly the schedule, and once the ATRs arrived they couldn't keep them flying either, resulting in delays and cancelled flights.

So Hawaiian smelled an opportunity. Go was gone, Island Air had a poor reputation, and Mokulele was too small to be relevant. They bought some ATR 42s from Europe, contracted Empire to fly them, and reentered the Molokai and Lanai markets they hadn't been able to viably serve since retiring the Dash 7. Almost immediately, freed from the obligation of providing the only regional airliner sized service to the island, Island Air dropped service to Molokai to focus on Ellison's Lanai. But with Island Air continuing to lose money and Hawaiian's ATRs not seemingly going anywhere and able to bring guests to the resorts, it makes sense for him to stop pouring money into the airline and let someone else figure out what to do with it.