2.6 Threats and security protections

2.6.1 Channel protection versus eavesdropping

In the case of payment cards, the threat of eavesdropping or monitoring (see Appendix B) consists of obtaining the financial data, which is either embossed on the card or stored on the magnetic stripe of the card, and/or the confidential cardholder identification information like the PIN.

The financial data can be tapped while it is exchanged between the card and the operator/terminal at the point of service in a face-to-face transaction or when it is sent over communication channels during a remote payment transaction. The attacker can later use this data in a variety of attacks for obtaining material advantages. Below, some of the most frequent eavesdropping scenarios targeting financial data are outlined.

• The simplest eavesdropping attack is the waiter attack . The consumer has a magnetic stripe credit card and uses it at a restaurant. While taking the card of the consumer for reading it in the payment terminal, the waiter writes down the financial data embossed on the front side of the card: card's brand and issuer, cardholder's name , PAN, and expiration date.

• A fake ATM or POS terminal under the control of the attacker is used to illegitimately read the financial data encoded on the magnetic stripe of the card. In January 2001, Scotland Yard issued a worldwide warning to hotels, restaurants, and the public to watch out for a tiny electronic device that can be handheld and can read the magnetic stripe of a card in few seconds [14]. The content of the magnetic stripe of up to 50 cards could be simultaneously stored in the permanent memory of the device. The size of a matchbox, these devices were found among the possessions of several waiters working in high-class London restaurants where customers routinely pay with platinum and gold credit cards. In a few hours the content of the device was transferred to the logistic department of a criminal organization that creates the counterfeit magnetic stripe cards (see Section 2.6.4).

• In the electronic commerce scenario the waiter attack is performed as follows . Hackers (a term referring to an attacker whose target is an Internet connection or a Web site) are sniffing the transfer between the browser of the consumer and the Web site of the merchant. "Sniffing" is another term for eavesdropping, which is preferred in the Internet literature. A filter runs and isolates cardholders' financial data.

Another target of eavesdropping is capturing the cardholder identification information, like the PIN (see Appendix D, Section D.5). Several possibilities can be envisaged:

• The attacker tries to spy over the shoulder, recording with a miniature camera the PIN pad of a terminal.

• The attacker captures the PIN while the cardholder is typing it in the PIN pad of a false ATM or other unattended terminal, which is under the control of the attacker.

The eavesdropping of the PIN is an essential step that facilitates the mounting of more complex attacks using stolen or lost cards (as outlined in Section 2.6.2) or counterfeit cards (as presented in Section 2.6.4).

Little can be done to protect against eavesdropping at a point of service. Discretely typing the PIN using the palm as a shield is the simplest protection method. When participating in an electronic commerce transaction over the Internet, the legitimate cardholder can protect his or her financial data against the sniffing of the connection by using either SSL [15] or the transport layer security (TLS) [16], which are integrated in the majority of browsers. Thus, a secure connection is established between the browser of the cardholder and the merchant's server, if this is also SSL/TLS-enabled and operational, which can safeguard the confidentiality of financial data.

In the examples of attacks presented above, the eavesdropping threat was mainly analyzed on the interface between the cardholder and the merchant, which is the most vulnerable. Nevertheless, in case of debit/ credit payment cards, the long circuit performed by the authorization request/response sent to the interchange system is also sensitive to eavesdropping. The authorization request/response conveys the financial data of the card together with the (encrypted) PIN of the cardholder, in case the cardholder's verification is performed on-line by the issuer (see Appendix D, Section D.5.2). In this case the wiretapping task of the attacker is more difficult, considering the inaccessibility of the proprietary payment networks, unless the attacker colludes with insiders, managing the nodes traversed by the authorization messages.

2.6.2 Cardholder verification versus impersonation

The cardholder impersonation threat consists of the false association between the consumer undertaking a payment transaction and the authorized owner to whom the payment card was issued.

A dishonest waiter who has abusively captured the information embossed on the front side of a credit card (Section 2.6.1) can impersonate the legitimate cardholder when ordering purchases by phone. Similarly, a hacker who has successfully recorded the financial data associated with a credit card sent over an insecure Internet connection can impersonate the legitimate owner of the card when participating in other electronic commerce transactions. The lack of reliable cardholder verification procedures in these types of transactions facilitates the possibility of fraud.

An attacker who has stolen or found a payment card or has produced a counterfeit card (Section 2.6.4) tries to impersonate the authorized cardholder when attempting to use the card for his convenience. If the stolen card is a credit card, the attacker can use it for making purchases in a shop, exposing him to some risk.

• When the transaction amount is below the upper floor limit and the service code does not indicate positive authorization by the issuer, then the issuer is not asked on-line for authorization. In this case the attacker must be skilled enough to mimick the legitimate cardholder's signature, which is the common cardholder verification method (see Appendix D, Section D.5.1) used for credit cards presented at an attended POS terminal. The attacker hopes that the shopkeeper makes only a cursory comparison between the forged signature and the witness signature on the back side of the card and that the issuer did not post the stolen card to the blacklist stored in the terminals (if this possibility exists). A blacklist is a database that stores the PAN of all cards that were reported stolen or lost, or which were abused in any other way and about which the issuer is aware.

• If the attacker aims for higher material returns over the upper floor limit, he faces additional risks. The attacker must rely on the assumption that at the moment when the authorization request is analyzed on-line by the issuer, the cardholder has not realized the theft/loss of the card and has not reported it to the issuer.

If the stolen card is a debit card or a credit card that allows for cash advance, there is a high probability that the attacker will try to impersonate the cardholder at an ATM for money withdrawal. In this case, the common cardholder verification procedure is based on the PIN verification.

• When the attacker has already spied the PIN (Section 2.6.1), the attack is successful if the card has not yet been reported to the issuer as stolen or lost.

• If the attacker did not record the PIN, there is still a small probability that he can guess the PIN (if the cardholder wrote it on the back side of the card, then guessing is not needed). This probability is higher when the number of digits in the PIN is small, the number of permitted wrong attempts is high, and the number of wrong attempts is not stored from one ATM session to another. This is the reason why a PIN is at least four digits, the number of attempts is limited to three, and the number of attempts left is either recorded on the magnetic track 3 or in the cardholder accounts database managed by the issuer. In this case the success probability of guessing is limited to 3 — 10 ^{ˆ’ 4} .

The PIN verification method applied to magnetic stripe cards is the PIN image verification method, which is described in Appendix D, Section D.5.2.

In case the issuer host performs the PIN verification, the terminal securely sends the PIN of the cardholder to the issuer host via the interchange system, using a communication channel that provides confidentiality. Upon receipt, the secure module of the issuer host retrieves the PIN from the cryptogram included in the authorization message. It then computes the PIN image control value and compares it against the PIN image stored value, which is kept in the cardholder accounts database. Every time the comparison fails, the counter of available PIN attempts, which is kept in the cardholder's record in the accounts database, is decreased. The counter is reset to the initial value of three attempts only after a successful PIN verification. The value of this counter is persistent from one session to another, such that an attacker cannot make more than three guesses.

If the terminal at the point of service performs the PIN image verification locally, two conditions have to be fulfilled:

1. First, the PIN image stored value is encoded on the magnetic stripe.

   • If only track 1 or track 2 is present on the magnetic stripe, the PIN image stored value can be recorded only during the personalization stage of the card among the items contained in the discretionary data field. This technique is decreasingly used since it prevents deployment of a user -selectable PIN different from the value generated by the issuer during the personalization of the card. This is because track 1 and track 2 cannot be written but just read, and therefore, updating the PIN image stored value computed in connection with a new PIN selected by the cardholder is not possible. For the same reason, there is no possibility of updating the counter of available PIN attempts on track 1 or track 2, which allows an attacker to perform more PIN guesses. For example, after two incorrect PIN submissions, the attacker interrupts the session at the current terminal and withdraws the card. Later, he reinitiates a new session and tries new PIN values either at the same terminal or at another terminal operated off-line.

   • If track 3 is encoded on the magnetic stripe of the card, local PIN verification is improved. Since track 3 can be written, the cardholder can choose for a different PIN than the one generated by the issuer at the personalization stage. The issuer can statically update the PINPARAM field on track 3 to reflect a new PIN image stored value, following, of course, a PIN changing procedure at a dedicated terminal in the issuer's premises. There is also the possibility of updating the counter of available PIN attempts left, which is stored in the field retry count on track 3. Thus, the number of possible PIN guesses is limited to the initial value of the retry count, which will be reset by the terminal only after a successful PIN verification.

2. Secondly, the terminal has to be able to compute locally the PIN image control value to be compared against the PIN image stored value read from the magnetic stripe. When the PIN image is computed with a message authentication code (MAC), the acquirer and the issuer must have a bilateral business agreement through which they have exchanged the necessary keys for the computation of the MAC. This limits the interoperability of the payment application, and this is one more reason why track 3 is used for national interchange.

A fraudulent transaction is considered any transaction where the user of the card is not the authorized cardholder. This definition includes all transactions using stolen cards, lost cards, or cards that were sent from the issuer but never received by the intended cardholder (card-not-received cards).

2.6.3 Static authenticator versus modifying financial data

Modifying the content of financial data stored on the magnetic stripe can help an attacker to mislead the authorization process, especially when authorization is carried out locally at the point of service.

Any field of a magnetic track can be a target for the attacker; however, the following attempts are most common:

• If an attacker has found an expired card that was not destroyed by the cardholder but rather negligently thrown away, he would try to extend the expiration date of this payment card. In this way, he could further bill on behalf of the legitimate cardholder ” assuming the account related to the PAN is still active.

• Let us consider the scenario where the attacker has stolen a payment card but did not succeed in spying the PIN of the cardholder. In this case, the target of the attacker could be to modify the service code such that the PIN verification in connection with a service is not required.

• If track 3 is encoded on the magnetic stripe, the attacker could try to modify the amount remaining this cycle field to extend the spending limits and the cycle begin parameter to increase the frequency of spending.

To avoid the modification of financial data stored on track 1 or track 2, the issuer computes for each track during the personalization stage a static authenticator using the MAC-based static data authentication (SDA) mechanism (see Appendix D, Section D.6.1). This mechanism provides data authentication for the financial data stored on the magnetic stripe. The effective input data used to compute this MAC value is specific to each issuer. The static authenticator is stored among the items of the discretionary data field and has the same value during the whole lifetime of the card, since data on these tracks cannot be written.

If the magnetic stripe encodes the financial data on track 3, there are data items that can be statically changed by the issuer during the lifetime of the card, when the card is operated at a specialized terminal. One such example is the PIN control parameters field (PINPARAM), which changes after the cardholder chooses a different PIN. Correspondingly, the issuer updates the value of the static authenticator stored on the magnetic stripe each time financial data has changed on the card. The static authenticator can be encoded among the data items in the discretionary data subfield of the additional data field.

There is other financial data on track 3 that can be dynamically changed on the card by the terminal at the point of service, including the cycle begin field, the amount remaining this cycle field, and the transaction date field reflecting the last date when the cash dispense operation was performed. To enforce the authenticity of this data, a supplementary static authenticator can be computed at the point of service, which is dynamically updated in the CCD filed stored on track 3. To this end, each issuer must provide acquires participating in the interchange with appropriate cryptographic material for the computation and verification of the corresponding MAC.

The static authenticators mentioned above are intended for protecting the authenticity of financial data stored on the magnetic stripe. A static authenticator can be also computed for the financial data embossed on the card and printed on the back side of the card. This authenticator is printed in the tamper-resistant band that displays the witness signature of the cardholder. When ordering by phone, the cardholder is required to read the value of this authenticator from the back side of the card in addition to the financial data embossed on the front side of the card. The operator at the merchant's site could further request a specialized service of the acquirer that can assess whether the financial data of the card is authentic or not.

2.6.4 Timeliness versus card counterfeiting

Counterfeiting money has been a threat ever since coins emerged as a means of exchange in commercial transactions. When coins were made of precious metals (such as gold or silver), biting the coin was the way one verified its authenticity. This would work regardless of the authority that issued the coins, since their value was intrinsically covered by the weight of the precious metal. Later coins were made of common metals and their value was guaranteed by an authority that stored a reserve in precious metals, whose value was equivalent to the value of the monetary mass in circulation. In this case, counterfeiting involved the replication of the head and tail artwork embossed on the two faces of a coin, which were the distinctive signs of the authority issuing the coins and guaranteeing their value. As cash evolved to paper banknotes, more and more attention was paid to embedding in their physical structure enough distinctive authenticity shapes (known as watermarks) to make them distinguishable from possible counterfeits.

The proliferation of payment cards has also exposed financial institutions to risk from counterfeiting. Counterfeiting cards is a threat that consists of impersonating the origin of financial data as coming from a genuine card, while in fact an emulator providing the same functionality as the card and cloning the content of its financial and authentication data is used instead. This emulator is referred to as the counterfeit card.

The earliest attempts of card counterfeiting targeted the embossed financial data. The attacker produces a matrix that allows falsifying the artwork on the front and back sides of the card, including the position and dimension of the embossed and printed characters . Through eavesdropping (Section 2.6.1), the attacker obtains a set of financial data that will be embossed on the counterfeit cards. The attacker impersonates the legitimate cardholder (Section 2.6.2) and tries to make a purchase at an attended point of service that has no electronic terminal. To prevent such kinds of attack, a hologram specific to the card association brand, which is easily recognizable by an operator at the point of service, is embedded in the plastic card. This security protection provides a visual means for checking the authenticity of the card at the point of service.

The successful passing of a counterfeit card in a payment transaction is more difficult if the point of service is equipped with an electronic terminal. The attacker has to emulate the magnetic stripe and its content that corresponds to a genuine card. To this end, the attacker collects transaction receipts negligently thrown away by the cardholders. The attacker attempts to reconstruct the content of the financial data stored on the genuine card and to encode it on the fake magnetic stripe. A simple protection against this threat is to avoid printing all the financial data stored on the magnetic stripe on the transaction receipts. Moreover, during the personalization stage of the payment card or even during its lifetime, the issuer computes and stores a static authenticator on the magnetic stripe (Section 2.6.3), which could serve as a cryptographic watermark.

Certainly, this measure becomes inefficient if a fake ATM captures all of the data on the magnetic stripe, including the static authenticator and the CCD field. In this case, the attacker can completely clone the genuine magnetic stripe. If the cardholder does not realize that the ATM was a fake, but only that it was out of service, it can take some time before she notices the damage to her account. The attacker uses the PIN learned by eavesdropping with the corresponding counterfeit card, which reproduces the financial data captured from the matching genuine card, for making ATM money withdrawals.

The presence of track 3 on the magnetic stripe can provide an extra protection against counterfeiting. If the transaction at the point of service is always authorized on-line by the issuer, an efficient timeliness mechanism (see Appendix C, Section C.1) based on random numbers can be implemented. At the personalization time the issuer records a random number in the card security number field on track 3. The same number is recorded in connection with the card in the cardholder accounts database. Every time a transaction is authorized on-line, the card security number is compared against the stored value. If the two values are equal, the issuer host performs the authorization process, otherwise the authorization is aborted, and the card is considered counterfeit. If the authorization process is continued , the issuer host sends back a fresh random number in the authorization response, which is correspondingly updated in the cardholder accounts database. At the point of service the terminal dynamically updates this value in the card security number. If a counterfeit card is produced and operated, the card security number of either the genuine card or of the counterfeit card will lose its synchronization with the value stored in the cardholder accounts database, which will lead the issuer host to blacklist the card. The financial loss is limited to the number of transactions executed with the counterfeit card until the moment the genuine card is used once again. Unfortunately, this kind of protection works only for a payment card that uses track 3.

2.6.5 Merchant attacks and colluding attacks

Merchants can mount themselves or can collude with stronger organizations in some of the attack scenarios described in the previous sections.

Within the category of eavesdropping attacks (like those described in Section 2.6.1), the merchant can mount waiter attacks in face-to-face transactions or can abuse the financial information gathered from customers during electronic commerce transactions and stored in the merchant's Web server. Colluding with a strong criminal organization, the merchant can facilitate attacks using fake or modified terminals, towards tapping both the financial data stored on the cards as well as the PIN of the cardholders. This information would allow the production of counterfeit cards (see Section 2.6.4), which used in combination with the PIN, can grant to the attacker complete control over the cardholder's account.

The merchant can also collude with the attacker in mounting impersonation attacks like that described in Section 2.6.2. When a credit card is stolen, the merchant can facilitate the task of the attacker by not performing the cardholder verification method. The merchant does not compare the signature produced by the attacker with that of the legitimate cardholder, which is recorded on the back side of the card. The merchant can also facilitate the use of counterfeit cards, deliberately skipping all the visual controls of the authentication artwork foreseen on the front side of the card (see Section 2.6.4).

The payment system operator, however, can easily monitor the activity of the merchant. The merchant can be included on a violation list if suspicious activity is detected at his point of service:

• A large percentage of the counterfeit or fraudulent transactions is traced back to his point of service;

• The ratio of the transactions rejected on-line from the total number of on-line authorizations requested to the issuer is high;

• The number of transactions where the financial data is captured manually is high, considering that the point of service is equipped with an electronic terminal;

• The monitoring software of the payment system detects multiple authorization requests linked to the same PAN or multiple authorizations requiring the same amount, regardless of the account to which they are linked;

• A high number of authorization requests are noticed, compared to the average number of authorizations characterizing that point of service.