Most of South Africa’s banking cards make use of a chip and PIN system so that you can hand them over at the shops confident of your cards’ security, but just how secure is the transaction process really?
The cards themselves are quite safe, but they are only one half of any transaction – the other half is of course the point of sale systems they are swiped through. It is here where vulnerabilities lie, as there is a real possibility that security flaws can be introduced there during development.
But there is some good news for worried consumers: a South African research team has made a bit of a breakthrough when it comes to combating such flaws.
Almost every credit and debit card issued today can be classified as EMV (Europay, MasterCard and Visa), which is the global standard used to authenticate transactions between chip payment cards (with the rather fancy technical term of “integrated circuit cards”) on debit and credit cards, and a shop’s point-of-sale (POS) system.
If any security vulnerabilities have been introduced into the POS, either through malware or before it left the factory, you might be out of pocket sooner than you think – and this is where cyber security consultancy firm MWR InfoSecurity comes in.
After two years of research, the team has created an automated robot (which it calls a “fuzzer”) that can test for potential vulnerabilities in point-of-sale terminals without knowing the source code of the EMV kernel. In short, it can check for dodgy POS systems before they even leave the factory floor.
While there is no need to panic, or believe your recent shopping trips have definitely subjected your cards to POS systems full of security holes, it does bring into question the issue of security research in the retail industry, according to MWR InfoSecurity.
“Although the standard-defining EMV is in principle secure, our previous research proved that vulnerabilities can be introduced into the terminal-smartcard authentication procedure. So there is an urgent need to develop a structured and formal security evaluation approach to eliminate these potential vulnerabilities,” it explained.
MWR’s flaw-busting system uses a combination of hardware and software to evaluate the security integrity of a “device under test” (DUT), through the following process:
- Hardware has been designed that includes a robotic arm, that automates insertion and retraction of the emulated smart card by means of a linear actuator, that interfaces with a computer via USB and provides abstraction to the EMV communication stream
- A Python interface has been developed to facilitate control of the EMV fuzzer, in effect allowing on-the-fly monitoring and emulation of an EMV stream with the DUT
- Various predefined security tests formalise the security evaluation procedure
“In order to ensure the security and integrity of an EMV-enabled terminal, we need to test it against a multitude of response vectors which have not been accounted for in the design stages. It can test target terminals, without knowing the source code of the EMV kernel, for potential vulnerabilities in a fast, controlled and reproducible manner – ensuring the security of a device before it is released.”
The team will naturally be looking to make the tech available to other companies, so that the security of card payment systems the world over remain intact. Thanks to the company’s efforts, it will also be able to encourage more research on the security of EMV protocol implementations.
[Image – CC by 2.0/reway2007]