Securing Card-Not-Present Transactions through EMV Authentication
Transcript of Securing Card-Not-Present Transactions through EMV Authentication (presentation slides)
![Page 1: Securing Card-Not-Present Transactions through EMV ...ece.gmu.edu/.../F15_presentations/Session_1_Secure_Payments/2_EMV.pdfSecuring Card-Not-Present Transactions through EMV Authentication](https://reader030.fdocuments.net/reader030/viewer/2022021511/5ac2ee9b7f8b9a333d8b8484/html5/thumbnails/1.jpg)
Securing Card-Not-Present Transactions through EMV Authentication
Matthew Carter and Brienne Douglas
December 18, 2015

Outline
• Problem
• Card-Not-Present (CNP) vs. PayPal
• EMV Technology
• EMV CNP Experiment
• Summary
• Questions

Problem: Payment Card Fraud (1)
• Types of payment cards
  o Debit
  o Credit
• In 2014, over 13 million Americans were victims of payment card fraud
Source: Aite Group, "EMV: Lessons Learned and the U.S. Outlook," June 2014

Problem: Payment Card Fraud (2)
• The U.K. was an early adopter of Europay, MasterCard, and Visa (EMV) chip technology
• Counterfeit-card (cloning) fraud decreased
• Card-Not-Present (CNP) fraud increased sharply
  o Purchases over the internet
  o Purchases over the phone

Problem: Payment Card Fraud (3)
[Chart: card-not-present fraud losses in millions of pounds, 2005 to 2008, y-axis from 150 to 350. Source: The UK Cards Association]

Traditional CNP Transactions
• "Secret" card data provides the transaction authorization
  o Card number
  o Expiration date
  o Etc.
• A third party passively viewing the transaction can repeat it, because the same static data authorizes the next purchase

CNP Attack
• Man-in-the-middle proxy (mitmproxy) placed on the client at 127.0.0.1
• Checkout service request as seen by the proxy:
  GET https://api.stripe.com/v1/tokens?email=testemail…&card[number]=4242+4242+4242+4242&card[cvc]=151&card[exp_month]=6&card[exp_year]=2016&card[name]=testemail…
• The card number, CVC and expiry travel as plain query parameters inside the TLS session, so anyone who can terminate TLS on the client (here the proxy) holds everything needed to repeat the purchase
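What the proxy operator gets from a request like the one above, and how to spot it in captured traffic: the following is an added example (Python) and not part of the presentation. It scans request lines in the shape a mitmproxy flow log shows, pulls out query parameters whose value is a Luhn-valid 13 to 19 digit number, and masks them for reporting. The sample requests, the hostnames other than api.stripe.com, and the parameter names other than Stripe's `card[number]`/`card[cvc]` are constructed for the demo.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of captured request lines (method + URL); the first is the
# Stripe token call from the slide, the others are made up for contrast.
CAPTURED_REQUESTS = [
    "GET https://api.stripe.com/v1/tokens?email=test%40example.com"
    "&card[number]=4242+4242+4242+4242&card[cvc]=151&card[exp_month]=6&card[exp_year]=2016",
    "GET https://shop.example/search?q=4242424242424241",         # 16 digits but fails Luhn
    "POST https://shop.example/pay?token=tok_1Abc&amount=1999",   # tokenized: nothing to replay
    "GET https://shop.example/profile?pan=4111-1111-1111-1111",  # hyphenated test number
]


def luhn_ok(digits):
    """ISO/IEC 7812 check-digit test: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep the first six and last four digits, the usual masked form for reports."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(request_line):
    """Return [(parameter name, masked PAN)] for every query parameter whose value,
    once spaces and hyphens are removed, is a Luhn-valid 13-19 digit number."""
    _method, _, url = request_line.partition(" ")
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        digits = re.sub(r"[\s-]", "", value)   # parse_qsl already turned '+' into spaces
        if re.fullmatch(r"\d{13,19}", digits) and luhn_ok(digits):
            hits.append((name, mask_pan(digits)))
    return hits


def scan(requests):
    """Map the index of each offending request to the card-number parameters it carries."""
    report = {}
    for i, request_line in enumerate(requests):
        hits = find_pans(request_line)
        if hits:
            report[i] = hits
    return report


if __name__ == "__main__":
    for i, hits in scan(CAPTURED_REQUESTS).items():
        print("request %d: plaintext card number in %s" % (i, hits))
```

The tokenized request (constructed `token=tok_…` line) is the contrast case: the observer sees a one-time handle, not reusable credentials, which is the property the EMV-based experiment later in the deck aims to give a card directly.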

Existing CNP Alternatives
• PayPal
  o User card information encrypted on PayPal servers
  o Payment transactions done via tokenization
• Sniffed SSL traffic reveals that some user information is leaked
  o Account details are encrypted prior to transmission

EMV Technology
• Chip-and-PIN
• EMV provides "Card Verification Technologies"
  o Static Data Authentication (SDA)
  o Dynamic Data Authentication (DDA)
  o Combined DDA and Application Cryptogram generation (CDA)

EMV Dynamic Data Authentication (1)
• The card's private RSA key is used for signature generation
• The card provides public key certificates
  o Card (ICC) certificate
  o Issuer certificate
[Diagram: the card signature is verified by the issuer public key certificate, which in turn is verified by the Certificate Authority public key]

EMV Dynamic Data Authentication (2)
[Diagram: exchange between card and terminal]
Terminal: transmits dynamic data to be included in the signature
Card: generates the signature over the dynamic data and responds with the signature
Terminal: verifies the signature

EMV CNP Experiment
• Force online transactions to run DDA for card verification
• Verify the signature at a remote location (the merchant's server) instead of at a point-of-sale terminal
• Verify that the payment card data is not susceptible to a man-in-the-middle attack

EMV CNP Components
• Client machine running software
• Smart card reader
• Payment card with integrated chip
• Server machine running software

Client and Server Machines
• Client
  o Card reader software
  o Client HTTPS software
• Server
  o XAMPP server software
    • Apache
    • MySQL
    • Tomcat
  o Java servlets
    • Dynamic data generation
    • Card signature verification

EMV CNP Steps
• Read Card
• Generate Dynamic Data
• Card Signature Generation
• Verification of Signature

Read Card Step
------------------------------------------------
Send READ RECORD to read SFI 1 record 4
-------------------------------------
APDU: 00 b2 04 0c 00
Response parsed:
70 81 c3 -- Record Template
  9f 46 81 b0 -- ICC Public Key Certificate
    55 ea 24 5f 3c da …
  9f 47 01 -- ICC Public Key Exponent
    03
(P1 = 04 is the record number; P2 = 0c is SFI 1 in the upper five bits with 100b in the lower three, meaning P1 addresses a record. The certificate is 0xb0 = 176 bytes, the length of the issuer's RSA modulus, and the card's public exponent is 3.)
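How the APDU on this slide is built and how its response is decoded, as an added example that is not part of the presentation's card-reader software. P2 = 0x0C encodes SFI 1 with record-number addressing, and the response is BER-TLV, so a small parser recovers tags 9F46 and 9F47. The certificate value below is a constructed 5-byte placeholder (still in the 81-xx long length form the slide shows) because the slide truncates the real 176-byte value.

```python
# Constructed response in the layout the slide shows for SFI 1 record 4.
READ_RECORD_RESPONSE = bytes.fromhex(
    "70 0D"                   # Record Template, 13 bytes follow
    "9F46 81 05 55EA245F3C"   # ICC Public Key Certificate (placeholder value)
    "9F47 01 03"              # ICC Public Key Exponent = 3
)

TAG_NAMES = {0x70: "Record Template", 0x9F46: "ICC Public Key Certificate",
             0x9F47: "ICC Public Key Exponent"}


def read_record_apdu(sfi, record):
    """ISO 7816-4 READ RECORD as EMV uses it: CLA 00, INS B2, P1 = record number,
    P2 = SFI in the top five bits with 100b in the low three, Le 00."""
    if not 1 <= sfi <= 30 or not 1 <= record <= 255:
        raise ValueError("SFI must be 1..30 and record 1..255")
    return bytes([0x00, 0xB2, record, (sfi << 3) | 0x04, 0x00])


def _tag(data, i):
    """Read a BER tag: more bytes follow when the low five bits of the first byte
    are all ones, and continue while bit 8 of each following byte is set."""
    tag = data[i]
    i += 1
    if tag & 0x1F == 0x1F:
        while True:
            tag = (tag << 8) | data[i]
            i += 1
            if not data[i - 1] & 0x80:
                break
    return tag, i


def _length(data, i):
    """Read a BER length: one byte if < 0x80, else 0x8N followed by N length bytes."""
    first = data[i]
    i += 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    if not 1 <= n <= 4:
        raise ValueError("unsupported length encoding")
    return int.from_bytes(data[i:i + n], "big"), i + n


def parse_tlv(data):
    """Flatten a BER-TLV byte string into {tag: value}; constructed tags (bit 6 of
    the first tag byte set, e.g. 70) are descended into rather than stored."""
    out = {}
    i = 0
    while i < len(data):
        tag, i = _tag(data, i)
        length, i = _length(data, i)
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV at tag %X" % tag)
        i += length
        first_byte = tag >> (8 * ((tag.bit_length() - 1) // 8))
        if first_byte & 0x20:
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


def icc_public_key_fields(response):
    """The two objects a DDA verifier needs from this record: the ICC certificate
    (to be recovered with the issuer key) and the card's public exponent."""
    objs = parse_tlv(response)
    return objs[0x9F46], int.from_bytes(objs[0x9F47], "big")


if __name__ == "__main__":
    print("APDU:", read_record_apdu(1, 4).hex(" "))
    for tag, value in parse_tlv(READ_RECORD_RESPONSE).items():
        print("%X -- %s: %s" % (tag, TAG_NAMES.get(tag, "?"), value.hex()))
```

The parser refuses truncated records rather than returning partial data; a verifier that silently accepted a short 9F46 would later fail (or worse, be fed a shorter modulus) at the certificate-recovery step.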

Dynamic Data Generation
Sample output from Server: [screenshot on the slide, not transcribed]

Card Signature Generation
------------------------------------------------
Send INTERNAL AUTHENTICATE command
------------------------------------------------
Sending HTTPS request to url: https://mrc7d-pc/examples/getdyndata
Response Code: 200
authenticationRelatedData = F69A603757096EC1B3
Command Bytes:
00 88 00 00 09 f6 9a 60 37 57 09 6e c1 b3 00
Response parsed:
77 73 -- Response Message Template Format 2
  9f 4b 70 -- Signed Dynamic Application Data
    46 f2 60 df …
(The nine bytes after Lc = 09 are the server's authenticationRelatedData, the challenge the card must sign. The Signed Dynamic Application Data is 0x70 = 112 bytes, which is the length of the ICC's RSA modulus.)

Card Signature Verification (1)
• Certificate Authority (CA) public key, selected by
  o Application Identifier (AID)
  o CA Public Key Index
• Issuer public key, recovered from the issuer public key certificate with the CA key
• Integrated Circuit Card (ICC) public key, recovered from the ICC public key certificate with the issuer key
  o Card public key

Card Signature Verification (2)
Sample output from Server: [screenshot on the slide, not transcribed]

Card Signature Verification (3)
Sample output from Server: [screenshot on the slide, not transcribed]
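The exchange on the two Dynamic Data Authentication slides (terminal sends dynamic data, card signs, terminal verifies) and the server-side check described on the three Card Signature Verification slides, simulated end to end as an added example (Python; this is not the presentation's servlet code). Assumptions: the card's RSA pair is generated in software here rather than read from a chip, the CA-issuer-ICC certificate chain is skipped and the ICC public key is trusted directly, and the signed-data layout is the EMV Book 2 DDA format (header 6A, format 05, SHA-1 indicator 01, pad BB, trailer BC). The 9-byte challenge is the authenticationRelatedData value from the Card Signature Generation slide; the card-side nonce and the second challenge are constructed.

```python
import hashlib
import hmac
import random

_rng = random.SystemRandom()


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin; adequate for a demo key, not for production key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_icc_key(bits=512, e=3):
    """Software stand-in for the chip's RSA pair; e=3 matches tag 9F47 on the slide.
    Returns (n, e, d).  The modulus is forced to a full 'bits' length so the
    0x6A header byte of the signed block always keeps the block below n."""
    half = bits // 2
    while True:
        p = _rng.getrandbits(half) | (1 << (half - 1)) | 1
        q = _rng.getrandbits(half) | (1 << (half - 1)) | 1
        if p == q or not (_is_probable_prime(p) and _is_probable_prime(q)):
            continue
        n, phi = p * q, (p - 1) * (q - 1)
        if n.bit_length() != bits or phi % e == 0:
            continue
        return n, e, pow(e, -1, phi)


def internal_authenticate_apdu(terminal_dynamic_data):
    """CLA 00 INS 88 P1 00 P2 00, Lc, the server's challenge (DDOL data), Le 00."""
    return bytes([0x00, 0x88, 0x00, 0x00, len(terminal_dynamic_data)]) + terminal_dynamic_data + b"\x00"


def card_sign(n, d, icc_dynamic_data, terminal_dynamic_data):
    """Card side of INTERNAL AUTHENTICATE: build the Signed Dynamic Application
    Data block (EMV Book 2 DDA layout) and apply the RSA private key."""
    n_ic = (n.bit_length() + 7) // 8
    pad_len = n_ic - len(icc_dynamic_data) - 25   # header+format+hash id+len+hash(20)+trailer
    if pad_len < 0:
        raise ValueError("ICC dynamic data too long for this modulus")
    body = bytes([0x05, 0x01, len(icc_dynamic_data)]) + icc_dynamic_data + b"\xBB" * pad_len
    digest = hashlib.sha1(body + terminal_dynamic_data).digest()   # hash binds the challenge
    block = b"\x6A" + body + digest + b"\xBC"
    return pow(int.from_bytes(block, "big"), d, n).to_bytes(n_ic, "big")


def server_verify(n, e, signature, terminal_dynamic_data):
    """Server side: recover the block with the ICC public key and check header,
    format, hash-algorithm indicator, trailer and the hash over the challenge.
    Returns the recovered ICC dynamic data, or None on any failure."""
    n_ic = (n.bit_length() + 7) // 8
    if len(signature) != n_ic or int.from_bytes(signature, "big") >= n:
        return None
    rec = pow(int.from_bytes(signature, "big"), e, n).to_bytes(n_ic, "big")
    if rec[0] != 0x6A or rec[1] != 0x05 or rec[2] != 0x01 or rec[-1] != 0xBC:
        return None
    body, digest = rec[1:n_ic - 21], rec[n_ic - 21:n_ic - 1]
    if not hmac.compare_digest(hashlib.sha1(body + terminal_dynamic_data).digest(), digest):
        return None
    ldd = rec[3]
    if ldd > n_ic - 25:
        return None
    return rec[4:4 + ldd]


def run_dda_exchange(key, replay=False):
    """One CNP transaction.  With replay=True the server issues a fresh challenge
    but receives a signature made over the old one, which is all a passive
    observer who recorded an earlier exchange could send; it must fail."""
    n, e, d = key
    challenge = bytes.fromhex("F69A603757096EC1B3")          # value from the slide
    apdu = internal_authenticate_apdu(challenge)
    icc_dynamic_data = _rng.getrandbits(64).to_bytes(8, "big")   # constructed card nonce
    signature = card_sign(n, d, icc_dynamic_data, apdu[5:5 + apdu[4]])
    if replay:
        challenge = bytes.fromhex("0123456789ABCDEF01")      # constructed new challenge
    return server_verify(n, e, signature, challenge) == icc_dynamic_data
```

The replay case is the point of the experiment: a signature recorded from an earlier transaction fails against a fresh challenge because the SHA-1 input includes the server's dynamic data, which is exactly the binding the static card number and CVC of a traditional CNP request lack. Note the card signs the bytes taken back out of the APDU, so what is verified is what was actually sent to the card.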

Summary
• EMV deployment is known to mitigate card-present fraud; on its own it does nothing for card-not-present (CNP) transactions
• The attempt to secure CNP payments with dynamic data authentication (DDA), using the card's RSA key pair to sign server-supplied dynamic data, proved successful in the experiment

Questions