4

I came across this question Offline brute-forcing of a bank card PIN, which was asked 7 years ago. I'm currently exploring vulnerabilities in EMV protocol, and I wanted to double check if an idea I had in mind is viable. I came across a paper written in 2013, titled Risks of Offline Verify PIN on Contactless Cards, which describes a scenario where an attacker can try to guess a smartcard's PIN code if they are in NFC range. The attacker would use an offline reader which sends to the card a VERIFY_PIN command. Note here that the reader will terminate the transaction every time the remaining attempts to enter the PIN is 1. So theoretically, if the card allows 3 attempts in total, the attacker can make 2 guesses at a time, and then reset the transaction.

Detailed attack steps as described in paper And since all this is happening offline, nobody will detect that the card is being attacked. A brute force approach will require 10000 attempts, and with the help of some probabilistic analysis, the guesses can be made in a more educated manner (e.g. using birthdays etc.). Good folks at Cambridge have put in effort to illustrate that there is in fact a trend in terms of people picking predictable PINs A birthday present every eleven wallets? The security of customer-chosen banking PINs.

In this case the paper recommends that the VERIFY_PIN command be omitted from the possible commands sent to an NFC card, so that the attacker cannot issue this command to the card to begin with, and since it isn't really necessary, because NFC transactions usually involve small amount and many don't even require a PIN verification. Nevertheless, my question remains: is such a setup viable for contact transactions (physically inserting the card in the terminal)? There have been attacks previously mentioning a Man-in-the-middle that intercepts a transaction and fools the card into thinking there is no PIN required. So why not try a random PIN twice, and then intercept the transaction by resetting it? Has this idea been discussed in the literature? Is there a solution for it in the EMV protocol?

OrangeJusticeV
  • 111
  • 5
  • So now you have the pin, then what? I'm curious how would you leverage this knowledge. Also the short range of NFC makes it even more difficult. – nethero Oct 07 '20 at 21:47
  • Well, the typical man-in-the-middle attack (aka wedge attack) uses a stolen card and performs a transaction by by-passing the PIN verification. If, by the logic I'm following, this attacker can "guess" the PIN by brute force, can't he just simply use the card normally (with successful PIN verification) to make transactions? The paper I mentioned for the NFC case could actually complete the attack in a couple of seconds, so it might not really be so far-fetched to eventually guess the PIN... – OrangeJusticeV Oct 07 '20 at 22:03

1 Answers1

4

EMV has PIN Try Counter. Failed offline PIN attempt decrements the counter and remains persistent across sessions. So even if you cancel the transaction after 2 failed attempts, it won't reset the counter. Next time when you will reinsert the card you will only have one attempt left.

Before VERIFY_PIN is issued, PIN Try Counter is retrieved by GET DATA command. If the value of PIN Try Counter is zero before verifying the PIN, terminal will go for online PIN verification as next supported cardholder verification method (CVM).

Nowadays online PIN verification is mandatory because of custom cardholder PIN. In some cases where terminal cannot go online, then only terminal chooses offline PIN verification as next supported CVM. Offline PIN can be updated with the post-issuance command by Issuer-to-Card Script Processing whenever a next transaction will be online.

Online PIN is sent with transaction authorization request to the issuer. The authorization response from the issuer contains transaction approval/rejection and optionally Card Status Update which can reset PIN Try Counter or can block the card.

Given that the person will enter the building on a regular basis and that the number of available PIN attempts is reset each time the payment card is used in a Point of Sale terminal or ATM, the attacker can have unlimited attempts to guess a card’s PIN.

I don't think this is possible today. Contactless cards have a threshold counter above which the next transaction has to be a contact payment or in some countries may still be operational in contactless mode with an online verification of the PIN code. (12:18)

EMV Contactless Book A, 5.9.3 - CVM Selection and Cardholder Verification

Methods that may be supported are online PIN and signature – offline PIN is not suitable due to the “card in field” timing issues.

Cardholder puts the card near to the PoS and pulls it back. Offline PIN verification will require the card to be remain in the field until PIN verification completes.

The specifications for contactless transactions specifically exclude the use of offline PIN verification (full details in [6] Book A section 5.9.3). Contactess offline PIN verification requires the PIN to be transmitted wirelessly to the card which poses a security risk from eavesdropping. Surprisingly many of the contact- less cards currently in circulation in the UK allow access to offline verify PIN.

This is completely out of specification if UK banks were/are allowing offline PIN without persistent PIN Try Counter and unlimited consecutive contactless payments.

EMV contact/contactless cards have 3-5 year validity. So modern NFC cards might be complying with the specifications, atleast in countries where NFC payment support has just arrived.

defalt
  • 6,231
  • 2
  • 22
  • 37
  • Thanks for the detailed answer. I had a follow up question, but I felt that it warranted a separate post by itself. Please refer to [Manually sending PIN Change/Unblock Command to IC card](https://security.stackexchange.com/questions/239306/manually-sending-pin-change-unblock-command-to-ic-card) if interested. – OrangeJusticeV Oct 08 '20 at 15:19