2

Would chip-and-PIN have prevented the Target breach?

As we all know, Target was breached and the hackers stole lots of credit card numbers. Target is now advocating for chip-and-PIN, as a way to provide better security for credit cards. This makes me wonder. If chip-and-PIN had been in place, would it have prevented the breach? Or would the attack still have been possible (merely forcing the attackers to shift their methods slightly)? Is this just PR, or would chip-and-PIN have made a significant difference against the kind of attack seen in the Target breach?

Recall that, in the Target breach, the attackers were able to compromise Target's point-of-sale terminals: not just one of them, but all of them. Is chip-and-PIN secure in that threat model, where the attacker controls the point-of-sale terminals?

Does it depend upon whether credit cards contain both a chip and a magstripe (for backwards compatibility with legacy systems), or if they contain just the chip (and no backwards compatibility)? My impression is that the way this gets deployed is: first we have credit cards that support both chip-and-PIN as well as a legacy magstripe; then after some period of time, when there is sufficient deployment of the chip-and-PIN terminals, then credit card companies might start providing credit cards that have only the chip but not the magstripe. Does that affect the analysis? For instance, is the answer that if credit cards had both the chip and the magstripe, then a compromised point-of-sale terminal can steal the credit card number and CVV off the magstripe and then clone the card, but if credit cards had only a chip, then they couldn't?

D.W.
  • Isn't the target breach based upon compromised terminals? In which case, no amount of encryption on the card itself will help. What would be interesting to find out is where the original infection occurred, since the POS machines must have been connected to a machine that must've been exposed to the malware. It's either going to be infected media like usb, or through the web. If it's the latter, then it's fairly certain someone else out there has got it. – mincewind Dec 19 '14 at 09:26

2 Answers

7

That depends on what you mean by "prevented".

EMV is only used for transactions where both the card and the cardholder are present; it wasn't designed to improve the security of card not present (CNP) transactions. This has some implications on what an attacker can do with stolen credit card data.

Physical transactions

If all merchants and cards were using EMV exclusively today, then the stolen magstripe data would be worthless for physical transactions – there would simply be no opportunity to use a cloned magstripe.

EMV transactions are active in the sense that there is a "conversation" between the card's chip and the issuing bank, mediated by the terminal. Basically, the bank asks the card to sign the transaction details using a cryptographic key that never leaves the card. Making a copy of an EMV card is therefore assumed to be impossible. (Magstripe cards are passive in that anybody who knows the contents of the magnetic stripe is able to authorize transactions; it is trivial to create a duplicate of such a card.)

Unfortunately, EMV is widespread, but still not ubiquitous; as long as there is a single remaining magstripe-only ATM or merchant on the planet, cards will continue to be equipped with a magnetic stripe, and skimming will continue to be a problem.

Remote (CNP) transactions

The problem is that the credit card details on the magnetic stripe can also be used for CNP transactions in some cases. CNP transactions usually require the card number, cardholder name and expiry date; all those values are stored on the magnetic stripe as well. To address this problem, card networks have designed the CVC2/CVV2; a number that is only printed on the card, but not included in the magnetic stripe data.

However, not all merchants use that value – for example, Amazon (at least in my country) doesn't require it. Thus someone performing a card skimming attack would be able to use the captured card details to make fraudulent purchases at any online or phone/mail order merchant that doesn't require the CVC2/CVV2.

lxgr
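A simplified model of the passive-versus-active distinction described in the answer above, added here as an illustration and not part of the original answer. HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the `Issuer` and `ChipCard` classes, the transaction counter check, the card number and the amounts are all constructed for the example.

```python
import hashlib, hmac, os

def mac(key, amount, nonce, atc):
    # Stand-in cryptogram: HMAC-SHA256 over the transaction details (assumption).
    msg = b"|".join([str(amount).encode(), nonce, str(atc).encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()

class Issuer:
    def __init__(self):
        self.keys, self.last_atc, self.static = {}, {}, {}
    def enroll(self, pan, expiry, cvv2):
        self.keys[pan], self.last_atc[pan] = os.urandom(16), 0
        self.static[pan] = (expiry, cvv2)
        return self.keys[pan]  # personalised into the chip, never on the stripe
    def approve_magstripe(self, pan, expiry):
        # Passive card: knowing the stripe contents is enough.
        return self.static.get(pan, (None,))[0] == expiry
    def approve_cnp(self, pan, expiry, cvv2=None, require_cvv2=True):
        ok = self.approve_magstripe(pan, expiry)
        return ok and (not require_cvv2 or cvv2 == self.static[pan][1])
    def approve_chip(self, pan, amount, nonce, atc, cryptogram):
        if atc <= self.last_atc[pan]:  # counter must advance: blocks replay
            return False
        if not hmac.compare_digest(mac(self.keys[pan], amount, nonce, atc), cryptogram):
            return False
        self.last_atc[pan] = atc
        return True

class ChipCard:
    def __init__(self, key):
        self._key, self.atc = key, 0  # key never leaves the card
    def sign(self, amount, nonce):
        self.atc += 1
        return self.atc, mac(self._key, amount, nonce, self.atc)

def demo():
    issuer, pan, expiry = Issuer(), "4000000000000002", "2912"  # constructed values
    card = ChipCard(issuer.enroll(pan, expiry, cvv2="123"))
    nonce = os.urandom(4)
    atc, arqc = card.sign(1999, nonce)  # a compromised terminal sees all of these
    return {
        "genuine_chip": issuer.approve_chip(pan, 1999, nonce, atc, arqc),
        "replayed_chip": issuer.approve_chip(pan, 1999, nonce, atc, arqc),
        "altered_amount": issuer.approve_chip(pan, 50000, nonce, atc + 1, arqc),
        "cloned_magstripe": issuer.approve_magstripe(pan, expiry),
        "cnp_no_cvv2": issuer.approve_cnp(pan, expiry, require_cvv2=False),
        "cnp_with_cvv2": issuer.approve_cnp(pan, expiry, require_cvv2=True),
    }

if __name__ == "__main__":
    print(demo())
```

The captured cryptogram is useless for a second or altered transaction, while the static number and expiry date still pass wherever a magstripe or a CVC2-less remote order is accepted.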
2

Doesn't seem so.

Quote from Brian Krebs' article The Target Breach, By the Numbers (emphasis mine):

0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions).

Tyler Szabo
    That's very interesting. I'd be interested in seeing the technical details/analysis to explain/justify that statement. Meanwhile, on a comment thread, a commentator states that the card number is not given to the terminal (only an Authorized Request Cryptogram (ARQC), which is an encrypted message that can be decrypted by the acquirer). I'm struggling to reconcile these two statements. I wonder if it depends upon whether chip-and-PIN is used in a backwards compatible way (with both a magstripe and chip on the card) or if the card has just the chip but not a magstripe any longer? – D.W. May 24 '14 at 06:33