The EMV Standard: Break, Fix, Verify

EMV is the international protocol standard for smartcard payment and is used in over 9 billion cards worldwide. Despite the standard's advertised security, various issues have been previously uncovered, deriving from logical flaws that are hard to spot in EMV's lengthy and complex specification, running over 2,000 pages. We formalize a comprehensive symbolic model of EMV in Tamarin, a state-of-the-art protocol verifier. Our model is the first that supports a fine-grained analysis of all relevant security guarantees that EMV is intended to offer. We use our model to automatically identify flaws that lead to two critical attacks: one that defrauds the cardholder and another that defrauds the merchant. First, criminals can use a victim's Visa contactless card for high-value purchases, without knowledge of the card's PIN. We built a proof-of-concept Android application and successfully demonstrated this attack on real-world payment terminals. Second, criminals can trick the terminal into accepting an unauthentic offline transaction, which the issuing bank should later decline, after the criminal has walked away with the goods. This attack is possible for implementations following the standard, although we did not test it on actual terminals for ethical reasons. Finally, we propose and verify improvements to the standard that prevent these attacks, as well as any other attacks that violate the considered security properties. The proposed improvements can be easily implemented in the terminals and do not affect the cards in circulation.

[1]  Bruno Blanchet,et al.  An efficient cryptographic protocol verifier based on prolog rules , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[2]  Stéphanie Delaune,et al.  A Symbolic Framework to Analyse Physical Proximity in Security Protocols , 2018, FSTTCS.

[3]  Budi Arief,et al.  Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards Without the PIN , 2014, CCS.

[4]  Andrew D. Gordon,et al.  Verified Interoperable Implementations of Security Protocols , 2006, CSFW.

[5]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[6]  Joeri de Ruiter,et al.  Formal Analysis of the EMV Protocol Suite , 2011, TOSCA.

[7]  Kevin Fu,et al.  Vulnerabilities in First-Generation RFID-Enabled Credit Cards , 2007, Financial Cryptography.

[8]  Cas J. F. Cremers,et al.  Operational Semantics and Verification of Security Protocols , 2012, Information Security and Cryptography.

[9]  Cas J. F. Cremers,et al.  A Comprehensive Symbolic Analysis of TLS 1.3 , 2017, CCS.

[10]  David Naccache,et al.  When organized crime applies academic results: a forensic analysis of an in-card listening device , 2015, Journal of Cryptographic Engineering.

[11]  Ralf Sasse,et al.  A Formal Analysis of 5G Authentication , 2018, CCS.

[12]  David A. Basin,et al.  Know Your Enemy: Compromising Adversaries in Protocol Analysis , 2014, TSEC.

[13]  David A. Basin,et al.  The TAMARIN Prover for the Symbolic Analysis of Security Protocols , 2013, CAV.

[14]  Sjouke Mauw,et al.  Distance-Bounding Protocols: Verification without Time and Location , 2018, IEEE Symposium on Security and Privacy.

[15]  David Chaum,et al.  Distance-Bounding Protocols (Extended Abstract) , 1994, EUROCRYPT.

[16]  Andrea Ciardulli,et al.  Long Distance Relay Attack , 2013, RFIDSec.

[17]  Steven J. Murdoch,et al.  Keep Your Enemies Close: Distance Bounding Against Smartcard Relay Attacks , 2007, USENIX Security Symposium.

[18]  Yvo Desmedt,et al.  Identification Tokens - or: Solving the Chess Grandmaster Problem , 1990, CRYPTO.

[19]  Gavin Lowe,et al.  A hierarchy of authentication specifications , 1997, Proceedings 10th Computer Security Foundations Workshop.

[20]  Burkhard Stiller,et al.  An NFC Relay Attack with Off-the-shelf Hardware and Software , 2016, AIMS.

[21]  Mike Bond,et al.  Chip and Skim: Cloning EMV Cards with the Pre-play Attack , 2012, 2014 IEEE Symposium on Security and Privacy.

[22]  Gerhard P. Hancke,et al.  Practical Relay Attack on Contactless Transactions by Using NFC Mobile Phones , 2011, IACR Cryptol. ePrint Arch..

[23]  Josef Langer,et al.  Cloning Credit Cards: A Combined Pre-play and Downgrade Attack on EMV Contactless , 2013, WOOT.

[24]  Ben Smyth,et al.  Modelling and Analysis of a Hierarchy of Distance Bounding Attacks , 2018, USENIX Security Symposium.

[25]  Mike Bond,et al.  2010 IEEE Symposium on Security and Privacy Chip and PIN is Broken , 2022 .

[26]  Rolando Trujillo-Rasua,et al.  Post-Collusion Security and Distance Bounding , 2019, CCS.

[27]  Stéphanie Delaune,et al.  Symbolic Verification of Distance Bounding Protocols , 2019, POST.

[28]  David A. Basin,et al.  Automated Analysis of Diffie-Hellman Protocols and Advanced Security Properties , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[29]  Tom Chothia,et al.  Relay Cost Bounding for Contactless EMV Payments , 2015, Financial Cryptography.