Payment systems. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2015

Similar documents
Payment systems. Tuomas Aura T Information security technology

Payment systems. Tuomas Aura T Information security technology. Aalto University, autumn 2012

Electronic Payments Part 1

Electronic Payments. EITN40 - Advanced Web Security

Securing Card-Not-Present Transactions through EMV Authentication. Matthew Carter and Brienne Douglas December 18, 2015

A Guide to EMV. Version 1.0 May Copyright 2011 EMVCo, LLC. All rights reserved.

Chip and PIN is Broken a view to card payment infrastructure and security

EMV: Integrated Circuit Card Specifications for Payment Systems

Electronic Cash Payment Protocols and Systems

Chip & PIN is definitely broken. Credit Card skimming and PIN harvesting in an EMV world

The Canadian Migration to EMV. Prepared By:

Cryptography: Authentication, Blind Signatures, and Digital Cash

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

Formal analysis of EMV

An Analysis of the Bitcoin Electronic Cash System

Smart Cards for Payment Systems

M/Chip Functional Architecture for Debit and Credit

How To Protect A Smart Card From Being Hacked

Fundamentals of EMV. Guy Berg Senior Managing Consultant MasterCard Advisors

welcome to liber8:payment

Visa Recommended Practices for EMV Chip Implementation in the U.S.

Distributed Public Key Infrastructure via the Blockchain. Sean Pearl April 28, 2015

EMV and Small Merchants:

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means

EMV : Frequently Asked Questions for Merchants

EMV Frequently Asked Questions for Merchants May, 2014

Preparing for EMV chip card acceptance

How Secure are Contactless Payment Systems?

Relay attacks on card payment: vulnerabilities and defences

EMV and Restaurants: What you need to know. Mike English. October Executive Director, Product Development Heartland Payment Systems

INTRODUCTION AND HISTORY

PCI and EMV Compliance Checkup

What Merchants Need to Know About EMV

Mitigating Fraud Risk Through Card Data Verification

Prevention Is Better Than Cure EMV and PCI

PayPass M/Chip Requirements. 10 April 2014

EMV: A to Z (Terms and Definitions)

Card Technology Choices for U.S. Issuers An EMV White Paper

EMV and Restaurants What you need to know! November 19, 2014

Bitcoin: A Peer-to-Peer Electronic Cash System

Why Cryptosystems Fail. By Ahmed HajYasien

Corbin Del Carlo Director, National Leader PCI Services. October 5, 2015

Securing the Payments System. The facts about fraud prevention

Introductions 1 min 4

Payments Transformation - EMV comes to the US

PCI 3.1 Changes. Jon Bonham, CISA Coalfire System, Inc.

Chip & PIN is definitely broken v1.4. Credit Card skimming and PIN harvesting in an EMV world

Heartland Secure. By: Michael English. A Heartland Payment Systems White Paper Executive Director, Product Development

Euronet s EMV Chip Solutions Superior Protection with Enhanced Security against Fraud

Using the Bitcoin Blockchain for secure, independently verifiable, electronic votes. Pierre Noizat - July 2014

Credit Card Processing Overview

Credit card: permits consumers to purchase items while deferring payment

toast EMV in 2015: How Restaurants Can Prepare for the New Chip-and-Pin Standard

EMV EMV TABLE OF CONTENTS

Figure 1: Attacker home-made terminal can read some data from your payment card in your pocket

SMARTCARD FRAUD DETECTION USING SECURE ONETIME RANDOM MOBILE PASSWORD

Consumer FAQs. 1. Who is behind the BuySafe initiative? 2. Why should I use a PIN? 3. Do all transactions need a PIN?

Guide to Data Field Encryption

JCB Terminal Requirements

Mobile and Contactless Payment Security

Emerging Trends in the Payment Ecosystem: The Good, the Bad and the Ugly DAN KRAMER

MOBILE CHIP ELECTRONIC COMMERCE: ENABLING CREDIT CARD PAYMENT FOR MOBILE DEVICES

Security Failures in Smart Card Payment Systems: Tampering the Tamper-Proof

Advanced Authentication

Stronger(Security(and( Mobile'Payments'! Dramatically*Faster!and$ Cheaper'to'Implement"

PREVENTING PAYMENT CARD DATA BREACHES

THE ROAD TO U.S. EMV MIGRATION Information and Strategies to Help Your Institution Make the Change

MasterCard PayPass. M/Chip, Acquirer Implementation Requirements. v.1-a4 6/06

What Issuers Need to Know Top 25 Questions on EMV Chip Cards and Personalization

CardControl. Credit Card Processing 101. Overview. Contents

EMV FAQs. Contact us at: Visit us online: VancoPayments.com

The World of Emerging Payment Systems A Brief Introduction

Using EMV Cards to Protect E-commerce Transactions

Overview of Contactless Payment Cards. Peter Fillmore. July 20, 2015

White Paper. EMV Key Management Explained

DEBIT and CREDIT CARDS

EMVCo Letter of Approval - Contact Terminal Level 2

Understand the Business Impact of EMV Chip Cards

Pima Federal Visa Credit Cards Frequently Asked Questions (FAQs)

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Acquirer Device Validation Toolkit (ADVT)

A Guide to EMV Version 1.0 May 2011

bi on Solution white paper

Payment Methods. The cost of doing business. Michelle Powell - BASYS Processing, Inc.

Be*PINWISE Cardholder FAQs

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn

Security in Electronic Payment Systems

Payments Fraud: It's Not Fun & Games

Banking Security Architecture

Enhancing Payment Card Security New Measures to be Phased in from 2 nd Quarter 2010 to 1 st Quarter 2011

Steps for staying PCI DSS compliant Visa Account Information Security Guide October 2009

Transcription:

Payment systems Tuomas Aura CSE-C3400 Information security Aalto University, autumn 2015

Outline 1. Card payment 2. (Anonymous digital cash) 3. Bitcoin 2

CARD PAYMENT 3

Bank cards Credit or debit card features Card number, card holder, expiration date, CVV2 Magnetic stripe Chip in integrated circuit card (ICC) Contactless (NFC) interface Card holder signature Hologram PIN Terminal types Point of sale (POS) Automated teller machine (ATM) = cash machine [Picture: www.korttiturvallisuus.fi, Nets Oy] 4

Historical mag-stripe bank cards Outdated technology but good to know for comparison Magnetic stripe contains card number, holder name, expiration date, service code, PVKI, PVV, CVV1 CVV1 is a cryptographic MAC of the PAN, name, expiration and service code (based on 3DES) It is possible to copy but not change the mag stripe data PIN is a function of data on mag stripe and a secret key offline PIN verification at disconnected POS or ATM Offline terminals have a security module to store the card and PIN verification keys Service code: e.g. Visa Electron 121 where 2=online only CVV2 to make online fraud harder 3-4 digits printed on card but not on mag stripe Required for card-not-present transactions (web and phone) Verified but not stored by merchant safe from server hacking Vulnerable to phishing, though 5

Mag-stripe Visa PIN verification Input from magnetic stripe: Primary account number (PAN) i.e. 15-digit card number PIN verification key indicator (PVKI, one digit 1..6) PIN verification value (PVV, 4 decimal characters) Verifier must have PIN verification key (PVK, 128-bit 3DES key) PVKI is an index of PVK to enable key updates for PVK Create security parameter (TSP): 1. Concatenate 11 rightmost digits of PAN, PVKI and PIN 2. The 16-digit concatenation is one hexadecimal DES block PVV generation: 1. 3DES encryption of TSP with the key PVK 2. Decimalization of the encryption result to 4-digit PVV This slide is not important but fun to know Decimalization happens by taking the 4 leftmost digits 0..9 from the hexadecimal encrypted block If less than 4 such digits, take 4 first digits A..F and map A=0,B=1,C=3 [For details see IBM] 6

Chip-and-PIN bank cards EMV standard (Europay, Mastercard, Visa) Smart card chip (ICC) on the bank card Tamperproof ICC stores the private key for cryptographic (RSA) signatures Card also contains a certificate Online vs. offline PIN verification Online: PIN sent to card issuer for verification Offline used mainly for credit, online for debit Online vs. offline authorization Cash withdrawal from ATM always online Some cards, e.g. Visa Electron always online 7

Offline transactions Three levels of secure offline transactions: 1. Static data authentication (SDA): Certificate verification only; no longer used in Finland because the certificate can be copied 2. Dynamic data authentication (DDA): Card signs a random challenge sent by terminal with RSA; terminal verifies certificate and signature Currently main offline payment method 3. Combined DDA and application cryptogram (CDA): Card signs transaction details incl. random challenge Card holder is authenticated with PIN or signature PIN usually sent to the card, which answers yes/no Offline risk parameters on the card limit offline transactions 8

Contactless (NFC) payment Fast DDA (fdda) optimized signed message for contactless transactions No PIN verification Risk parameters for maximum offiline use After a certain number of transactions and total amount of money spent, an online contact transaction with PIN is required Soft and hard limits: after soft limit, online transaction is preferred but not required Hard limits prevent some uses, e.g. busses Picture: visa.ca 9

EMV security issues Not possible to copy the chip Mag stripe can still be copied Possible to create a copy of the mag stripe, which cam still be used in the USA or as the fallback method after (pretended) chip failure Mag stripe data can also be read from the chip PIN used more frequently easier to capture Shoulder surfing, skimming, malicious payment terminals 10

ANONYMOUS PAYMENTS 11

Anonymous digital cash David Chaum 1982, later DigiCash product never launched Participants: bank, buyer Alice, merchant Bob 1. Bank issues coin Bank 3. Bob deposits coin Never really used but influential idea: every anonymous payment system will need to consider the same requirements Alice buyer 2. Alice spends coin Bob merchant Issuing and spending events unlinkable by bank and merchant: Not transferable, must be deposited to bank after one use Uses blind signatures: bank signs coins without seeing them Double-spending detection 12

Blind signature Idea 1: blind signature: Bank has an RSA signature key pair key (e,d,n) for signing 1 coins (and different keys for 10, 100,...) 1. Alice creates a coin from random serial number SN and redundant padding required for the RSA signature; Alice generates a random number R, computes coin R e mod n, and sends this to the bank 2. Bank computes (coin R e ) d mod n = coin d R mod n and sends this to Alice 3. Alice divides with R to get the signed coin coin d mod n Bank has signed the coin without seeing it and cannot link the coin to Alice Alice can pay 1 to Bob by giving him the coin Bob deposits coin to bank; bank checks signature and only accepts each coin once Double-spending: Buyers are anonymous; if someone pays the same coin to two merchants, who was it? 13

Double-spending detection Idea 2: double-spending detection with secret splitting Alice computes SN = h( h(a,c) h(a xor Alice,D) ) where A,C,D is a random number After Alice has given the coin to Bob for bind signing, Bob decides which it wants to see: either h(a,c),a xor Alice,D or A, C, h(a xor Alice,D) Bob can check that the values are correct by recomputing SN Neither choice reveals the name Alice, but together they do In double spending, Alice reveals her name with 50% probability Make each 1 coin of k separately signed sub-coins double-spender name revealed with probability p = 1-2 -k Coins will be quite large: k=128 with 2048-bit RSA signatures makes 32kB/coin One more problem: What forces Alice to compute SN correctly? How can the bank check the contents of the message that it signs blindly? 14

Idea 3: cut and choose Cut and choose Alice creates k pairs of sub-coins for signing Bank asks Alice to reveal N for one sub-coin in each pair and signs the other one probability of detecting malformed coins is p = 1-2 -k Alice can make anonymous payments but will be caught with probability p = 1-2 -k if she tries to create an invalid coin or spend the same coin twice 15

BITCOIN 16

Background info: hash chain Record 1 New data Record 2 Record 3 Record 4 Hash h1 Hash h2 Hash h3 h4 New data New data New data h1=h(data1,0) h2=h(data2,h1) h3=h(data3,h2) Cumulative hash of data Backward-linked list, with a hash value as the unambiguous reference to the previous records Verifying that some data is in the chain costs O(N) Appending a data item costs O(1), but updating the hash costs O(N) if earlier data changes 17

Background info: Merkle tree Binary or n-ary tree of hash values Verifying the presence of data costs O(log N) both for computation and communication Adding new data or updating old data costs O(log N) h18 (root) h14 h58 h12 h34 h56 h78 h1 h2 h3 h4 h5 h6 h7 0 data data data data data data data 18

Bitcoin Created in 2008 by pseudonym Satoshi Nakamoto Transferable digital money Based on cryptographic signatures and hash functions P2P system, no central bank or trusted issuer Fair, competitive mechanism for the initial issue Money distributed in proportion to waster CPU power Amount of money in circulation capped Supposedly similar to gold (is it?) Max 21 million BTC Coins can be subdivided to 0.00000001 BTC Is it anonymous? 19

Bitcoin transaction Direct transactions between public key pairs: Transaction record contains (1) inputs, (2) outputs Input info: (a) references to the previous transactions i.e. when did the payer(s) receive this money, (b) payer signature(s) Output info: (a) payee public key hashes, (b) transfer amounts Total inputs from previous transactions must be total outputs h in: references to previous transactions out: public key hashes, amounts BTC Payers signatures 0.1 BTC 0.01 BTC PK1 PK2 History of signed transactions proves who has the money now Need to know the complete history of all transactions ever! Questions: How to bundle received small outputs, or get change for a large input? What happens if the outputs inputs? Who stores the history and checks the signatures? 20

Transaction history Transaction A in: references to previous transactions out: 0.2 BTC to PK4 PK1 signature Transaction B in: references to previous transactions out: 0.1 BTC to PK4 PK2 signatures Transaction C in: references to previous transactions out: 0.03 BTC to PK5; 0.03 BTC to PK6 PK3 signature Transaction D in: references to transactions A, B and C out: 0.33 BTC to PK7 PK4 and PK5 signatures Transaction E in: reference to transaction C out: 0.01 BTC to PK7 0.015 BTC to PK8 PK6 signature To transaction fees 0.005 BTC (what is left over) Transaction F in: references to transactions D and E out: 0.34 BTC to PK9 PK7 signature PK8 Unreclaimed 0.015 BTC PK9 has this money now Unreclaimed 0.34 BTC PK8 has this money now PK9 21

Double spending Transaction A in: references to previous transactions out: 0.1 BTC to PK2 Transaction B in: reference to transaction A out: 0.1 BTC to PK3 PK2 signature? PK2 Transaction C PK1 signature in: reference to transaction A PK4 out: 0.1 BTC to PK4 PK2 signature PK3 How to prevent double (or over) spending? 22

Public transaction log Public transaction log of all past transactions: Log of all transactions ever made including the signatures Updated every 10 minutes, on the average Used to check for double spending Block chain: public chain of log entries, updated every 10 minutes Block contains hash of the previous block and Merkle hash of new transactions The latest block is, in effect, a hash of all transactions ever Log size grows over time Q: Who can be trusted to maintain the log? A: global P2P network h Block k-2 hash of block k-3, Merkle hash tree of new transactions, time, nonce, and other info h Block k-1 hash of block k-2, Merkle hash tree of new transactions, time, nonce and other info h Block k hash of block k-1, Merkle hash tree of new transactions, time, nonce, and other info 23

Mining Anyone can add blocks to the block chain To do so, you must perform proof of work i.e. solve a cryptographic puzzle with adjustable difficulty, which requires you to do a brute-force search Find a nonce (any number) such that the SHA-256 hash of the block is smaller than a target value h( block header, nonce ) target 256-bit value The first to find a solution gets a reward and everyone moves to search for the next block The difficulty of the next block is adjusted to keep the predicted block generation time at 10 minutes Issuing coins The reward for generating a new block is new BTC (currently 25 BTC per bock) this is how the coins are initially issued! Transactions may also include a small transaction fee to encourage mining eventually the only reason to mine 24

Security of the block chain Block k Block k+1 Block k+2 Block k+1 Block k+2 Block k+3 Block k+4 Double spending detection depends on the block chain not branching Client software always chooses the longest branch if many are available After receiving the payment, sellers publish the transaction to the P2P network and wait until 6 new blocks include it (~1 hour) then the transaction is complete If someone controls more than 50% of the global hash rate, they can double spend 25

Bitcoin philosophy Anonymous transactions like cash money? Not exactly: input and output linkable, unlike in DigiCash Signature keys own money, not users Digital equivalent of gold: Limited supply on earth Cannot be controlled or inflated by a government Opposition to current monetary policy (quantitative easing) Potential problems: Exchange rate volatility Unlike gold; competing electronic currencies are easy to create Max transaction rate ~21M BTC / hour, 60-minute latency Security based on wasting hardware and energy in hash computation Security reduced if there are many such currencies (mining capacity can move around) Favorite currency for drug trade and other crime but maybe this is why it will succeed? Tax authorities will be interested Market bubble? 26

Possible security issues No way to reverse transaction without the payee s cooperation Block chain branching, double spending Should to wait 60 minutes or more to confirm a transaction Software bugs Bank robbery by hackers Malware attacks against wallets Police and government attempts to control Silk Road raided by FBI in Oct 2013 Competing digital currencies are easy to create and could be mandated 27

Why would anyone use Bitcoin? Even the most dysfunctional money is better than not having a means for economic exchange 28

Reading material Ross Anderson: Security Engineering, 2nd ed., chapter 10 Interesting reading online: University of Cambridge Security Group: http://www.cl.cam.ac.uk/research/security/banki ng/ BitCoin wiki: https://en.bitcoin.it/wiki/main_page 29

Exercises What are the main threats in a) online card transactions? b) POS transactions? c) ATM cash withdrawals? What differences are there in the way credit cards and bank debit cards address these threats? Could you (technically) use bank cards or credit cards a) as door keys? b) as bus tickets? c) for strong identification of persons on the Internet? (This question may require quite a bit of research.) How could a malicious merchant perform a man-in-the-middle attack against chipand-pin transactions? When a fraudulent bank transaction occurs, who will suffer the losses? Find out about the regulation and contractual rules on such liability. Bank security is largely based on anomaly detection and risk mitigation. In what ways could a bank reduce the risk of fraud in mag-stipe or chip-and-pin payments? Even though DigiCash coins are unlinkable, what ways are there for the merchant or bank (or them together) to find out what Alice buys? Find a Bitcoin block explorer web site with the full transaction record and browse around. Find the latest blocks and transactions, and the first block ever. See how the mining difficulty has changed over time. 30

The course ends, what next? CSE-C3400 - Information Security (Tuomas Aura, period I) soon done! T-110.5241 - Network Security (Tuomas Aura, period II) CSE-E5480 - Mobile Systems Security (N. Asokan, spring) T-110.5102 - Laboratory Works in Networking and Security (spring) T-110.6220 - Special Course in Information Security P (mainly spring) T-79.4502 - Cryptography and Data Security (Kaisa Nyberg, autumn) T-79.5501 - Cryptology P (Kaisa Nyberg, spring) CSE-E5000 - Seminar on Software Systems, Technologies and Security (autumn) CSE-E5000 - Seminar on Software Systems, Technologies and Security (spring) ELEC-E7470 - Cybersecurity L (Jarno Limnell, spring) CSE-E5002 - Special Assignment in Software Systems, Technologies and Security 31

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information