Explore the vulnerabilities and failures of EMV smartcard payment systems in this Black Hat conference talk. Delve into the history of EMV implementation, its theoretical security benefits, and the practical challenges that have led to increased fraud. Examine fascinating attack vectors, including supply chain Trojans, protocol flaws enabling PIN bypass, and exploitation of freshness mechanisms. Analyze the governance and regulatory issues contributing to these security shortcomings. Learn about specific attacks like the "preplay" method, which mimics card cloning and undermines tamper-resistant electronics. Gain insights into the complex interplay between vendors, banks, merchants, and regulators in the EMV ecosystem. Understand the broader implications of these security failures as EMV technology expands globally, particularly focusing on its rollout in the United States.
Overview
Syllabus
Intro
The EMV protocol suite
Concept of operations
Fraud history, UK
Attack the crypto
Attack the optimisations
What about a false terminal?
Attacks in the real world
A normal EMV transaction
Blocking the 'No-PIN' attack
Card Authentication Protocol
CAP attacks through wicked shops
The preplay attack
Back end failures too...
Attack scale
Broader lessons
Taught by
Black Hat
