A software hole in the credit card system will be open for years to come, according to MasterCard. The card payment system is too diverse and too complex to fix the issue overnight.
Security researchers are urging credit card providers to fix a so-called skimming hole in their electronic payment protocol, through which criminals can harvest PIN codes that can be used, along with the stolen cards, to empty bank accounts. Last March, security researchers presented a proof-of-concept exploit for the hole at the CanSecWest security conference.
The hole lies in the Europay, MasterCard and Visa (EMV) standard, a global standard for the interoperation of bank cards with built-in chips. Criminals can use the flaw to steal PIN codes which, combined with the stolen cards they belong to, let them drain the owners' bank accounts.
This is done by placing a so-called shim, a small circuit board, into a point-of-sale (POS) terminal to capture and store the PIN code. The shim can do that because the PIN is not encrypted: it is exchanged in plain text between the card and the terminal, so anything sitting in that path can read it.
EMVCo, the organization responsible for the payment standard, announced last May that the hole will not be fixed.
Fixing the hole is not necessary, EMVCo argued, because the security risk is relatively low. The organization pointed out that a skimmer still needs to steal the physical card to use with the captured PIN, and it is not yet possible to clone the EMV chips used in the cards.
While EMVCo won't say why it won't fix a hole in its own payment system, Jan Lundequist, senior business leader, head of chip product management and VP at MasterCard, is willing to explain why the hole is virtually impossible to repair: The EMV system is simply too complex for an easy fix.
"Why are we not able to solve this right away? There is a very simple explanation for that," Lundequist said in a phone interview late last month, in which he emphasized that he can only speak for MasterCard and not for other organizations.
The hole can be closed for the more secure Dynamic Data Authentication (DDA) cards, which hold their own key pair and can therefore receive the PIN encrypted under the card's public key instead of in plain text. This was done in the Netherlands by the local electronic payment authorities. DDA cards, however, are heavily outnumbered by older, less sophisticated Static Data Authentication (SDA) cards, which have no such key and cannot handle encrypted PIN transactions.
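The plaintext-versus-encrypted distinction above (and the shim described earlier) comes down to one command on the card interface, the EMV VERIFY command. The following is an added example, not code from the article, from MasterCard or from EMVCo: it decodes what a shim in the card slot would see, assuming the VERIFY command encoding and plaintext PIN block layout from EMV Book 3 (P2 = 0x80 plaintext, P2 = 0x88 enciphered). The two APDUs at the bottom are constructed for illustration, not captured traffic.

```python
# Added example (not from the article): what a shim between a POS terminal and an
# EMV card learns from one VERIFY command APDU. Command encoding and plaintext
# PIN block layout follow EMV Book 3 (assumed here, not quoted from the article).

CLA_INS_VERIFY = (0x00, 0x20)
P2_PLAINTEXT_PIN = 0x80    # plaintext offline PIN block (SDA and DDA cards)
P2_ENCIPHERED_PIN = 0x88   # PIN block enciphered with the card's public key (DDA/CDA cards)


def decode_plaintext_pin_block(block: bytes) -> str:
    """Recover the PIN digits from an 8-byte EMV plaintext PIN block.

    Layout: control nibble 0x2, PIN length nibble (4..12), PIN digits as BCD,
    then 0xF filler to the end of the block.  e.g. 24 12 34 FF FF FF FF FF -> "1234"
    """
    if len(block) != 8:
        raise ValueError("plaintext PIN block must be 8 bytes")
    nibbles = []
    for b in block:
        nibbles.append(b >> 4)
        nibbles.append(b & 0x0F)
    if nibbles[0] != 0x2:
        raise ValueError("bad control field")
    length = nibbles[1]
    if not 4 <= length <= 12:
        raise ValueError("PIN length out of range")
    digits = nibbles[2:2 + length]
    if any(d > 9 for d in digits):
        raise ValueError("non-decimal PIN digit")
    if any(n != 0xF for n in nibbles[2 + length:]):
        raise ValueError("bad filler")
    return "".join(str(d) for d in digits)


def sniff_verify(apdu: bytes) -> dict:
    """Classify one terminal-to-card command APDU and extract the PIN if it is readable."""
    if len(apdu) < 5 or (apdu[0], apdu[1]) != CLA_INS_VERIFY:
        return {"command": "other", "pin": None}
    p2, lc = apdu[3], apdu[4]
    data = apdu[5:5 + lc]
    if len(data) != lc:
        raise ValueError("truncated APDU")
    if p2 == P2_PLAINTEXT_PIN:
        # The SDA case from the article: the PIN crosses the interface in the clear.
        return {"command": "VERIFY plaintext", "pin": decode_plaintext_pin_block(data)}
    if p2 == P2_ENCIPHERED_PIN:
        # The DDA case: the data is an RSA ciphertext the length of the card's modulus.
        # Only the card holds the private key, so the shim learns nothing usable.
        return {"command": "VERIFY enciphered", "pin": None, "ciphertext_len": len(data)}
    return {"command": "VERIFY unknown P2", "pin": None}


# Constructed sample APDUs (not captured from any real terminal or card).
PLAINTEXT_APDU = bytes.fromhex("00200080" "08" "241234FFFFFFFFFF")
# 128 bytes of filler standing in for a ciphertext under a 1024-bit card key.
ENCIPHERED_APDU = bytes.fromhex("00200088" "80") + bytes((i * 37 + 11) & 0xFF for i in range(128))


if __name__ == "__main__":
    for apdu in (PLAINTEXT_APDU, ENCIPHERED_APDU):
        print(apdu[:5].hex(), sniff_verify(apdu))
```

Running it shows the asymmetry the article describes: the plaintext APDU yields the PIN "1234" directly, while the enciphered one yields only a 128-byte blob. Moving a country to enciphered PIN is therefore a change on both sides of the slot, which is why the terminal and card counts quoted below matter.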
"In the EMV MasterCard accepting network we have close to 20 million EMV point-of-sale terminals around the world, and close to 600 million EMV cards. Many of them actually do not even support the more modern offline encrypted PIN protocol the Dutch cards are using. So they still rely either on plain text PIN or on signature, simply because that's the historical legacy and the security risk-versus-cost trade-off," he said. That trade-off was made more than 10 years ago.
This means that MasterCard and the other companies that manage the EMVCo protocol -- Visa, American Express and JCB International -- are not able to fix the issue in their own system in the near future.
"In the short term there is nothing we can do about it," said Lundequist. He points out that every country has its own ways of implementing the EMV system, and that older POS terminals cannot always handle new software or firmware.
To fix the issue, a large number of terminals and cards would have to be replaced, a costly operation. "Let's say that it was technically possible, which I'm not convinced that it is in an easy way, it would still require in that theoretical scenario the modification of all terminals worldwide," Lundequist said. The security of the EMV protocol will improve, but it will be a gradual and slow process, he said.
Lundequist furthermore points out that there are many other ways to harvest someone's PIN code, like shoulder surfing. He reckons the hole in the EMV protocol is a far more sophisticated way to steal a PIN, and therefore it is not really likely to be exploited. "I think that is an incredibly important distinction. The main objective of EMV in this context is to combat counterfeiting of cards. Of course all types of frauds need to be combated, but we need to look at it in that context."