Analysis of the real security of microprocessor card operations

Tomcat

For more than five years the banking world has been migrating to smart card technology. The migration to the chip can hardly be called smooth, but nevertheless, as of October 2008, the MasterCard, VISA and JCB payment systems had issued about 730 million EMV cards, serviced in 9.9 million EMV-capable POS terminals.

EMVCo data on the number of EMV cards and terminals at the beginning of 2009 are presented in Table 6.8.

Tab. 6.8. EMVCo data on the number of EMV cards and terminals at the beginning of 2009

Region         Share of EMV cards   Share of EMV POS terminals   Share of EMV ATMs
Whole world    22%                  37%                          19%
Europe         50%                  68%                          54%

At the same time, in 2008 the number of microprocessor cards grew by about 56%, the number of POS terminals by 83% and the number of ATMs by 68%.

The main results of the migration to microprocessor card technology were achieved mainly through the efforts of the European countries, followed by the countries of the Asia-Pacific region (about 3 times fewer microprocessor cards issued than in Europe) and of Latin America (about 9 times fewer than in Europe). In Europe at the beginning of 2009 every second card carried a microprocessor, and more than two thirds (68%) of all terminals were able to work with it. This in turn means that approximately 34% of all card purchases in Europe (0.5 * 0.68 = 0.34, treating the card and terminal shares as independent) were made at the beginning of the year using smart card technology.

The main incentive for banks to migrate to the chip remains the increased security of card transactions. The microprocessor undoubtedly raises the security of card transactions to a qualitatively new level, and the results of the migration confirm this: countries that have migrated to the chip have seen a significant drop in counterfeit card fraud, and in countries using Chip & PIN technology the volume of "stolen / lost / not received card" fraud has also decreased significantly.

The purpose of this section is to assess the real security of transactions with microprocessor cards under today's conditions, and also to describe the next steps being taken by the payment systems to increase the security of card transactions. We emphasize that we are assessing the security of operations under today's conditions, which are characterized by the following features:
  • uneven migration to the chip in different countries / markets;
  • the hybrid nature of microprocessor cards containing both a magnetic stripe and a chip;
  • the presence of a significant number of terminals that do not support chip technology (approximately 2/3 of all terminals);
  • the presence of a significant number of terminals that are unable to support cardholder verification using the PIN Offline method;
  • the fact that a significant proportion of issued microprocessor cards do not support dynamic offline authentication of the card application (SDA cards).

These features will be described in more detail below, but first let us dwell on the existing threats to the security of microprocessor card operations. Based on the experience of the payment systems and expert assessment, the threats on the issuing side include:
  • cloning of the magnetic stripe;
  • chip cloning;
  • CNP fraud;
  • stolen / lost cards;
  • virtual cloning of a chip card;
  • modification of the dialog between the card and the terminal.
The main threats on the acquiring side include:
  • injection of a false payment-system (CA) public key into the terminal;
  • substitution of the terminal in order to steal card data;
  • substitution / modification of the terminal software;
  • forgery by the point of sale of transaction data, for example of the cryptogram in the clearing presentment.

6.6.1. Card issuance fraud
Let us dwell on the above threats and the methods of dealing with them in more detail, starting with the issuing side. The subject of our further study is the hybrid card, which contains both a magnetic stripe and a chip.

6.6.1.1. Cloning the magnetic stripe of a hybrid card

Everywhere below, we will call a terminal magnetic if it is capable of processing operations only on magnetic cards, and hybrid if it processes operations on magnetic and microprocessor cards. We will use similar definitions for plastic cards.

By cloning the magnetic stripe of a hybrid card we mean the creation by fraudsters of an analogue of a bank card (based on the data of a real card issued by some bank of the payment system) for unauthorized use of this analogue (the counterfeit card) in the terminal network of the payment system under magnetic stripe technology. The ultimate goal of such use is for the fraudsters to obtain material benefit (services, goods, money).

It is important to note that a counterfeit card can be used in different ways depending on the situation. For example, a fraudster has no problem using the analogue of a hybrid card in a magnetic terminal. A problem does arise, however, when the fraudster presents the counterfeit card to a hybrid terminal: having established from the service code read from the magnetic stripe that the card contains a chip, the hybrid terminal must require the operation to be performed using chip technology. To get around this obstacle fraudsters use additional measures, discussed below. The point to emphasize here is that cloning a card means creating some analogue of the real card that fraudsters can use successfully in a certain set of terminals.

Obviously, in order to clone the magnetic stripe of a hybrid card, fraudsters first need to obtain data recorded on the magnetic stripe of some real card in order to subsequently transfer this data (possibly modifying it in a certain way) to a card blank intended to create a fake card. This data can be obtained in different ways. Some of them are listed below:
  • skimming at POS terminals and ATMs;
  • theft of data in communication channels;
  • theft of magnetic stripe data from a POS terminal or processing centre.

One of the most common ways of stealing real card data is skimming: the unauthorized reading and storing by fraudsters of the magnetic stripe data of a real bank card. The information obtained by skimming, possibly after some transformation, is written by the fraudsters onto the magnetic stripe of a stolen or purchased card blank, and the analogue of the card is ready for use.

There are many ways to skim. Let's briefly dwell on the most common methods.

The easiest way to skim is to use dishonest cashiers at retail outlets equipped with special pager-sized devices capable of reading and memorizing information stored on the magnetic stripe of the card.

ATM skimming became popular in the new millennium. Here the magnetic stripe data is read and stored by an overlay reader mounted on the card slot; human involvement at the moment of the theft is usually not required. Moreover, by placing a keypad overlay on the ATM or installing a video camera next to it, the fraudsters can also capture the cardholder's PIN.

At the beginning of 2009 a new type of ATM skimming was discovered in Russia: malicious software was installed on the ATM by fraudsters from an ordinary portable flash drive through a USB port of the ATM's system unit that is physically easy to reach (including for fraudsters). The malware saved the card's magnetic stripe data together with the client's PIN in a separate file. The PIN value was extracted by the malware from the ATM's HSM module, which, because of the specifics of its configuration, retained the current PIN value until the next transaction at the ATM began.

The stored card information was encrypted by the malware and, in encrypted form, was either printed on the ATM's receipt tape or written to a microprocessor card of the fraudsters inserted into the ATM during the extraction of the stolen data. The encryption protected the organizers of the scheme from the very fraudsters who installed the malware in the ATMs and collected the stolen data from them. To start the unloading of the stolen data the fraudsters used special cards whose numbers were generated according to a specific rule and checked by the malware before the unloading began.

Finally, some POS terminals and processing centres are another source of magnetic stripe data theft. In this case the data needed to clone the magnetic stripe can be obtained not only from the magnetic stripe but also from the chip, because the chip contains the information of the second track of the magnetic stripe (Track 2 Equivalent Data). This is done so that a microprocessor card is accepted at a servicing bank's device operating in Partial Grade Acquirer mode, and so that a microprocessor card issued by a Partial Grade Issuer is accepted. In addition, the presence of the Track 2 Equivalent Data element in authorization requests simplifies the adaptation of issuer and servicing bank host applications to chip technology (Track 2 Equivalent Data is a standard field in authorization requests,

The exchange of information between the microprocessor card and the reader is essentially unprotected (only the PIN can be encrypted), which allows fraudsters to obtain the Track 2 Equivalent Data they are interested in through terminals. The same applies to processing centres: it is possible to intercept an inter-host message or a message from a terminal and easily extract the second-track data from it. Recall that storing the second-track data at terminals and processing centres is strictly prohibited by the PCI DSS standard, but no one doubts that not all terminals and processing centres meet this requirement. Therefore it is sometimes possible to steal Track 2 Equivalent Data from the transaction log files / databases of terminals and processing centres.

To counter the theft of Track 2 Equivalent Data from the chip at terminals and processing centres for subsequent magnetic stripe cloning, the leading payment systems have introduced the mandatory use of a separate CVC/CVV value in the microprocessor application, called Chip CVC in the MasterCard system and iCVV in the VISA system. This separate value is calculated by the standard CVC/CVV algorithm, but with a service code value of 999, so it does not match the CVC1/CVV1 of a stripe carrying the card's real service code. In MasterCard Europe this became mandatory on January 1, 2008, in VISA CEMEA on January 1, 2009 (recall that Russia belongs to these regions of the MasterCard and VISA payment systems). The use of stolen Track 2 Equivalent Data in Russia for magnetic stripe cloning therefore remains possible only for cards issued before these dates.

Note that using a separate CVC/CVV value in Track 2 Equivalent Data does not help against ATM skimming: in ATM skimming the magnetic stripe data itself is intercepted as the card is inserted into the ATM reader.

Obviously, cloning a magnetic stripe makes sense for fraudsters as long as magnetic cards and magnetic terminals exist in the world. Indeed, consider two extreme cases. In the first, all terminals in the world are hybrid; then only magnetic cards, with a service code of 1XX or 5XX, can be processed on the magnetic stripe in normal mode (without fallback). In the second, all cards are hybrid (service code 2XX or 6XX); such cards can be processed by magnetic stripe (with the reservations discussed below) only in magnetic terminals.

Since modifying the service code is in most cases beyond the fraudsters' power (the integrity of the code is protected by the CVC1/CVV1 cryptographic value stored on the magnetic stripe of the card), a necessary condition for magnetic stripe cloning to be worthwhile is indeed the simultaneous use by the banks of the payment system of magnetic cards and magnetic terminals. The following more general statement holds.
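As an added example (not code from the original text), the following Go program implements the CVV/CVC derivation in the form commonly described for issuer hosts and HSMs (DES/3DES over PAN, expiry and service code, followed by decimalisation) and uses it to show two of the points above: that the chip's Track 2 Equivalent Data carries a CVC computed with service code 999, so it does not verify as a CVC1 when written to a magnetic stripe with the card's real service code, and that rewriting the service code on the stripe (for example from 201 to 101) invalidates the CVC1 as well. The CVK pair, PAN and expiry date are constructed test values, and HSM key management is left out.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed CVK pair (test values, not real keys).
var cvkA, _ = hex.DecodeString("0123456789ABCDEF")
var cvkB, _ = hex.DecodeString("FEDCBA9876543210")

// computeCVV returns the 3-digit CVV/CVC for the given PAN, expiry (YYMM)
// and 3-digit service code under the CVK pair above.
func computeCVV(pan, expiryYYMM, serviceCode string) string {
	// PAN || YYMM || service code, right-padded with '0' to 32 hex digits.
	src := pan + expiryYYMM + serviceCode
	src += strings.Repeat("0", 32-len(src))
	data, err := hex.DecodeString(src)
	if err != nil {
		panic("input must be decimal digits: " + err.Error())
	}
	single, err := des.NewCipher(cvkA)
	if err != nil {
		panic(err)
	}
	triple, err := des.NewTripleDESCipher(append(append(append([]byte{}, cvkA...), cvkB...), cvkA...))
	if err != nil {
		panic(err)
	}
	// T = E_A(block1); T = T xor block2; T = E_A(D_B(E_A(T))).
	t := make([]byte, 8)
	single.Encrypt(t, data[:8])
	for i := range t {
		t[i] ^= data[8+i]
	}
	triple.Encrypt(t, t)
	// Decimalisation: decimal digits of the result first, then A..F mapped
	// to 0..5; the CVV is the first three digits of that string.
	out := strings.ToUpper(hex.EncodeToString(t))
	var digits strings.Builder
	for _, c := range out {
		if c >= '0' && c <= '9' {
			digits.WriteRune(c)
		}
	}
	for _, c := range out {
		if c >= 'A' && c <= 'F' {
			digits.WriteRune('0' + (c - 'A'))
		}
	}
	return digits.String()[:3]
}

// serviceCodeSaysChip reports whether a hybrid terminal must demand a chip
// transaction: first digit 2 or 6 means "chip present", 1 or 5 means
// magnetic stripe only.
func serviceCodeSaysChip(serviceCode string) bool {
	return serviceCode[0] == '2' || serviceCode[0] == '6'
}

// issuerVerifiesStripe models CVC1 checking in the issuer host for a
// magnetic-stripe read: the CVC found on the stripe must equal the value
// recomputed from the PAN, expiry and service code exactly as read.
func issuerVerifiesStripe(pan, expiryYYMM, serviceCode, cvcOnStripe string) bool {
	return computeCVV(pan, expiryYYMM, serviceCode) == cvcOnStripe
}

// Constructed genuine card data: a hybrid card with service code 201.
const (
	samplePAN     = "4111111111111111"
	sampleExpiry  = "1212"
	sampleService = "201"
)

// stripeCVC is what the issuer wrote on the magnetic stripe; chipCVC is what
// the chip returns inside Track 2 Equivalent Data (service code 999).
func stripeCVC() string { return computeCVV(samplePAN, sampleExpiry, sampleService) }
func chipCVC() string   { return computeCVV(samplePAN, sampleExpiry, "999") }

func main() {
	fmt.Println("CVC1 on stripe:", stripeCVC(), " chip CVC:", chipCVC())
	fmt.Println("genuine stripe verifies:          ", issuerVerifiesStripe(samplePAN, sampleExpiry, sampleService, stripeCVC()))
	fmt.Println("stripe cloned from chip data:     ", issuerVerifiesStripe(samplePAN, sampleExpiry, sampleService, chipCVC()))
	fmt.Println("service code rewritten to 101:    ", issuerVerifiesStripe(samplePAN, sampleExpiry, "101", stripeCVC()))
	fmt.Println("terminal demands chip for 201/101:", serviceCodeSaysChip("201"), serviceCodeSaysChip("101"))
}
```

Because the result is decimalised to three digits, a stripe cloned from chip data or carrying a rewritten service code passes the check by coincidence about once in a thousand attempts; that residual rate is inherent in CVC1/CVV1, not in the example.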

Cloning a magnetic stripe within a certain payment system will lose its meaning for fraudsters if and only if the following three conditions start to be met simultaneously:
  • all cards of the payment system support the EMV standard;
  • all terminals of the payment system support the EMV standard;
  • the fallback mode on the magnetic stripe is prohibited in the payment system.
The sufficiency of the conditions of this statement is obvious. Indeed, if the microprocessor card comes into service in the hybrid terminal, then an attempt will be made to perform the operation using the technology of the microprocessor card. If the attempt is successful, the card will be processed by the chip and the cloned magnetic stripe of the card will not be used. If the attempt is unsuccessful, for example, due to incompatibility of the card and terminal applications, the transaction will be rejected, since the fallback mode to the magnetic stripe in the payment system is prohibited. And the newly cloned magnetic stripe of the card will not be required.

The necessity of the conditions is also obvious. For the cloned stripe to be useless, all transactions in the payment system must be carried out using chip technology; for that, all cards in the system must be microprocessor cards and all terminals must be hybrid.

Let us prove the necessity of the third condition. If it did not hold, then when the card and terminal applications are incompatible the current payment system rules would cause a fallback to the magnetic stripe, and the transaction would be performed using magnetic stripe technology. Thus all three conditions of the statement are necessary in our card world.

That is why, to combat counterfeit cards, the payment systems are making significant (but unfortunately insufficient) efforts to accelerate the banks' migration to microprocessor card technology. Besides working with banks and explaining the benefits of the new technology, the payment systems use liability shifts and changes in interchange fees in favour of banks that have migrated to the chip.

Recall that the Chip Liability Shift is the following rule: if a card is serviced in a magnetic terminal, a "counterfeit card" fraud occurs, and the genuine card that was counterfeited is a microprocessor card, then the liability for this fraud is shifted from the issuer of the microprocessor card to the servicing bank. In addition, the payment systems have introduced the Chip & PIN Liability Shift (see clause 6.3). Under this liability shift, if a microprocessor card is serviced at a POS terminal and at the same time:
  • PIN Offline is the highest-priority cardholder verification method for this operation according to the CVM List;
  • the POS terminal does not support PIN Offline verification for this operation,
then the liability for "lost / stolen / not received card" fraud is transferred to the servicing bank.

Unfortunately, liability shifts are not yet accepted in all regions of the leading payment systems and, within MasterCard, are mainly intra-regional in character. The latter means that the liability shift rule applies only when the servicing bank and the card issuer belong to the same region of the payment system. Exceptions to the intra-regional nature of the liability shift are few. For example, to date only Malaysia and Taiwan have joined the MasterCard Europe region for transactions performed with MasterCard cards (not Maestro!) in POS terminals.

A similar situation has developed in the VISA payment system. The shift of responsibility has been adopted in the regions Asia Pacific (AP), CEMEA, Europe, Latin American Countries (LAC) for all VISA card products. In 2010, Canada is expected to accept a liability shift. There is a Bilateral Liability Shift between Europe and CEMEA.

It should be noted that the "depth" of the liability shift also differs between regions. A full liability shift in the MasterCard system exists only in the MasterCard Europe region: only there is it accepted for all card products of the system and for all types of terminal devices (ATMs and POS terminals). For example, in the second-largest region in terms of chip migration, Asia-Pacific, the liability shift applies only to transactions performed with MasterCard cards in POS terminals; it does not apply to Maestro cards or to ATM transactions.

The Chip & PIN Liability Shift in the MasterCard system has so far been adopted only in the MasterCard Europe region.

In addition to the fact that the shift in responsibility is intra-regional in nature, migration itself is very uneven, and there are entire markets (for example, the world's largest card market, the United States), in which it did not actually start. Uneven migration leaves large islands on which magnetic technology is predominant and to which fraud migrates. The intra-regional nature of the shift in responsibility leads to the fact that chip issuers also suffer as a result of this migration of fraud. This situation cannot be called normal. The bank did everything that the payment system required of it - switched cards and terminals to chip technology, and nevertheless, it continues to suffer from fraud largely due to the fact that banks in other markets remain "magnetic". Obviously, payment systems,

It is easy to show that, given the intra-regional nature of the liability shift, the counterfeit card fraud level on a bank's issued cards, expressed in basis points, is given by

F = (f_1 a + f_2 b)(1 - A) + f_3 c (1 - AB),

where A is the share of EMV cards among the bank's cards, B is the share of terminals accepting EMV cards in the regions "foreign" to the bank, f_1, f_2, f_3 are respectively the in-country, intra-regional and inter-regional counterfeit card fraud levels, and a, b, c are respectively the probabilities that the bank's card is used within the country, within the region (outside the country), and outside the region. It is easy to see from the formula that even if all the bank's cards are microprocessor cards (A = 1), the fraud level on the bank's issued cards is generally non-zero because of the second term on the right-hand side, f_3 c (1 - B).
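As an added derivation, not part of the original text, here is where the expression for F comes from, using the same symbols and the same assumptions (the liability shift covers the issuer inside its region, and no shift applies outside it).

Take a counterfeit made from the stripe of one of the bank's cards; the genuine card is a chip card with probability A. Within the country and within the region (shares a and b of the bank's transactions) the hybrid terminals and the intra-regional liability shift leave the issuer exposed only when the genuine card is magnetic:

P(loss falls on the issuer | in-country or intra-regional) = 1 - A.

Outside the region (share c) there is no liability shift, so a cloned stripe of a chip card still succeeds at any of the 1 - B magnetic terminals there, while a cloned stripe of a magnetic card succeeds at every terminal:

P(loss falls on the issuer | inter-regional) = (1 - A) + A(1 - B) = 1 - AB.

Weighting each venue by its share of the bank's transactions and by its counterfeit fraud level gives

F = f_1 a (1 - A) + f_2 b (1 - A) + f_3 c (1 - AB) = (f_1 a + f_2 b)(1 - A) + f_3 c (1 - AB),

and in particular F(A = 1) = f_3 c (1 - B), which vanishes only when every terminal in the foreign regions is hybrid (B = 1).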

Moreover, as experts predicted and current experience shows, for countries that have advanced in the migration to chip technology the value of f_3 increases, since the only place fraudsters can still use a card with a cloned magnetic stripe (a counterfeit card) is in countries with a poorly developed infrastructure for accepting chip cards. As an illustration, according to APACS data, inter-regional fraud on UK cards grew by 250% from 2006 to 2008!

After the analogue of the card is made, it can be used by fraudsters in various ways. The easiest way is to use a counterfeit card in magnetic terminals.

6.6.1.1.1. Using a counterfeit card in a magnetic terminal

Obviously, when using a counterfeit card with a cloned magnetic stripe of a real hybrid card in a magnetic terminal, the fraudsters' chances of success are high: it is enough that the card is active and there are enough funds in the bank account associated with the card.

Today, ATMs are increasingly used as magnetic terminals for using magnetic stripe-cloned cards. It is clear that when using an ATM, it is enough to know the details of the second card track and the cardholder's PIN. At the same time, the analogue of the card can be made on white plastic, which makes life easier and cheaper for fraudsters.

To improve the security of cash withdrawals using microprocessor cards in magnetic ATMs, payment systems are considering the possibility of using the following types of protection:
  • use of CVC2 / CVV2 / CAP token when performing ATM transactions in magnetic terminals;
  • application of offline dynamic authentication of the card application in ATMs of servicing banks operating using magnetic stripe technology.
Obviously, introducing such technologies will require significant effort from banks: they will have to modernize the ATM applications and possibly change the formats of the authorization requests sent by the ATMs to the servicing bank's host. In this respect servicing banks have a better alternative: to migrate to microprocessor card technology.

In addition, payment systems for combating ATM fraud traditionally recommend banks to:
  • speed up the migration of terminals and cards to a chip;
  • use SMS-notifications of clients about their card transactions;
  • take measures to protect PIN-codes at ATMs and POS-terminals.
Let us look more closely at PIN theft at POS terminals. Although terminal manufacturers assure us that reliable PIN protection mechanisms are implemented in POS terminals, the number of cases of PIN compromise in these devices is growing rapidly. It is known that in 2006 Shell suspended card acceptance at 600 of its 1000 terminals on the suspicion that some of them were being used to steal PINs and other card details. It was later confirmed that fraudsters, in collusion with staff, had modified the PIN pads at three Shell filling stations in order to steal card data and cardholders' PINs.

Unfortunately, the fact that a terminal has been certified for compliance with the PCI PIN Entry Device (PED) standard is not a sufficient condition for feeling confident about the safety of PINs in it. In particular, researchers from the UK have shown on several terminal models how, by replacing only two or three internal components of the terminal, one can obtain a device completely under the fraudsters' control.

Also worrying are the recently published reports that a number of POS terminals made in China by several leading manufacturers were found to contain a hardware implant ("bookmark") left by fraudsters, through which card data and the cardholder's PIN were transmitted over a GSM channel to the fraudsters. Moreover, the implant was controlled remotely by the fraudsters over the same GSM channel: it could be configured to collect only the information of interest to them and commanded to unload the copied data to a specified address.

Finally, POS terminals are relatively inexpensive devices. Recently, portable models are increasingly used. Therefore, it is not difficult to replace the terminal with a special device capable of recording information of interest to fraudsters.

Below we will talk about the creation of special channels of interaction between the card and the terminal, which allow avoiding theft of PIN-codes (the so-called Customer Trustworthy Channel). Unfortunately, the possibility of using such channels is still under discussion, and a lot of time may pass before their mass implementation in practice.

6.6.1.1.2. Using a fake card in a hybrid terminal

In this case the POS terminal must require the operation to be performed using chip technology, since the card's service code is 2XX or 6XX and tells the terminal that the card supports chip technology, which has a higher priority than magnetic stripe technology. However, in some cases the terminal application allows the cashier to bypass this payment system requirement, and as a result the fraudsters have a chance of success.

However, such fraud can be dealt with successfully. The issuer of a MasterCard / Maestro chip card is recommended to decline transactions whose authorization request indicates in DE 61 (POS Data) that the terminal is able to perform the operation on the chip, while the operation is conducted on the magnetic stripe and the POS Entry Mode (DE 22) is not 80X (the fallback-to-magnetic-stripe case).

The issuer of a VISA chip card is recommended to decline transactions performed in a POS terminal in which the following conditions are met simultaneously:

DE22.1 = "90" or "02" (magnetic stripe read);

DE60.2 = "5" (chip-capable terminal);

DE60.3 is neither "1" (fallback; no information about a chip read error on the previous transaction at that terminal) nor "2" (fallback; there was a chip read error on the previous transaction at that terminal),

indicating that the POS terminal can perform the operation on the chip but is conducting it on the magnetic stripe and not in fallback mode.
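As an added example (not from the original text), the decline rules quoted above for both schemes, run over a handful of constructed authorization requests. The struct fields are this example's own representation; mapping them from DE 22 and DE 60 (VISA) or DE 22 and DE 61 (MasterCard) is assumed to be done by the host's ISO 8583 parser and is not shown.

```go
package main

import "fmt"

// authRequest is this example's own view of an authorization request after
// parsing; the comments say which scheme field each value comes from.
type authRequest struct {
	ID           string
	Scheme       string // "visa" or "mastercard"
	EntryMode    string // DE 22 POS entry mode, first two digits: "90"/"02" stripe, "05" chip, "80" MasterCard fallback
	ChipCapable  bool   // VISA DE60.2 == "5"; MasterCard DE 61 says the terminal can process chip
	ChipCondCode string // VISA DE60.3: "1"/"2" fallback, anything else not fallback (unused for MasterCard)
	CardHasChip  bool   // from the issuer's own card file
}

func isStripeRead(entryMode string) bool {
	return entryMode == "90" || entryMode == "02"
}

// declineStripeOnChipTerminal applies the rule: a chip card read by its
// stripe at a chip-capable terminal, with no fallback indication, is declined.
func declineStripeOnChipTerminal(r authRequest) (decline bool, reason string) {
	if !r.CardHasChip {
		return false, "magnetic-only card: stripe read is normal"
	}
	if !r.ChipCapable {
		return false, "magnetic terminal: stripe read expected, chip liability shift covers the issuer"
	}
	switch r.Scheme {
	case "visa":
		if isStripeRead(r.EntryMode) && r.ChipCondCode != "1" && r.ChipCondCode != "2" {
			return true, "chip-capable terminal swiped a chip card without fallback (DE60.3)"
		}
	case "mastercard":
		// MasterCard signals fallback in the entry mode itself (80X), so any
		// other stripe entry mode at a chip-capable terminal is the bypass case.
		if isStripeRead(r.EntryMode) {
			return true, "chip-capable terminal swiped a chip card, DE 22 not 80X"
		}
	}
	return false, "chip read or legitimate fallback"
}

// screen returns the IDs of the requests the issuer should decline.
func screen(reqs []authRequest) []string {
	var declined []string
	for _, r := range reqs {
		if d, _ := declineStripeOnChipTerminal(r); d {
			declined = append(declined, r.ID)
		}
	}
	return declined
}

// sampleRequests are constructed messages, not captured traffic.
func sampleRequests() []authRequest {
	return []authRequest{
		{"1", "visa", "90", true, "0", true},      // cashier bypass: decline
		{"2", "visa", "90", true, "1", true},      // genuine fallback: allow
		{"3", "visa", "05", true, "0", true},      // chip read: allow
		{"4", "mastercard", "90", true, "", true}, // cashier bypass: decline
		{"5", "mastercard", "80", true, "", true}, // fallback: allow
		{"6", "visa", "90", false, "0", true},     // magnetic terminal: allow
		{"7", "visa", "90", true, "0", false},     // magnetic-only card: allow
	}
}

func main() {
	for _, r := range sampleRequests() {
		d, why := declineStripeOnChipTerminal(r)
		fmt.Printf("request %s: decline=%v (%s)\n", r.ID, d, why)
	}
}
```

The rule is deliberately narrow: a stripe read at a magnetic terminal is left alone because the chip liability shift already moves that loss to the servicing bank, and a stripe read of a magnetic-only card is normal business.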

However, even in the case when the terminal or the servicing bank is working correctly, and does not allow the cashier to conduct a transaction on the magnetic stripe with the service code 2XX / 6XX, fraudsters have at least two ways to succeed.

In the first method the fraudster simply changes the service code on the magnetic stripe to 1XX or 5XX and expects to carry out the operation below the floor limit, i.e. offline. This gap in the security of chip technology was considered by the payment systems to be the most egregious (indeed, the terminal is hybrid and the card is a microprocessor card, yet cloning via the magnetic stripe is still possible!). Therefore in the MasterCard Europe and VISA CEMEA regions, to which Russia belongs, it was decided that all magnetic stripe transactions in online-capable terminals must be performed online, regardless of whether the card is a microprocessor or magnetic card. Note that this decision is still local and has not been adopted in all regions of the payment systems.

In the second method the fraudster uses a blank with a specially personalized chip (for obvious reasons the author does not say how the chip is personalized) and a magnetic stripe containing the information copied from a real hybrid card. Such a blank costs a little more (about 50 cents). Because of the special way the chip is personalized, the terminal, when processing the transaction, decides to switch to the backup mode of mandatory online authorization via the magnetic stripe (the so-called fallback).

Above we considered using a card with a cloned magnetic stripe in POS terminals. It is even easier to use such a card at ATMs. When the card is inserted into the reader, the ATM reads the magnetic stripe data and stores it in its buffer. From the service code it understands that the card is a microprocessor card and attempts to initialize a chip that is not actually on the card. After the failed attempt the ATM concludes that something is wrong with the chip (unlike at a POS terminal, here no one can establish that the chip is simply absent from the card). The ATM application then retrieves the stored magnetic stripe data from the buffer and falls back to the magnetic stripe.

Thus, the fallback mode can be actively used by fraudsters for dishonest purposes. This is what happens in life. According to MasterCard Europe, today the fallback rate in Europe is less than 2% (in 2007 - 3.2%, in 2006 - 4.8%). At the same time, about a third of all fallbacks to the magnetic stripe (according to VISA, a quarter of all fallbacks) are associated with fraud.

To combat false fallbacks, MasterCard has a policy of phasing out fallback as the level of card and terminal compatibility increases.

In particular, MasterCard Europe has made the following important decisions at various times.
  • From January 1, 2007, the fallback to the magnetic stripe for transactions carried out in ATMs of MasterCard Europe banks is possible under the responsibility of the servicing bank.
  • Since January 1, 2008, countries / regions have the option to opt out of fallback to magnetic stripe for transactions performed in POS terminals.
  • From January 1, 2011, for SEPA countries, the fallback mode on the magnetic stripe for operations performed in POS terminals will be possible under the responsibility of the serving bank.
At the time of this writing, the VISA payment system did not plan to make similar decisions to refuse fallback, focusing on ensuring a high level of card acceptance.

6.6.1.2. Cloning a hybrid card chip

The cloning of a hybrid card chip is understood as the procedure for fraudsters to create an analogue of a bank card (based on the data of a real card issued by a certain bank of the system) for the purpose of unauthorized use of this analogue in the terminal network of the payment system using chip technology. Obviously, the scope of cloned cards is a subset of hybrid terminals.

Section 6.2 describes in detail how any SDA card (a card supporting only static offline authentication, Static Data Authentication) can be cloned for use in offline authorization mode (an online authorization with a cloned SDA card will be declined, since the clone cannot produce the card's cryptogram). The card application data needed to clone a real card by chip can be collected at specially prepared POS terminals or with devices similar to those used for cloning the magnetic stripe.

A sad feature of a properly made cloned SDA card is that the issuer cannot block it through the Issuer Script Processing procedure (an SDA card can only be blocked using stop lists at the terminal). A properly crafted cloned SDA card never takes part in online transactions at all. As soon as the terminal requests a real-time operation, the SDA card terminates the operation by denying its authorization.

The fact that an SDA card may require offline PIN verification is clearly no obstacle to successful fraud with a clone either.

It should be noted that according to the data of payment systems, there have already been recorded cases of using cloned SDA cards from British banks in Portugal and Turkey. Payment systems pay due attention to the problem of cloning SDA-cards. Several years ago, payment systems introduced contingency plans (the so-called Contingency Plan) in the event of a massive compromise of SDA cards.

The large number of SDA cards on the market is the reason why the floor limits on terminals for chip transactions with PIN Offline verification are still not set to unlimited (for example, for Maestro cards).

International payment systems have always recommended that banks use SDA cards primarily for online authorization. However, more definite decisions on this topic will be made in the near future. Effective January 1, 2011, all new microprocessor cards in MasterCard Europe and VISA Europe will be required to support Dynamic Offline Authentication (DDA, CDA) and will be prohibited from supporting SDA.

Special attention should be paid to the last decision (prohibition of SDA support), since in the VISA payment system there is still a requirement to support SDA for cards with dynamic offline authentication (obviously, in order to ensure high quality of card acceptance). According to MasterCard, in Russia at the beginning of 2009, about 80% of issued cards are cards with dynamic authentication that simultaneously support the SDA method.

In clause 6.2 it was said that in case of incorrect personalization, you can also clone a card with dynamic authentication, if this card additionally supports the SDA method (the card application, in particular, contains the Tag '93' Signed Static Application Data object). Incorrect personalization in this case means the absence on the card of a composite SDA Tag List data object containing a single AIP data object (Application Interchange Profile), which defines, in particular, the authentication methods supported by the card application. The integrity of the AIP object is ensured by the SDA Tag List data object on the map.

If there is no SDA Tag List on the card, then by changing the AIP of such a card to a value stating that the card supports only static authentication, a fraudster can "create" an SDA card that will be accepted in SDA mode for offline transactions.

Thus, if the card supports SDA, the application must store the SDA Tag List data object! If the card application does not support SDA (and, in particular, holds no Signed Static Application Data object), storing the SDA Tag List is not mandatory, but it is still desirable: the AIP carries other information critical to transaction processing (for example, whether the card supports cardholder verification and whether the terminal must perform risk management), which fraudsters can exploit in some situations.
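The following is an added worked example, not code from the original text, that models the check just described: an issuer personalizes a card supporting both DDA and SDA, once with and once without an SDA Tag List naming the AIP, and a fraudster rewrites the AIP to "SDA only". The RSA key pair (two Mersenne primes), the sample record and the AIP values are constructed here, and the ISO/IEC 9796-2 recovery format of the Signed Static Application Data is reduced to RSA over a SHA-1 digest so the example runs on the standard library alone; real issuer keys, certificates and the recovery format are not modelled.

```python
"""Toy model of EMV Static Data Authentication (SDA) showing why a card that
supports SDA must carry an SDA Tag List ('9F4A') naming the AIP ('82').

Added example, not code from the original text. The RSA key is a textbook key
built from two Mersenne primes (far too small for real use) and the signature
is 'RSA over a SHA-1 digest' rather than the ISO/IEC 9796-2 recovery format."""
import hashlib

# Toy issuer key pair (assumption: stands in for the issuer's SDA signing key).
P = 2**127 - 1                     # Mersenne prime M127
Q = 2**89 - 1                      # Mersenne prime M89
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # 65537 | 2^k-1 only when 32 | k, so E is coprime to phi

def rsa_sign(digest: bytes) -> int:
    return pow(int.from_bytes(digest, "big"), D, N)

def rsa_verify(signature: int, digest: bytes) -> bool:
    return pow(signature, E, N) == int.from_bytes(digest, "big")

# AIP byte 1 (EMV Book 3, Annex C): 0x40 SDA, 0x20 DDA, 0x10 CVM supported,
# 0x08 terminal risk management to be performed, 0x01 CDA supported.
AIP_DDA_WITH_SDA = bytes([0x78, 0x00])   # DDA + SDA + CVM + TRM
AIP_SDA_ONLY     = bytes([0x58, 0x00])   # SDA + CVM + TRM

# Constructed record: template '70' holding a CVM List ('8E') with three rules.
CVM_LIST_RECORD = bytes.fromhex("70108e0e0000000000000000" "4203" "1e03" "1f00")

def static_data_digest(records, aip, sda_tag_list):
    """Input to the SDA hash: the records flagged in the AFL as 'to be signed',
    then the data objects named in the SDA Tag List (EMV allows only '82')."""
    h = hashlib.sha1()
    for record in records:
        h.update(record)
    if sda_tag_list is not None and 0x82 in sda_tag_list:
        h.update(aip)
    return h.digest()

def personalize(records, aip, with_sda_tag_list):
    """Issuer side: personalize the card and compute tag '93' (SSAD)."""
    tag_list = bytes([0x82]) if with_sda_tag_list else None
    card = {"records": list(records), "aip": aip, "sda_tag_list": tag_list}
    card["ssad"] = rsa_sign(static_data_digest(card["records"], aip, tag_list))
    return card

def terminal_sda_check(card):
    """Terminal side: hash what was actually read from the card and compare it
    with the hash recovered from the signature."""
    digest = static_data_digest(card["records"], card["aip"], card["sda_tag_list"])
    return rsa_verify(card["ssad"], digest)

def downgrade_aip(card):
    """Attacker: copy the card, leaving records and SSAD intact, but rewrite the
    AIP so the clone claims to support static authentication only."""
    clone = dict(card)
    clone["aip"] = AIP_SDA_ONLY
    return clone

def attack_outcome(with_sda_tag_list):
    """Returns (SDA passes on the downgraded clone, clone claims SDA only)."""
    card = personalize([CVM_LIST_RECORD], AIP_DDA_WITH_SDA, with_sda_tag_list)
    assert terminal_sda_check(card)        # the genuine card always verifies
    clone = downgrade_aip(card)
    return terminal_sda_check(clone), clone["aip"] == AIP_SDA_ONLY

if __name__ == "__main__":
    print("with SDA Tag List:   ", attack_outcome(True))    # (False, True): downgrade detected
    print("without SDA Tag List:", attack_outcome(False))   # (True, True): downgrade succeeds
```

With the SDA Tag List present the AIP is part of the hashed data, so the rewritten clone fails SDA at the terminal; without it the hash does not change and the clone is accepted as an SDA-only card.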

The general direction of the payment systems' fight against chip cloning is the transition to dynamic authentication methods (DDA / CDA). In this connection the leading payment systems have taken the following decisions.
  • From January 1, 2011, in the MasterCard Europe and VISA Europe regions new cards must support DDA / CDA (in France this rule has been in force since January 1, 2007); such cards must not support SDA.
  • From January 1, 2011, in all MasterCard regions new hybrid offline-capable terminals must support CDA (DDA has been mandatory since January 1, 2005; today more than 70% of terminals support CDA; in VISA the question of such a decision has not yet been discussed).
6.6.1.3. CNP fraud

As analysts predicted, the introduction of chip cards has been accompanied by a sharp rise in CNP fraud. In 2008 this type of fraud accounted for about half of all fraud in Europe, and in the UK for 54% of all card fraud! That is twice the share of counterfeit card fraud (27%). Counterfeit fraud now holds the second "honorable" place, although five years ago it was the undisputed leader with about 35% of all card fraud.

The growth rate of this type of fraud is also impressive. In Europe, it has been about 20% per year over the past few years.

CNP fraud could be classified as cloning of card details (card number and expiry date), which are identical for magnetic-stripe and hybrid cards. Because of its importance, however, this type of fraud is discussed separately.

Today the leading payment systems recognize only one secure e-commerce protocol, 3D Secure (promoted by VISA under the Verified by VISA brand and by MasterCard under the MasterCard SecureCode brand). According to experts, widespread use of this protocol by merchants, servicing (acquiring) banks and card issuers would reduce e-commerce fraud by at least 80%, bringing it down to 6-8 basis points.

At the beginning of 2008, on average 12% of all e-commerce transactions in the world were made at online stores supporting 3D Secure. In 28% of those, the cardholder was fully authenticated in accordance with 3D Secure (the protocol was also supported on the cardholder's side). Thus only 3.36% (0.12 × 0.28) of all e-commerce transactions were performed with cardholder authentication under 3D Secure.

In Europe the numbers look more optimistic. In mid-2009, 40% of all e-commerce transactions there were made at online stores supporting 3D Secure, and in 60% of those the cardholder was fully authenticated in accordance with 3D Secure. Thus 24% (0.40 × 0.60) of all e-commerce transactions in Europe were performed with cardholder authentication under 3D Secure.

To stimulate adoption of 3D Secure, the payment systems introduced a liability shift called the Merchant Only Liability Shift: if the merchant supports 3D Secure, liability for fraud arising from a cardholder's repudiation of the transaction passes to the issuer. In VISA the Merchant Only Liability Shift is global. In MasterCard the Global Merchant Only Liability Shift applies to all regions except the United States, where liability for a transaction with a US bank's card returns to the issuer only if 3D Secure is supported by all participants in the e-commerce transaction: the online store, the servicing bank and the cardholder / issuer.

Recall that for CNP transactions performed without a secure protocol, the servicing bank is liable for fraud. Thus, if a merchant uses 3D Secure, the normal distribution of liability, typical of other types of payment transactions, is restored.

In clause 6.1.3 it was said that the most reliable way to authenticate a cardholder under 3D Secure is to use one-time passwords generated by the CAP method, which limits the damage from a man-in-the-middle attack. To implement CAP, the client must have a microprocessor card with an EMV application that supports PIN Offline, as well as a special reader that can trigger the generation of the OTP and show it on its display.

Besides the additional cost of supplying cardholders with readers, another drawback of this approach is that the client has to come to the bank to collect the reader. Moreover, the reader must be at hand to perform a transaction, which is not always convenient: the device is much larger than a bank card and does not fit in a wallet.

In this respect, cardholder authentication using a special application installed on the cardholder's mobile phone and supporting the MMA protocol (see clause 6.1.3) looks very attractive.

6.6.1.4. Stolen / Lost Cards

People have lost, are losing and will lose their cards. Sometimes in such cases, they claim that the cards were stolen. Sometimes this is true.

It is known that the most effective way to combat this type of fraud is PIN verification. Note also that PIN Offline support on the card is today a prerequisite for the CAP authentication algorithms (MasterCard Chip Authentication Program and VISA Dynamic Passcode Authentication). Hence the general trend in the decisions of the international payment systems is to push banks towards more active use of PIN verification, and PIN Offline in particular, since it works for both online and offline transactions. As a result the payment systems have taken the following decisions on support for PIN verification.
  • From January 1, 2008, in the VISA CEMEA region all offline-capable terminals must support PIN Offline, and online-only terminals must support PIN Online if they do not support PIN Offline.
  • From January 1, 2011, all new hybrid MasterCard terminals must support PIN Offline (over 70% of certified terminals already do).
The effectiveness of Chip & PIN technology is well illustrated by the UK card market. In 2001 the level of Lost / Stolen (L / S) fraud in that market was 5.07 basis points; by 2008 it had dropped to 1.2 basis points! The main reason for the sharp drop is the almost universal introduction of Chip & PIN, under which the cardholder is verified by PIN for all transactions, including POS terminal transactions.

Indeed, the rate at which people lose cards hardly depends on time or on the card technology in use. People lost cards at about the same frequency in 2001 and in 2008, and will continue to lose them at the same rate in the years to come. And if a cardholder is not prone to absent-mindedness, malefactors will "help" him "lose" the card.

In 2001, however, a stolen card could be used in shops immediately, until the holder noticed the loss (migration to Chip & PIN began in the UK in 2004). In 2008 this was no longer so easy in the UK: almost all POS terminals already accepted chip cards and required the holder to enter a PIN, which the fraudster usually did not know (and using the stolen card for CNP operations was far less profitable).

As a result, fraudsters have to use a stolen British card in other countries, where there are POS terminals that do not support Chip & PIN. This costs them time, the client has time to come to his senses and block the card, and the L / S fraud level falls significantly!

It is easy to estimate that, had the Chip & PIN program not been adopted in the UK, losses from L / S fraud (excluding NRI, Not Received Items, fraud) would have been about £257 million in 2008 at the 5.07 basis point level. Thanks to Chip & PIN, this type of fraud amounted to only £54 million in 2008!

At the same time, because of the widespread use of the PIN and, consequently, the expanded opportunities for compromising it (plain shoulder surfing, keypad overlays / video cameras, malware installed in the ATM application, phishing / vishing, substitution of a POS terminal / PIN pad, implants in POS terminals, attacks on HSMs, etc.), British banks' losses from ATM fraud rose to £46 million in 2008. For comparison, in 2001 losses of this type were so negligible that they were not even shown in the reports.

Thus it can be argued that in 2008 Chip & PIN technology saved British banks at least £257 million - (£54 million + £46 million) = £157 million (not counting the reduction in NRI fraud)!

It should be emphasized that, to achieve such a reduction in "lost, stolen and not received cards" fraud, a friendly and fast migration of all banks to Chip & PIN is required. Only then does a fraudster who obtains a card without its PIN face a delay, "saving" for the cardholder, while he looks for a suitable place to use the stolen card. This delay is what brings the size of this type of fraud down.

If the condition of fast and friendly migration of the banks to Chip & PIN is not met (as, for example, in Russia), the effect of a single bank's migration to Chip & PIN may be exactly the opposite: both ATM fraud and L / S / NRI fraud will grow at the same time.

6.6.1.5. Virtual cloning of a hybrid card

The attack discussed in this section is applicable to any card (SDA, DDA, CDA), including cards supporting PIN Offline verification. Its essence is as follows.

Fraudsters control a terminal at some merchant (for example, a restaurant). In addition, they manufacture a special microprocessor card that has a standard ISO 7816 contact interface and a radio interface using one of the protocols that provide communication at distances from tens of centimetres to several metres (for example, ISO 15693, ISO 18000). Over this radio interface the card exchanges data with special equipment which, besides talking to the card, maintains a long-range radio channel (for example, WiMAX, IEEE 802.16; see Fig. 6.4) to the terminal controlled by the fraudsters.

A fraudster armed with such a card and the special equipment comes, say, to a jewelry store and chooses a piece of jewelry worth € 2,000. Meanwhile, in the restaurant, an unsuspecting cardholder is finishing lunch and hands his card to the waiter to pay. The waiter is an accomplice of our jewelry lover: he calls him and warns that he has the visitor's card in his hands.

The scammers then act as follows. The fraudulent waiter inserts the visitor's card into the fraud-controlled terminal and enters the cost of the meal. At the same time the fraudster in the jewelry store hands his counterfeit card to the cashier, who inserts it into the real terminal. From here on, every command of the terminal in the jewelry store is forwarded, via the fraudster's card, his special equipment and the fraudulent terminal, to the real card of the gentleman lunching at the restaurant.

The real card's responses to the real terminal's commands are returned to the real terminal along the same route in the opposite direction.

Some commands, however, require the data they carry to be transformed. For example, if the real card requires PIN verification, the fraudster in the jewelry store types a random sequence on the terminal. When the VERIFY command of the real terminal reaches the fraudulent terminal, the latter requests the PIN from the real cardholder, who enters it on the fraudulent terminal. The fraudulent terminal then sends the VERIFY command to the real card with the real holder's PIN, and the card's response is passed back to the real terminal in the jewelry store.

Obviously, online processing of the transaction is no obstacle in this model. In response to the GENERATE AC command of the real terminal, the real card generates an ARQC cryptogram, which is returned to the jewelry store's terminal and passed through it to the issuer's host. In the opposite direction, the issuer's response containing the Issuer Authentication Data is relayed to the real card inserted in the fraudulent terminal.

As a result, the transaction may end very sadly for the gentleman who dined in the restaurant. If there are sufficient funds in his account, € 2,000 will be debited from it, while he receives a receipt for the cost of lunch and will most likely remain in the dark about what happened until he sees his account statement.

The situation improves for the gentleman if his card issuer provides SMS notification of completed transactions. But notifications are effective only for online transactions.

Fig. 6.4. Virtual card cloning: restaurant (real POS terminal, purchase amount 20 euros) and jewelry store (fake card, purchase amount 2000 euros), linked by a WiMAX (IEEE 802.16) channel.

Analysing the fraud described above, it becomes clear that it was possible because there is no direct interaction (dialogue) between the cardholder and the card. Ideally the holder would enter the transaction data directly into the card, and the card (possibly with the issuer's participation) would decide whether the holder may receive the goods or service in question. But between the holder and the card there is always an intermediary, the terminal, which can distort the transaction data in a way the cardholder does not notice while the transaction is being processed. This intermediary can, among other things, steal important card data, including the holder's PIN.

Note that CDA does not help against such distortion of data by the terminal: it protects the integrity of the data the terminal sent to the card, but does not verify that this data is correct.

It is also clear that when a cryptogram is used as proof that the cardholder performed a transaction, this holds only to the extent that the terminal on which the transaction was performed can be trusted.

The problem described above can be solved if a direct, reliable channel can be set up between the card and its holder (the so-called Customer Trustworthy Channel). This can be done in several ways. For example, the cardholder can be given a simple device that has on one side a contact plate in the form factor of a standard smart card (to insert into the terminal) and on the other side a reader into which the smart card is inserted.

Such a device must have a screen and a keypad. The screen shows the transaction amount and currency sent by the terminal to the card, and the keypad lets the client enter his PIN not on the terminal but on a device he trusts. In the proposed solution the device must be able to verify the cardholder by PIN offline (PIN Offline) on the terminal's behalf, for which it must support the GET CHALLENGE and VERIFY commands.

In addition, the device must act as a buffer between the card and the terminal when the GENERATE AC command is processed. On receiving GENERATE AC from the terminal, the device stores the command data, extracts the transaction amount and currency from it and displays them on its screen. Only after the cardholder confirms these values (for example, by pressing the corresponding button on the device) is the GENERATE AC command passed on to the card application. The holder thus really controls the transaction amount and currency that the terminal sends to the card.

Obviously, implementing such a solution requires no changes to the EMV standard on either the card or the terminal side.
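The following is an added example, not code from the original text, that plays out the relay of Fig. 6.4 and the trusted intermediary device just described, reduced to the two commands that matter here, VERIFY and GENERATE AC. The card key, PIN, amounts and unpredictable number are constructed values, and the Application Cryptogram is modelled as an HMAC-SHA256 under a key shared with the issuer rather than the EMV session-key MAC; GET PROCESSING OPTIONS, READ RECORD and the issuer's ARPC are left out.

```python
"""Relay ('virtual cloning') of a real card and the Customer Trustworthy Channel
device that blocks it. Added example, not code from the original text."""
import hashlib
import hmac

CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
CARD_PIN = "1234"                                               # constructed

def cdol1_data(amount_cents: int, currency: str, unpredictable_number: bytes) -> bytes:
    """Terminal data the card signs into the ARQC: amount (9F02), currency (5F2A), UN (9F37)."""
    return amount_cents.to_bytes(6, "big") + currency.encode("ascii") + unpredictable_number

def amount_and_currency(cdol: bytes):
    return int.from_bytes(cdol[:6], "big"), cdol[6:9].decode("ascii")

class Card:
    """The victim's real card, sitting in the fraudulent restaurant terminal."""
    def __init__(self, key: bytes, pin: str):
        self.key, self.pin = key, pin
    def verify(self, pin: str) -> bool:                 # VERIFY (offline PIN)
        return pin == self.pin
    def generate_ac(self, cdol: bytes) -> bytes:        # GENERATE AC -> ARQC
        return hmac.new(self.key, cdol, hashlib.sha256).digest()[:8]

class Issuer:
    def authorize(self, cdol: bytes, arqc: bytes) -> bool:
        expected = hmac.new(CARD_KEY, cdol, hashlib.sha256).digest()[:8]
        return hmac.compare_digest(expected, arqc)

class TrustedDevice:
    """Customer Trustworthy Channel: sits between terminal and card. The PIN is
    keyed on the device, and GENERATE AC is held back until the holder has
    confirmed the amount and currency the terminal actually sent."""
    def __init__(self, card: Card, amount_shown_to_holder: int, currency: str = "EUR"):
        self.card = card
        self.expected = (amount_shown_to_holder, currency)
    def verify(self, pin: str) -> bool:
        return self.card.verify(pin)
    def generate_ac(self, cdol: bytes):
        if amount_and_currency(cdol) != self.expected:   # display disagrees with the receipt
            return None                                    # holder presses 'cancel'
        return self.card.generate_ac(cdol)

def relay_transaction(merchant_amount: int, amount_shown_to_holder: int, pin_entered: str,
                      use_trusted_device: bool = False) -> str:
    """merchant_amount: what the jewelry-store terminal requests (cents);
    amount_shown_to_holder: what the restaurant terminal displays;
    pin_entered: the digits the victim types on the fraudulent terminal."""
    real_card = Card(CARD_KEY, CARD_PIN)
    target = TrustedDevice(real_card, amount_shown_to_holder) if use_trusted_device else real_card
    # 1. The real terminal's VERIFY is relayed; the fraudster's random digits are
    #    replaced by the PIN the victim entered on the fraudulent terminal.
    if not target.verify(pin_entered):
        return "declined: PIN"
    # 2. The real terminal's GENERATE AC, carrying the merchant's amount, is relayed unchanged.
    cdol = cdol1_data(merchant_amount, "EUR", b"\x12\x34\x56\x78")
    arqc = target.generate_ac(cdol)
    if arqc is None:
        return "declined: holder rejected amount"
    # 3. The ARQC travels back through the fake card to the issuer, who sees a
    #    valid cryptogram over the merchant's amount, not the holder's lunch.
    return "approved" if Issuer().authorize(cdol, arqc) else "declined: ARQC"

if __name__ == "__main__":
    print(relay_transaction(200000, 2000, "1234"))                           # approved
    print(relay_transaction(200000, 2000, "1234", use_trusted_device=True))  # declined: holder rejected amount
    print(relay_transaction(2000, 2000, "1234", use_trusted_device=True))    # approved
```

Without the device the issuer receives a perfectly valid ARQC over € 2,000 and approves; with the device the holder sees € 2,000 where the receipt says € 20, refuses, and no cryptogram is ever produced.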

The drawback of this solution is the need to carry a separate device along with the card. To address it, cards with a tiny digital screen (display-equipped cards) and a keypad have recently appeared; they in effect partly combine the functions of the card and the device.

For example, Emue Technologies (Fig. 6.5) has created a card with an 8-character alphanumeric display, a 12-key keypad, an embedded EMV chip with a contactless interface, and a battery that lasts more than 3 years. Today the main purpose of such a card is to authenticate the cardholder for Internet banking and e-commerce. In future such cards could act as the cardholder's trusted device. It is also important that the cost and reliability of such cards do not stand in the way of their widespread adoption.

Another possible solution is to use readers that perform two-factor authentication of the cardholder and generate a cryptographic token that is a function of the transaction amount, currency and number (see clause 6.1.3). In that case the card application must check the value of the token. A separate key, different from the card key used to generate the cryptogram, is used to generate the token. The advantage of this method is that cardholder verification by PIN is performed even on terminals without a PIN pad (which, incidentally, is also true of the protection method described earlier). Implementing the method requires a slight change to the EMV standard.

Fig. 6.5. Microprocessor card from Emue Technologies

Other options are possible, for example with the role of the reader in the solution just described played by a mobile phone with a special MIDlet that computes the CAP transaction token (CAP Token Mode 1).

All these methods have one thing in common: the cardholder must have a device he trusts (issued by the cardholder's bank and constantly under the cardholder's control) which possibly holds a secret shared with the card application. The fact that the device is under the holder's control gives hope that the transaction amount and the PIN entered through it will not be modified or stolen.

Chapter 7 discusses contactless mobile payments based on NFC. These payments use a mobile phone with a banking application in its SIM card. In fact, the mobile phone is the first real-world example of a Customer Trustworthy Channel for an in-SIM banking application. This channel is not universal and is used only for contactless payments.

This Customer Trustworthy Channel has another drawback. The phone is not controlled by the bank and, being connected to the outside world, is exposed to infection by malware that can steal the bank customer's PIN. True, stealing the PIN helps the fraudster little, since he also needs the client's SIM card to commit fraud. Nor will copying the mobile application's details onto a magnetic stripe work, for the reasons described in more detail in clause 7.9.

6.6.1.6. Modification of the card and terminal dialog

Virtual card cloning is a clever example of modifying the card-terminal dialogue. There are other, simpler schemes for modifying that dialogue which bring fraudsters success. The simplest and best known is the "two-chip scheme". Here fraudsters use a printed circuit board carrying two chips: one is a bank chip, the other an intermediary chip. The intermediary chip controls the exchange between the bank chip and the terminal, modifying the dialogue where necessary (for example, changing the transaction amount, the result of PIN Offline verification, or the Cryptogram Information Data value in the response to GENERATE AC). The intermediary chip is also called a wedge device, and it can sit not only on the card but also in the POS terminal.

To protect the dialog between the card and the terminal, two methods are used:
  • signature of security-sensitive static card data;
  • CDA dynamic authentication method.
As detailed in 3.11.6, the essence of CDA is as follows. In the response to GENERATE AC, the cryptogram is not returned in the clear; instead the response carries a data object that is a signature made by the card application with the application's private asymmetric key. The signed data set includes the ICC Dynamic Data (containing the ICC Dynamic Number, IDN, the CID, Cryptogram Information Data, and the cryptogram itself) and a hash of the PDOL data, the CDOL1 (or CDOL2) data and the remaining data of the GENERATE AC response. CDA thus lets the terminal application verify the integrity of the CID and of the transaction details (amount, currency, etc.). If the terminal's signature verification fails, the transaction is declined at the terminal.

It is important to understand that CDA ensures the integrity of the transaction data exchanged between terminal and card in the GET PROCESSING OPTIONS and GENERATE AC commands. The integrity of the data the terminal reads with READ RECORD commands is ensured differently, by the static signature over the most important application data, for example the Application Usage Control, CDOL1, CDOL2, CVM List, AIP, etc.

If, for example, the CVM List object is not included in the signed data, then it can be modified by the wedge device as the terminal reads it. As a result, instead of PIN Offline verification the usual cardholder signature will be used, which obviously lowers the security of transactions with such a card. A fraudster can use a stolen card whose CVM List gives priority to PIN Offline by placing its chip in the "two-chip attack" scheme and changing the CVM List value as the terminal reads it (we repeat: CDA does not protect the integrity of data returned by READ RECORD).

There are two mechanisms for signing static data today:
  • if the card application supports SDA, the application contains a separate data object that is the signature over the sensitive application data;
  • if the card application supports offline dynamic authentication methods, the sensitive data is included in the card's public key certificate.
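The following is an added example, not code from the original text, of the wedge rewrite of the CVM List described above: it parses the CVM List (tag '8E') from a READ RECORD template, runs the terminal's CVM selection before and after the intermediary chip rewrites the first rule, and applies the static-signature check that catches the rewrite. The record and terminal capabilities are constructed, and the issuer's signature is reduced to the SHA-1 digest the terminal is assumed to have recovered from it (from the SSAD or the ICC public key certificate data).

```python
"""Wedge ('two-chip') rewrite of the CVM List and the static-signature check
that detects it. Added example, not code from the original text."""
import hashlib

CVM_NAMES = {0x00: "fail", 0x01: "plaintext PIN by ICC", 0x02: "enciphered PIN online",
             0x03: "plaintext PIN by ICC + signature", 0x04: "enciphered PIN by ICC",
             0x05: "enciphered PIN by ICC + signature", 0x1E: "signature", 0x1F: "no CVM"}

# Constructed record: template '70' { '8E': X=0, Y=0, rules 41 03 (offline PIN,
# else next rule, if the terminal supports it), 1E 03 (signature), 1F 00 (no CVM, always) }.
GENUINE_RECORD = bytes.fromhex("70108e0e0000000000000000" "4103" "1e03" "1f00")
RECOVERED_HASH = hashlib.sha1(GENUINE_RECORD).digest()   # what the static signature vouches for

def locate_tag(record: bytes, tag: int):
    """Offset and length of a single-byte-tag value inside a '70' template."""
    assert record[0] == 0x70, "not a READ RECORD template"
    body_end = 2 + record[1]
    i = 2
    while i < body_end:
        t, length = record[i], record[i + 1]
        if t == tag:
            return i + 2, length
        i += 2 + length
    raise KeyError(f"tag {tag:02X} not in record")

def parse_cvm_list(record: bytes):
    """Returns (X, Y, [(cvm code, apply-next-rule-on-failure, condition code), ...])."""
    off, length = locate_tag(record, 0x8E)
    cvm = record[off:off + length]
    x = int.from_bytes(cvm[:4], "big")
    y = int.from_bytes(cvm[4:8], "big")
    rules = [(cvm[i] & 0x3F, bool(cvm[i] & 0x40), cvm[i + 1]) for i in range(8, len(cvm), 2)]
    return x, y, rules

def select_cvm(record: bytes, terminal_supports: set, amount: int) -> str:
    """EMV Book 3 CVM processing for the condition codes modelled here."""
    x, y, rules = parse_cvm_list(record)
    for method, apply_next_on_failure, condition in rules:
        if condition == 0x00:   applies = True                      # always
        elif condition == 0x03: applies = method in terminal_supports
        elif condition == 0x06: applies = amount < x
        elif condition == 0x07: applies = amount >= x
        elif condition == 0x08: applies = amount < y
        elif condition == 0x09: applies = amount >= y
        else:                   applies = False                     # other conditions not modelled
        if not applies:
            continue
        if method in terminal_supports:
            return CVM_NAMES.get(method, f"rfu {method:02X}")
        if not apply_next_on_failure:
            break
    return "fail"

def wedge_rewrite_first_rule(record: bytes, new_rule: bytes) -> bytes:
    """The intermediary chip rewrites rule 1 of the CVM List in transit."""
    off, _ = locate_tag(record, 0x8E)
    first_rule = off + 8                    # rules start after X and Y
    return record[:first_rule] + new_rule + record[first_rule + 2:]

def static_signature_ok(record: bytes, recovered_hash: bytes) -> bool:
    """The record is among the signed static data, so any rewrite changes the hash.
    CDA's signature covers only the GPO / GENERATE AC exchange and would not notice."""
    return hashlib.sha1(record).digest() == recovered_hash

FORGED_RECORD = wedge_rewrite_first_rule(GENUINE_RECORD, bytes.fromhex("5e03"))  # signature, else next

if __name__ == "__main__":
    pinpad_terminal = {0x01, 0x1E}
    print(select_cvm(GENUINE_RECORD, pinpad_terminal, 2000),
          static_signature_ok(GENUINE_RECORD, RECOVERED_HASH))   # plaintext PIN by ICC True
    print(select_cvm(FORGED_RECORD, pinpad_terminal, 2000),
          static_signature_ok(FORGED_RECORD, RECOVERED_HASH))    # signature False
```

On a terminal with a PIN pad the genuine record selects offline PIN and the rewritten one selects signature; only the static-signature comparison over the record, not anything CDA signs, tells the two apart.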
CDA has the following important limitations:
  • the modulus of the card's public key, when CDA is used, may be limited from above to 205 bytes;
  • if the terminal does not hold the payment system public key used to create the issuer's key certificate, all transactions with this card will be declined at that terminal.
6.6.1.7. Combating ATM fraud

Fraud involving ATMs was already discussed in clause 1.5.2. Keeping the numbering of fraud types adopted there, the following can be stated. Microprocessor cards fail to solve only problems 1, 2 and 4, since possession of the plastic card and of its holder's PIN is a sufficient condition for a fraudster to withdraw cash at an ATM.

In all other cases the use of a microprocessor card prevents the fraud. When a microprocessor card is used online, knowledge of the PIN and of all card data available to the terminal is not enough for the fraudster to complete the transaction. He would also need the card's secret key, which is used to generate the cryptogram and is not available to him. That key is needed for mutual authentication of the card and the issuer, without which the transaction is declined (the degenerate case of an issuer that does not process the card's "chip" data is not considered).
6.6.2. Card fraud

6.6.2.1. Fake payment system (IPU) key

One of the serious "holes" in the security model of transactions with microprocessor cards is the practical possibility for fraudsters to load a false payment system public key into a POS terminal. Having prepared the key certificates of a fictitious issuer under that false key, they can then issue fake cards that will be accepted without problems at terminals holding the false key.

A natural way to combat this kind of fraud is to sign the payment system keys loaded into the terminal with a key of the servicing bank (possibly a symmetric key, in which case a MAC is used). This signature ensures the integrity of the key information in the terminal: without the servicing bank's key it is impossible to create and use a false payment system public key.

Unfortunately, to bypass this integrity protection of the payment system public keys, a fraudster need not compromise the servicing bank's secret key. It is enough to load a fake executable module into the terminal which, unlike the servicing bank's application, does not check the signature on the key it uses. The protection described above then stops working.

To make it impossible for a fraudster to replace the terminal application, the following methods are used:
  • control of the deletion / loading of executable modules by the terminal operating system. It is advisable to use a cryptographic module that checks the MAC values of the file deletion / loading commands arriving at the terminal; a special microprocessor card of the terminal can serve as such a module;
  • Whitelisting technology.
The essence of Whitelisting is as follows. All executable modules (.exe), scripts (.bat, .vbs, .com, etc.), libraries / drivers (.dll) and Java code of the terminal application are inventoried and entered into a special list called the White List. The list, consisting of identifiers of the allowed modules and their signatures, is signed under the terminal key.

If a module is not in the White List, it will not be executed on the system. The White List can be updated dynamically by the terminal administrator, who supplies the signature of the updated list.
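The following is an added example, not code from the original text, of the White List mechanism above: each allowed module is inventoried with its SHA-256, the list is signed, and a module is run only if the list signature verifies, the module is listed and its hash still matches. The module contents and keys are constructed, and the list signature is modelled with HMAC-SHA256 under a key assumed to be held by the terminal's cryptographic module (a real deployment would use an asymmetric signature so that the terminal stores no signing secret).

```python
"""Signed White List for a POS terminal. Added example, not code from the original text."""
import hashlib
import hmac
import json

LIST_KEY = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")        # constructed
ATTACKER_KEY = bytes.fromhex("00000000000000000000000000000000")    # constructed

# Constructed inventory of the terminal application (module name -> file contents).
MODULES = {
    "emv_app.exe": b"\x4d\x5a EMV kernel + acquirer app, checks the signature on loaded keys",
    "pinpad.dll":  b"\x4d\x5a PIN pad driver",
    "update.bat":  b"@echo off\r\nrem nightly parameter download\r\n",
}
ROGUE_APP = b"\x4d\x5a acquirer app that skips the key signature check"   # constructed

def module_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _canonical(entries: dict) -> bytes:
    """Deterministic encoding of the list so the signature is reproducible."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()

def sign_whitelist(modules: dict, key: bytes) -> dict:
    """Administrator side: inventory every module and sign the resulting list."""
    entries = {name: module_hash(data) for name, data in modules.items()}
    return {"entries": entries, "sig": hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()}

def whitelist_authentic(wl: dict, key: bytes) -> bool:
    expected = hmac.new(key, _canonical(wl["entries"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, wl["sig"])

def may_execute(wl: dict, key: bytes, name: str, data: bytes):
    """Terminal OS hook before loading a module: returns (allowed, reason)."""
    if not whitelist_authentic(wl, key):
        return False, "white list signature invalid"
    if name not in wl["entries"]:
        return False, "module not in white list"
    if not hmac.compare_digest(wl["entries"][name], module_hash(data)):
        return False, "module hash mismatch"
    return True, "ok"

def add_entry(wl: dict, name: str, data: bytes, key: bytes) -> dict:
    """Add a module and re-sign the list with whatever key the caller holds:
    the administrator's update and the attacker's attempt look alike except for the key."""
    entries = dict(wl["entries"], **{name: module_hash(data)})
    return {"entries": entries, "sig": hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()}

WHITELIST = sign_whitelist(MODULES, LIST_KEY)

def demo():
    """Outcomes for a genuine module, a tampered module, an unlisted module,
    an attacker re-signing the list with the wrong key, and a legitimate update."""
    return {
        "genuine":      may_execute(WHITELIST, LIST_KEY, "emv_app.exe", MODULES["emv_app.exe"]),
        "tampered":     may_execute(WHITELIST, LIST_KEY, "emv_app.exe", ROGUE_APP),
        "unlisted":     may_execute(WHITELIST, LIST_KEY, "rogue.exe", ROGUE_APP),
        "forged_list":  may_execute(add_entry(WHITELIST, "rogue.exe", ROGUE_APP, ATTACKER_KEY),
                                    LIST_KEY, "rogue.exe", ROGUE_APP),
        "admin_update": may_execute(add_entry(WHITELIST, "rogue.exe", ROGUE_APP, LIST_KEY),
                                    LIST_KEY, "rogue.exe", ROGUE_APP),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12s} {outcome}")
```

The replaced-application attack from the previous paragraph fails at the first two checks: the rogue module is either absent from the list or present with the wrong hash, and an attacker who edits the list cannot produce a valid signature over it without the list key.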

Note that the problem of ensuring the integrity of the terminal application is not far-fetched. According to experts in card transaction security, as cards become more secure the attention of fraudsters will increasingly turn to the environment that serves them. The terminal is the closest thing to the card and will therefore undoubtedly become a target. Since today's terminal is in effect a personal computer, the same attack methods will be used as against a PC; in particular, special programs (analogues of spyware, Trojan horses, keyboard / screen loggers, viruses) will let a fraudster obtain the card information he is after (for example, by recording the second track of the card's magnetic stripe).

6.6.2.2. Terminal substitution

The problem of a bank's real POS terminal being replaced by one installed by fraudsters is also real. A terminal costs only $400-600, so when a fraudster conspires with a merchant's cashier such a substitution is quite plausible (there have even been cases of fake ATMs!). There are also cases where a merchant uses a POS terminal solely to harvest card data.

A false terminal can record not only the contents of the card's magnetic track but also the cardholder's PIN. Given the prevalence of hybrid cards with a magnetic stripe, a fraudster who obtains the magnetic stripe data and the PIN can produce "white" cards for use at ATMs.

To solve the false-terminal problem for online transactions, MACs must be widely applied to the messages exchanged between the terminal and the servicing bank's host. This ensures the integrity of the exchange and authentication of the POS terminal by the servicing bank's host.

MACs solve the problem only for online transactions. Information about offline transactions performed at the terminal can also be signed for transmission to the servicing bank. It would be good practice to use a terminal cryptogram: a MAC under the terminal key over the main details of every transaction performed at the terminal. The terminal cryptogram can be computed according to ANSI X9.19 or ISO 9797-1, or by an analogue of the EMV card application's cryptogram algorithm. The servicing bank could be required to check the terminal cryptogram before submitting the presentment to the network.

A false terminal, however, may not transmit transaction information to the bank at all (if the terminal is used to steal card data). Unfortunately, when the terminal works offline, the most reliable counter-measures against terminal substitution are organizational measures of physical control over the terminal installed at the point of sale.

A fairly effective way to combat terminal substitution would be to introduce into the EMV standard a procedure for mutual authentication of card and terminal, performed at the very beginning of transaction processing. To implement it, one must:
  • load into the terminal its private and public asymmetric keys, the servicing bank's public key certificate signed with the payment system key, and the terminal's public key certificate signed with the servicing bank's key;
  • ensure that the card supports the terminal authentication procedure and stores the hashes of the payment system public keys.
Storing the hashes of the payment system public keys on the card is necessary to prevent a fraudster from inventing a false payment system key and generating a servicing bank key pair, with a certificate computed under that false key, to load into the terminal.

Of course, storing the hash values of the system keys imposes restrictions on the card's EEPROM (obviously the card must also hold hashes of keys to be introduced in the future, since otherwise system keys unknown to the card will appear on terminals during the card's life cycle). A terminal must store up to six system keys for each payment system. Therefore, counting the keys reserved for the future and a SHA-1 hash length of 20 bytes, about 200 bytes of EEPROM must be reserved for the hash values of one payment system's public keys.

Note that storing the system public keys themselves instead of their hash values would take about 2.5 KB of EEPROM.

For the terminal authentication procedure, the generation and distribution of CRLs (Certificate Revocation Lists) containing the compromised terminal keys is extremely important. The card must check the CRL to avoid being successfully serviced at a fraudulent terminal that uses compromised keys of a genuine payment system terminal. CRLs must be updated constantly; changes to them can be delivered to the card via Issuer Script Processing.

Storing CRLs on the card is problematic because of their size. Indeed, about 20 million terminals are in use in the world today, so identifying a terminal certificate takes 4 bytes for the terminal identifier plus one byte for the serial number of the terminal key certificate, 5 bytes per entry. If one terminal in every 10,000 has its key compromised during the card's life cycle for one reason or another (for example, when the terminal is decommissioned), the CRL will contain about 2,000 entries, i.e. 10 KB. And the CRL would have to be stored in EEPROM!
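The mutual authentication procedure and the CRL check described above, as an added illustration that is not part of the original text: a card that stores only SHA-1 hashes of the system public keys verifies the chain system key, servicing bank certificate, terminal certificate, checks the terminal against its CRL, and verifies the terminal's signature over a card-generated unpredictable number. A deterministic toy RSA with 256-bit moduli stands in for the real EMV certificate keys and ISO 9796-2 formatting; the certificate layout, the identifiers BANK0001 and 00123456, and the CRL entry format (4-byte terminal id plus 1-byte certificate serial) are assumptions made for the example.

```python
import hashlib
import random

# Added example, not from the original text: deterministic toy RSA (256-bit
# moduli, SHA-1, no padding) stands in for EMV's 1024-2048-bit certificate keys.
_rng = random.Random(2009)

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin test; n is odd and > 3 here."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=256):
    """Return ((n, e), (n, d)) with e = 65537 as used by EMV."""
    def prime(k):
        while True:
            c = _rng.getrandbits(k) | (1 << (k - 1)) | 1   # odd, full length
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:                            # gcd(e, phi) == 1
            return (p * q, 65537), (p * q, pow(65537, -1, phi))

def sha1(data):
    return hashlib.sha1(data).digest()

def pub_bytes(pub):
    return pub[0].to_bytes(32, "big") + pub[1].to_bytes(4, "big")

def sign(priv, data):                      # textbook RSA over the SHA-1 digest
    return pow(int.from_bytes(sha1(data), "big"), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == int.from_bytes(sha1(data), "big")

def tbs(cert):                             # bytes covered by the issuing signature
    return cert["id"] + bytes([cert["serial"]]) + pub_bytes(cert["pub"])

def issue(issuer_priv, subject_id, serial, subject_pub):
    cert = {"id": subject_id, "serial": serial, "pub": subject_pub, "sig": 0}
    cert["sig"] = sign(issuer_priv, tbs(cert))
    return cert

class Card:
    # Holds only 20-byte hashes of the system keys and a CRL of (4-byte terminal
    # id, 1-byte certificate serial) pairs: the EEPROM budget discussed above.
    def __init__(self, system_key_hashes, crl=()):
        self.system_key_hashes, self.crl, self.un = set(system_key_hashes), set(crl), b""

    def challenge(self):
        self.un = _rng.getrandbits(32).to_bytes(4, "big")    # unpredictable number
        return self.un

    def authenticate_terminal(self, system_pub, bank_cert, term_cert, term_sig):
        # A self-invented system key fails here, whatever chain hangs under it.
        if sha1(pub_bytes(system_pub)) not in self.system_key_hashes:
            return "unknown system key"
        if not verify(system_pub, tbs(bank_cert), bank_cert["sig"]):
            return "bad servicing bank certificate"
        if not verify(bank_cert["pub"], tbs(term_cert), term_cert["sig"]):
            return "bad terminal certificate"
        if (term_cert["id"], term_cert["serial"]) in self.crl:
            return "terminal certificate revoked"
        if not verify(term_cert["pub"], self.un, term_sig):  # proof of key possession
            return "bad terminal signature"
        return "terminal authenticated"

def terminal_auth_scenarios():
    """Constructed scenarios; returns the card's verdict for each."""
    sys_pub, sys_priv = keygen()
    bank_pub, bank_priv = keygen()
    term_pub, term_priv = keygen()
    bank_cert = issue(sys_priv, b"BANK0001", 1, bank_pub)
    term_cert = issue(bank_priv, b"\x00\x12\x34\x56", 1, term_pub)

    def session(card, spub, bcert, tcert, tpriv):
        return card.authenticate_terminal(spub, bcert, tcert, sign(tpriv, card.challenge()))

    card = Card([sha1(pub_bytes(sys_pub))])
    out = {"honest": session(card, sys_pub, bank_cert, term_cert, term_priv)}
    # Fraudster invents his own system key and hangs a complete chain under it.
    fsys_pub, fsys_priv = keygen()
    fterm_pub, fterm_priv = keygen()
    fbank_cert = issue(fsys_priv, b"BANK0001", 1, fterm_pub)   # one pair reused as bank key
    fterm_cert = issue(fterm_priv, b"\x00\x12\x34\x56", 1, fterm_pub)
    out["fake_system_key"] = session(card, fsys_pub, fbank_cert, fterm_cert, fterm_priv)
    # The genuine terminal key was compromised; its entry reached the card's CRL.
    revoked = Card([sha1(pub_bytes(sys_pub))], crl=[(term_cert["id"], term_cert["serial"])])
    out["revoked_terminal"] = session(revoked, sys_pub, bank_cert, term_cert, term_priv)
    return out
```

The order of the checks matters: the hash comparison comes first, so a fraudster who loads a self-made system key into the terminal is rejected before any certificate arithmetic, and the CRL lookup precedes the signature check so that a genuine but compromised terminal key is refused even when the signature is valid.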

In addition, terminal authentication lengthens transaction processing. Verifying the key certificates of the servicing bank and the terminal, as well as the terminal's signature, takes 150 to 300 ms on a modern card. A further 500-600 ms is needed to transfer to the card the system public key (about 248 bytes), the key certificates of the servicing bank (about 128 bytes) and of the terminal (about 128 bytes), and the terminal's signature (about 128 bytes).

Thus card transaction processing time would increase by 650-900 ms. For a number of applications such an increase is critical.

Instead of mutual authentication of card and terminal, a more realistic way to combat terminal substitution is authentication of the terminal by its servicing bank.

6.6.2.3. Fake cryptogram type

Let us dwell on one more type of fraud committed by an unscrupulous merchant. In simplified form it looks like this.

When the holder of a microprocessor card presents it to pay for a purchase, the merchant, whatever decision the terminal and card reach, ends the transaction by declining it. The cardholder either leaves the shop with nothing or pays for the goods in cash.

The fraudulent merchant then submits the unsuccessful transaction to the servicing bank as a successful offline transaction. The servicing bank is presented with all the evidence of a completed transaction: a forged Cryptogram Information Data value indicating that the card completed the operation by generating a TC (Transaction Certificate), and a cryptogram value that is opaque to the servicing bank, which cannot verify a MAC computed under the issuer's keys. The cryptogram type is also contained in the CVR (Card Verification Results) object, which is passed to the issuer inside the Issuer Application Data object. Since the terminal does not examine the contents of Issuer Application Data (although it could), this object being intended for the card issuer, we assume that the CVR passes through the terminal untouched.

On the basis of the data received from the terminal, the servicing bank generates presentments, sends them to the payment system, and reimburses the merchant for the operations "performed" at it.

The issuer receiving the presentment must check that the cryptogram type extracted from the CID object (Cryptogram Information Data, tag '9F27') matches the corresponding cryptogram type bits of the CVR object extracted from Issuer Application Data (the issuer obtains both CID and IAD from DE 55 of the authorization request or clearing message). These values must agree. The comparison should rely on the cryptogram type bits taken from the CVR, provided the cryptogram itself verified successfully: a correct cryptogram attests, among other things, to the integrity of the CVR, because the IAD is part of the cryptogram input whereas the CID is not. If the cryptogram is correct but the cryptogram types in CID and CVR disagree, the issuer should accuse the merchant of falsifying the result of the transaction. If the cryptogram received by the issuer is incorrect while the cryptogram types in CID and CVR coincide, a possible reason for the verification failure is that the merchant altered the cryptogram type in both places, including the CVR covered by the cryptogram.

In both cases the issuer has grounds to open an investigation into the outcome of the operation, which may end in the issuer refusing to pay (sending a chargeback to the servicing bank).

It takes the bank and the payment system time to deal with a fraudulent merchant. During this time the fraudulent enterprise can disappear, which is precisely what the fraudsters count on.

A more effective countermeasure is to use the CDA method of offline card application authentication and to adopt a requirement that the merchant provide the servicing bank with the Signed Dynamic Application Data element and the card's public key certificate, not just the cryptogram. The servicing bank then extracts the true Cryptogram Information Data value from the Signed Dynamic Application Data, which the card signed with its private key and which the merchant cannot forge, and the fraud scheme described above stops working.
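The issuer-side check described above, as an added example that is not part of the original text: a card declines with an AAC, the merchant relabels the CID as a TC, and the issuer first verifies the cryptogram and then compares the CID against the CVR carried inside the IAD. HMAC-SHA256 stands in for the card's 3DES/AES application cryptogram, the issuer key, the transaction data and the one-byte CVR layout are constructed assumptions, and the CDA variant (in which the card's signature also covers the CID) is not implemented.

```python
import hashlib
import hmac

# Cryptogram type lives in bits 8-7 of the CID byte (tag 9F27): 00 AAC, 01 TC, 10 ARQC.
AAC, TC, ARQC = 0x00, 0x40, 0x80
TYPE_MASK = 0xC0

# Constructed key: in practice a per-card session key derived from the issuer
# master key, and the MAC is 3DES/AES rather than the HMAC-SHA256 used here.
ISSUER_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")

# Constructed transaction data in the order of the recommended minimum set:
# Amount Authorised, Amount Other, Terminal Country Code, TVR, Currency Code,
# Transaction Date, Transaction Type, Unpredictable Number, AIP, ATC.
TX_DATA = bytes.fromhex(
    "000000001000" "000000000000" "0643" "0000000000" "0643"
    "090115" "00" "1a2b3c4d" "1800" "0005")

def application_cryptogram(key, tx, iad):
    """MAC over the transaction data plus the IAD. The CID is deliberately NOT an
    input, which is exactly what lets a merchant relabel an AAC as a TC."""
    return hmac.new(key, tx + iad, hashlib.sha256).digest()[:8]

def card_generate_ac(key, tx, decision):
    """Card side: returns (CID, IAD, AC). Assumption for the example: the CVR is
    the first IAD byte and carries the cryptogram type in the same bits as the CID."""
    cid = bytes([decision])
    iad = bytes([decision, 0x00, 0x00])          # CVR followed by filler
    return cid, iad, application_cryptogram(key, tx, iad)

def issuer_check(key, tx, cid, iad, ac):
    """Issuer side: verify the cryptogram, then compare CID with the CVR in the IAD."""
    cvr_type = iad[0] & TYPE_MASK
    if not hmac.compare_digest(application_cryptogram(key, tx, iad), ac):
        return "cryptogram invalid: MAC-covered data (possibly the CVR) was altered"
    if (cid[0] & TYPE_MASK) != cvr_type:
        return "CID/CVR mismatch: merchant misreported the cryptogram type"
    return {TC: "TC: offline approval is genuine, pay the merchant",
            AAC: "AAC: card declined, nothing is owed",
            ARQC: "ARQC: card asked for online authorization"}[cvr_type]

def cid_check_scenarios():
    """Constructed scenarios; returns the issuer's verdict for each."""
    out = {}
    cid, iad, ac = card_generate_ac(ISSUER_KEY, TX_DATA, TC)
    out["honest_tc"] = issuer_check(ISSUER_KEY, TX_DATA, cid, iad, ac)
    cid, iad, ac = card_generate_ac(ISSUER_KEY, TX_DATA, AAC)
    out["honest_aac"] = issuer_check(ISSUER_KEY, TX_DATA, cid, iad, ac)
    # Merchant relabels the declined transaction: CID says TC, IAD and AC untouched.
    out["forged_cid"] = issuer_check(ISSUER_KEY, TX_DATA, bytes([TC]), iad, ac)
    # Merchant also rewrites the CVR inside the IAD so that it agrees with the CID.
    forged_iad = bytes([TC]) + iad[1:]
    out["forged_cid_and_cvr"] = issuer_check(ISSUER_KEY, TX_DATA, bytes([TC]), forged_iad, ac)
    return out
```

The two fraud variants surface as the two verdicts the text distinguishes: a forged CID alone leaves a valid cryptogram with a CID/CVR mismatch, while forging the CVR as well breaks the cryptogram, since the IAD is part of its input.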

Summarizing the above, we can conclude that as the number of microprocessor cards grows and the acceptance infrastructure expands, the level (not the volume!) of card fraud will steadily decrease. Microprocessor technology has proven effective in the fight against card fraud; the markets of Great Britain, France, Luxembourg and Belgium, which have almost completely migrated to chip card technology, are a prime example.

In developing the technology, the payment systems pursue a policy aimed at maximizing the security of card transactions. Depending on the maturity of the card market, proactive decisions are taken to reduce the level of card fraud. Among them are the latest steps to expand the use of reliable card authentication methods and of Offline PIN on cards and terminals, to tighten the rules for fallback to magnetic stripe authorization, and so on.

At the same time, criminal structures will obviously not accept the loss of income from card fraud and will adapt to life in the world of chip cards. Unfortunately for the banks, fraudsters still have plenty of opportunities.

The biggest weakness of smart card technology is the lack of synchronicity and speed in the banks' migration to the chip. Even if the banks of one country migrate to the chip completely, as long as countries remain where migration is slow, the banks that have migrated will continue to incur financial losses. European countries that have achieved significant results in migration therefore cannot but be concerned about the state of affairs in certain regions, above all in the largest plastic card market, the United States. Indeed, all the efforts of a European bank that issued a microprocessor card are nullified by the possibility of a transaction on a counterfeit card, made from the magnetic stripe data of that microprocessor card, at the "magnetic" terminal of an American bank.
 