This article is part 4 of 7 in the series: An Evaluation of Strong Customer Authentication (SCA) Methods for the Revised Payment Services Directive (PSD2).
The following criteria are used for comparison:
- Equipment and infrastructure: Costs and benefits
- Ease of deployment: Portability, proprietary limitations, and distribution considerations
- Ease of loss replacement: Steps needed for a user to begin anew
- Vulnerabilities: Process, hardware, or software weaknesses
- Convenience/speed: The time the step takes and the ease of the user experience; reports put the window in which a shopper decides whether to stay in or abandon a purchase at as little as 7 to 15 seconds, so every second counts
Europay, MasterCard, and Visa (EMV) Readers
SCENARIO: You have applied for and been sent a credit card, and it has a small metallic, rounded-rectangle contact plate visible on its front, flush with the card surface. EMVCo, originally formed by Europay, MasterCard, and Visa (hence EMV) and now owned by several payment networks, specifies how smart card authentication is built into the purchase. While anyone can, in theory, obtain a card reader to perform at-home purchases with qualifying cards, these readers are overwhelmingly used by brick-and-mortar shops to authenticate purchases. Shopping at a store and deciding to buy, you either insert the chip end of the card into the terminal or, for a contactless card, hold it over the reader so that NFC carries the exchange; either way the card and terminal verify the transaction in seconds, and the terminal is normally supplied by the acquirer or payment processor.
ANALYSIS: Card-not-present transactions do not really happen via EMV; the strength of the scheme is its hardware basis. Software-only imitations of EMV remove the very thing that makes it secure: the chip-and-reader pairing. As soon as a card number and the associated payment details sit on the storage of a general-purpose device, an attacker who compromises that device can make purchases the holder never authorized. Note that academic scrutiny of the protocol did not stop in 2009: Murdoch et al. published "Chip and PIN is Broken" in 2010 and Bond et al. described the pre-play attack on EMV in 2014, so weaknesses have continued to be found in a mature, widely deployed scheme.
Deployment requires back-end authorization servers able to process a high volume of incoming purchases. As these are smart cards, infrastructure up to and including a public key infrastructure (PKI) is required as the backbone of the entire operation. Chips must be built into cards, distributed 1:1 to each user, and tracked, along with expirations and other sensitive personally identifying information (PII). Readers must be prepared, distributed 1:1 to each merchant, and likewise tracked, along with their certificates, key expirations, and sensitive merchant data.
The real rub in this scheme comes from two families of attack: PIN harvesting and stripe cloning. In PIN harvesting, an attacker captures PINs as they are typed, using a tampered PIN pad, an overlay, or a camera; in stripe cloning, a skimmer is inserted into the card slot or the terminal is swapped for a doctored one, and the magnetic stripe data is copied. Both require direct physical contact with, or proximity to, the reader. A copied stripe still has to get past the chip: if the terminal can be made to believe the card is chipless, or the chip is damaged so it does not respond, the terminal performs what is called a "fallback transaction", which is authorized with fewer checks along the way and, under the liability rules, often leaves the merchant absorbing the cost after the perpetrator is long gone and the purchase comes back as fraudulent. Man-in-the-middle attacks between card and terminal have also been demonstrated, including in scenarios where a phone stands in for the card. NFC contactless payments expose the exchange to interception or relay by a third party, but that interloper must be within signal range.
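To make the fallback and stripe-cloning risk concrete, here is an added, constructed example (not EMVCo's or any vendor's code) that models a terminal deciding how it reads a card and an issuer applying two of the controls that matter: comparing the service code on the presented stripe with the one on record (a cloned stripe with the chip indicator rewritten fails this check) and capping fallback transactions per card. The PAN, expiry, service codes, track 2 layout parsing and the issuer's limits are assumed values chosen for illustration; the service code meaning (first digit 2 or 6 marks a chip card) follows ISO/IEC 7813.

```python
"""Toy model of an EMV terminal's read decision and an issuer's handling of
'fallback' and cloned-stripe transactions.  Constructed example for this
article; not EMVCo, network, or vendor code.  PAN, expiry, service codes and
issuer limits are made up."""
from dataclasses import dataclass, field

# ISO/IEC 7813 service code, first digit: 2 or 6 means an integrated circuit
# (chip) is present, so a chip-capable terminal must attempt the chip first.
CHIP_FIRST_DIGITS = {"2", "6"}


def luhn_ok(pan: str) -> bool:
    """Luhn check on a PAN; rejects obviously mangled or mistyped track data."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry: str        # YYMM as encoded on the stripe
    service_code: str  # three digits


def parse_track2(raw: str) -> Track2:
    """Parse ';PAN=YYMMSSS<discretionary>?' as found on magnetic stripe track 2."""
    body = raw.strip().lstrip(";").rstrip("?")
    pan, sep, rest = body.partition("=")
    if sep != "=" or not pan.isdigit() or not 12 <= len(pan) <= 19 or not luhn_ok(pan):
        raise ValueError("invalid PAN")
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("expiry/service code missing")
    return Track2(pan=pan, expiry=rest[:4], service_code=rest[4:7])


def chip_capable(t: Track2) -> bool:
    return t.service_code[0] in CHIP_FIRST_DIGITS


def terminal_entry_mode(t: Track2, chip_read_ok: bool) -> str:
    """Entry mode the terminal reports after reading the card.

    chip_read_ok simulates whether the chip answered when inserted.  A chip
    card whose chip does not answer is swiped instead: the fallback case."""
    if not chip_capable(t):
        return "MAGSTRIPE"            # stripe claims no chip; nothing to try
    if chip_read_ok:
        return "CHIP"
    return "FALLBACK_MAGSTRIPE"       # chip present but bypassed


@dataclass
class Issuer:
    """Issuer authorization with two controls: the presented service code must
    match the one recorded at issue (a cloned stripe rewritten from 2xx to 1xx
    fails here), and fallback swipes are capped by amount and count per card.
    The limits are assumed policy values, not network rules."""
    on_file: dict                      # PAN -> service code as issued
    max_fallback_amount: int = 25_00   # minor currency units
    max_fallbacks_per_card: int = 1
    fallbacks: dict = field(default_factory=dict)

    def authorize(self, t: Track2, entry_mode: str, amount: int) -> str:
        issued = self.on_file.get(t.pan)
        if issued is None:
            return "DECLINED: unknown PAN"
        if t.service_code != issued:
            return "DECLINED: service code mismatch (altered stripe)"
        if entry_mode == "CHIP":
            return "APPROVED"
        if entry_mode == "MAGSTRIPE":
            # Plain swipe of a card we issued with a chip: the chip was skipped.
            return "DECLINED: chip card swiped" if issued[0] in CHIP_FIRST_DIGITS else "APPROVED"
        n = self.fallbacks.get(t.pan, 0) + 1          # FALLBACK_MAGSTRIPE
        self.fallbacks[t.pan] = n
        if amount > self.max_fallback_amount or n > self.max_fallbacks_per_card:
            return "DECLINED: fallback limit"
        return "APPROVED"


def demo() -> list:
    """Run the scenarios from the text against one constructed test card."""
    issuer = Issuer(on_file={"4111111111111111": "201"})           # assumed record
    genuine = parse_track2(";4111111111111111=2512201123456789?")   # constructed
    cloned = parse_track2(";4111111111111111=2512101123456789?")    # 201 -> 101
    results = []
    for label, card, chip_ok, amount in [
        ("chip read normally", genuine, True, 100_00),
        ("chip unresponsive, fallback swipe", genuine, False, 20_00),
        ("second fallback on the same card", genuine, False, 20_00),
        ("cloned stripe with chip indicator removed", cloned, False, 20_00),
    ]:
        mode = terminal_entry_mode(card, chip_ok)
        results.append((label, mode, issuer.authorize(card, mode, amount)))
    return results


if __name__ == "__main__":
    for label, mode, outcome in demo():
        print(f"{label:45} {mode:20} {outcome}")
```

The first fallback is approved because issuers do still accept some fallback traffic; the point is that it is counted and capped, and that a stripe whose service code no longer matches the issued card is refused outright rather than treated as a legitimate chipless card.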
Once a compromise is discovered, the close coupling of the devices means both the reader and every card used at it must be assumed exposed: the reader and all cards presented while it was compromised must be canceled and replaced. The convenience of reinstating everyone caught up in a compromise is among the lowest of all the MFA options discussed in this series.
Authenticating via an EMV reader involves inserting your card and waiting for the transaction to be authorized or, with more recent terminals, holding your chip card (or phone) near the reader and letting NFC carry the relevant information. The added convenience of contactless NFC is also one of the added exposures noted above, since the exchange becomes interceptable within radio range.
- Equipment and infrastructure: $$$$: server farm; credit card/chip readers; chipped credit cards; proprietary
- Ease of deployment: Extreme: reader at every payment point; card in every hand
- Ease of loss/replacement: Extreme; card and reader AND ALL CARDS POSSIBLY AFFECTED must be replaced/re-issued
- Vulnerabilities: PIN harvesting; stripe cloning; fallback transactions; MITM/relay (NFC)
- Convenience/speed: Seconds, possibly much longer; ~1s+ with NFC but with added vulnerabilities
Next up: Smartphone + Biometrics for PSD2 SCA.
StrongKey FIDO Server (SKFS) is the world’s only open source FIDO® Certified FIDO2 Server. StrongKey never charges per-license or per-user fees, allowing you to keep your costs low even as your business grows. We offer CryptoCloud hosting, PKI solutions including conversion from existing PKI to a FIDO ecosystem via PKI2FIDO, and enterprise-wide FIDO2 strong authentication for businesses on six continents.