Security Analysis of EMV Protocol and Approaches for Strengthening It

  • Conference paper
Distributed Computing and Internet Technology (ICDCIT 2018)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 10722)

Abstract

Reliance on smart cards in our daily lives makes their security essential. Credit card fraud has been a major hassle for electronic commerce over the past few years. A worldwide standard for payment has been introduced by Europay, Mastercard, and Visa (EMV) with the objective of limiting card payment fraud. The EMV standard has two main pillars: card authentication (chip), which counters skimming and counterfeiting fraud, and cardholder verification (PIN), which counters fraud with stolen or lost cards. Today EMV (aka Chip-and-PIN) is the leading system for card payments worldwide, with more than 4.8 billion cards. Although EMV cards are widely adopted around the world, they are still amenable to attacks, as our analysis reveals.

In this paper, we present an approach for analyzing the security of the EMV protocol using a novel information security model called the Readers-Writers Flow Model (RWFM) that explicitly captures the intentions of the protocol designer. An assessment of the security of the EMV protocol by this approach automatically reveals several attacks on the EMV protocol presented in the literature, and provides implementation guidelines for realizing a secure EMV protocol with respect to different threat models. It is experimentally illustrated that most of these attacks are overcome by using an RWFM wrapper in a prototype implementation following the guidelines. The efficacy of the approach is demonstrated by successfully preventing the software simulation of the “No-PIN” attack.

Notes

  1. The EMV standard is designed by Europay, MasterCard, and Visa.

  2. http://www.emvco.com.

  3. https://sites.uclouvain.be/EMV-CAP/resources/Data/EMVCAP-1.4.tar.gz.

Acknowledgement

The work was done as part of Information Security Research and Development Centre (ISRDC) at IIT Bombay, funded by MEITY, Government of India.

Corresponding author

Correspondence to N. V. Narendra Kumar.

Copyright information

© 2018 Springer International Publishing AG

Cite this paper

Shrikrishna, K., Narendra Kumar, N.V., Shyamasundar, R.K. (2018). Security Analysis of EMV Protocol and Approaches for Strengthening It. In: Negi, A., Bhatnagar, R., Parida, L. (eds) Distributed Computing and Internet Technology. ICDCIT 2018. Lecture Notes in Computer Science, vol 10722. Springer, Cham. https://doi.org/10.1007/978-3-319-72344-0_4

  • DOI: https://doi.org/10.1007/978-3-319-72344-0_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-72343-3

  • Online ISBN: 978-3-319-72344-0