
The wedge attack was applicable to DDA cards (Dynamic Data Authentication), which were being superseded by CDA cards (Combined Data Authentication) at the time the vulnerability was disclosed. CDA partially resolved the problem with DDA, but it was itself open to a vulnerability called the No PIN attack.

The researchers behind the vulnerability proposed a solution to fix DDA cards in their write-up, Defending against wedge attacks in Chip & PIN, but there is no track record of which banks globally enforced this solution or even cared to address it.

The wedge was used in this attack too, but the method of exploitation was different from that against DDA, as explained in their research paper, Chip and PIN is broken. Their proposed solution as mentioned in the paper fixes CDA, and only Barclays Bank UK PLC is known to have fixed the No PIN attack (52:20). One possible work-around is for the terminal to parse the IAD, which does include the result of PIN verification.

Attack wedge verification

Now the terminal can also send the CVMR (Cardholder Verification Method Results, which specifies which cardholder verification method the terminal believes was used) optionally with the transaction approval request, but unlike the IAD (Issuer Application Data) it is not integrity protected. The issuer then validates the CVMR against the IAD to ensure both the card and the terminal have the same perspective on how the transaction happened.

The card can change its CDOL to request that the CVMR be included in the payload to the Generate AC command. EMV Book 4, 12.1.1 - Authorization Request - Table 9 contains the new data elements specifically created for an ICC transaction. It was added to the book in November 2011, a year after the vulnerability was disclosed. Unless the CVMR is included in the CDOL it may not be integrity protected, so a second man-in-the-middle between terminal and acquirer (perhaps installed with the co-operation of a corrupt merchant staff member) could tamper with it too.

A year after the vulnerability was disclosed publicly, a criminal ring was caught performing this attack; the Cambridge researchers believe the French criminals worked out the attack independently.
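As an added illustration (not code from the original post or from the Cambridge researchers), the issuer-side check described above: compare the terminal's CVMR with the card's view in the IAD, and see why that check only holds up when the CVMR is covered by the card's cryptogram. The IAD bit layout, session key, CDOL contents and the HMAC stand-in for the ARQC MAC are all constructed assumptions for this example.

```python
import hashlib, hmac

# CVM Results (EMV tag 9F34), 3 bytes: CVM code performed | CVM condition | result.
# Result byte: 0x00 unknown, 0x01 failed, 0x02 successful.
OFFLINE_PIN_METHODS = {0x01, 0x03, 0x04, 0x05}  # plaintext/enciphered PIN verified by the ICC

def terminal_claims_offline_pin(cvmr: bytes) -> bool:
    """Terminal's view: it believes the card verified the PIN offline and succeeded."""
    if len(cvmr) != 3:
        raise ValueError("CVMR is exactly 3 bytes")
    method = cvmr[0] & 0x3F  # bit 7 (0x40) only flags 'apply next CVM on failure'
    return method in OFFLINE_PIN_METHODS and cvmr[2] == 0x02

def card_claims_offline_pin(iad: bytes) -> bool:
    """Card's view, read from the IAD. The IAD layout is issuer-proprietary; the
    'byte 3, bit 0x04 = offline PIN verified OK' rule is a constructed placeholder."""
    return len(iad) > 3 and bool(iad[3] & 0x04)

def build_cdol_data(other_fields: bytes, cvmr: bytes, cvmr_in_cdol: bool) -> bytes:
    """Data the terminal hands to Generate AC: CVMR is appended only if the CDOL asks."""
    return other_fields + cvmr if cvmr_in_cdol else other_fields

def card_mac(session_key: bytes, cdol_data: bytes) -> bytes:
    """Stand-in for the ARQC: a MAC over the Generate AC input. Real cards use a
    3DES/AES MAC; HMAC-SHA256 is used here only to show what the MAC covers."""
    return hmac.new(session_key, cdol_data, hashlib.sha256).digest()[:8]

def issuer_decision(key, other_fields, arqc, cvmr, iad, cvmr_in_cdol) -> str:
    # 1. Recompute the cryptogram from the received fields; it binds CVMR only if in CDOL.
    expected = card_mac(key, build_cdol_data(other_fields, cvmr, cvmr_in_cdol))
    if not hmac.compare_digest(expected, arqc):
        return "decline: cryptogram invalid"
    # 2. Terminal's view (CVMR) must agree with the card's view (IAD).
    if terminal_claims_offline_pin(cvmr) != card_claims_offline_pin(iad):
        return "decline: CVM mismatch between terminal and card"
    return "approve"

def no_pin_wedge_scenario(cvmr_in_cdol: bool, second_mitm: bool) -> str:
    """Constructed No PIN transaction: the wedge tells the terminal 'PIN OK' while
    the card did no PIN. A second MITM may rewrite CVMR between terminal and acquirer."""
    key = b"\x11" * 16                            # constructed session key
    other_fields = bytes.fromhex("000000001000")  # constructed amount etc.
    terminal_cvmr = bytes([0x41, 0x03, 0x02])     # plaintext PIN by ICC, successful
    card_iad = bytes.fromhex("06010a03000000")    # byte 3 bit 0x04 clear: no offline PIN
    # The card MACs whatever the terminal gave it in Generate AC (the original CVMR).
    arqc = card_mac(key, build_cdol_data(other_fields, terminal_cvmr, cvmr_in_cdol))
    # The second MITM rewrites CVMR to 'signature' so it agrees with the card's view.
    sent_cvmr = bytes([0x1E, 0x03, 0x02]) if second_mitm else terminal_cvmr
    return issuer_decision(key, other_fields, arqc, sent_cvmr, card_iad, cvmr_in_cdol)
```

Without the CVMR in the CDOL, the rewritten CVMR passes both checks and the wedge transaction is approved; with it, the recomputed cryptogram no longer matches and the issuer declines.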
