Chip Authentication Program: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 15:30, 18 May 2010 edit 213.122.155.209 (talk) →United Kingdom ← Previous edit		Latest revision as of 10:49, 31 May 2025 edit undo Cl3phact0 (talk \| contribs) Extended confirmed users, New page reviewers 27,768 edits →United Kingdom: +photo
(111 intermediate revisions by 74 users not shown)
Line 1: {{Short description\|Aspect of banking security}} [[image:Barclays pinsentry.jpg\|thumb\|right\|250px\|A ~~Barclays~~Gemalto ~~PINsentry~~EZIO CAP ~~Device~~device with Barclays PINsentry styling]] The '''Chip Authentication Program''' '''(CAP)''' is a [[MasterCard]] initiative and technical specification for using [[EMV]] banking [[smartcards]] for [[authentication\|authenticating]] users and transactions in online and telephone banking. It was also adopted by [[Visa (company)\|Visa]] as '''Dynamic Passcode Authentication''' (DPA).<ref>[http://www.visaeurope.com/aboutvisa/products/dynamicpasscode.jsp Dynamic passcode authentication] {{webarchive\|url=https://web.archive.org/web/20081119231409/http://www.visaeurope.com/aboutvisa/products/dynamicpasscode.jsp \|date=2008-11-19 }}, VISA Europe</ref>. The CAP specification defines a handheld device ("''CAP reader"'') with a smartcard slot, a ~~decimal~~numeric keypad, and a display capable of displaying at least 12 characters (e.g., a [[starburst display]]). Banking customers who have been issued a CAP reader by their bank can insert their [[Chip and PIN]] ([[EMV]]) card into the CAP reader in order to participate in one of several supported [[authentication protocol]]s. CAP is a form of [[two-factor authentication]] as both a smartcard and a valid PIN must be present for a transaction to succeed. Banks hope that the system will reduce the risk of unsuspecting customers entering their details into fraudulent websites after reading ‘so-called [[phishing]]’ emails.<ref>~~http~~{{Cite web\|last=Leyden\|first=John\|title=Barclays deploys PINsentry to fight fraud\|url=https://www.theregister.~~co.uk~~com/2007/04/18/pinsentry/\|access-date=2021-04-30\|website=www.theregister.com\|language=en}}</ref> ==Operating principle== The CAP specification supports several authentication methods. The user first inserts their smartcard into the CAP reader and enables it by entering the PIN. A button is then pressed to select the transaction type. Most readers have 2two or 3three transaction types available to the user under a variety of names. Some known implementations are: ''';Code/~~Identify~~identify:~~'''~~ Without requiring any further input, the CAP reader interacts with the smartcard to produce a decimal [[one-time password]], which can be used, for example, to log ~~in to~~into a banking website. ''';Response:~~'''~~ This mode implements [[~~challenge-response~~challenge–response authentication]], where the bank's website asks the customer to enter a "challenge" number into the CAP reader, and then copy the "response" number displayed by the CAP reader into the web site. ''';Sign:~~'''~~ This mode is an extension of the previous, where not only a random "challenge" value, but also crucial transaction details such as the transferred value, the currency, and recipient's account number have to be typed into the CAP reader. The above noted transaction types are implemented using one of two modes. One of these modes has two forms in which it can operate, creating three distinct modes, though they are not named this way in the specification. ''';Mode1:~~'''~~ This is the mode for normal monetary transactions such as an online purchase through a merchant. ~~The~~A transaction value and currency ~~may be~~are included in the computation of the cryptogram. If the card does not require it or the terminal does not support it, then both amount and currency are set to zero ~~during the computation~~. ''';Mode2:~~'''~~ This mode may be useful for authenticating a user in which no transaction is taking place, such as logging into an Internet banking system. ~~The~~No ~~computation~~transaction ~~differs~~value, ascurrency, ~~there~~or ~~is no transaction~~other data are included, making these responses very easy to precompute or reuse.{{paragraph break}}{{glossary}}{{term\|With transaction data signing (TDS)}}{{defn\|This mode may be used for more complicated transactions, such as a funds transfer between accounts. Multiple data fields pertaining to the transaction are concatenated and then hashed with a Mode2 cryptogram as the key for the hashing algorithm. The resultant hash is used in place of the cryptogram calculated in a non-TDS Mode2 operation.<ref>[http://www.unixgarden.com/index.php/misc/banques-en-ligne-a-la-decouverte-demv-cap Banques en ligne : à la découverte d’EMV-CAP] {{webarchive\|url=https://web.archive.org/web/20121127172622/http://www.unixgarden.com/index.php/misc/banques-en-ligne-a-la-decouverte-demv-cap \|date=2012-11-27 }}, UnixGarden</ref>}}{{glossary end}} '''Mode2 with TDS:''' This mode may be used for more complicated transactions, such as a funds transfer between accounts. Multiple data fields pertaining to the transaction are concatenated and then hashed using the value that would result from a Mode2 operation as the key for the hashing algorithm. The resultant hash is used in place of the cryptogram calculated in a non-TDS Mode2 operation. Mode1 sounds very much like a specific use of Mode2 with TDS ~~(Transaction Data Signing)~~, but there is a critical difference. In Mode1 operation, the transaction data (amount and currency type) are used in the cryptogram calculation in addition to all the values used in Mode2 without TDS, whereas Mode2 includes its transaction data in a successive step rather than including it in the cryptogram calculation step. If it were not for this difference, then all operations could be generalized as a single operation with varying optional transaction data. ==Protocol details== [[Image:~~Nordea_e~~Nordea e-kod.jpg\|right\|thumb\|A Nordea E-code reader]] In all three modes, the CAP reader asks the EMV card to output a data packet that confirms the cancellation of a fictitious EMV payment transaction, which involves the details entered by the user. This confirmation message contains a [[message authentication code]] (typically [[CBC-MAC]]/[[~~TDES~~Triple DES]]) that is generated with the help of a card-specific secret key stored securely in the smartcard. Such cancellation messages pose no security risk to the regular EMV payment application, but can be cryptographically verified and are generated by an EMV card only after the correct PIN has been entered. It provided the CAP designers a way to create strong cryptographic evidence that a PIN-activated EMV card is present and has seen some given input data, without having to add any new software functions to ~~already fielded~~ EMV cards already in use. An EMV smartcard contains a (typically 16-bit) transaction counter that is ~~increased by one~~incremented with each payment or CAP transaction. The response displayed by a CAP reader essentially consists of athe ~~concatenation~~various parts of the card's response (~~typically~~Application 7Transaction Counter, MAC, etc.) ~~least-significant~~which is then reduced to specific bits ofas determined by the ~~transaction~~Issuer ~~counter~~Authentication Indicator (IAI) record stored in the card (this is set on a per-issuer basis, ~~followed~~although byshould an issuer desire, it could be set randomly for each card providing a database of each card's IAI is kept), finally, after ~~selected~~unwanted bits ~~from~~are ~~the~~discarded ~~message~~(essentially ~~authentication~~the ~~code~~absolute position of bits is irrelevant, a bit in the ~~transaction~~IAI ~~abort~~that ~~message~~is ~~sent~~0 bymeans the corresponding bit in the card, response will be dropped rather than merely being set to 0). Finally the value is converted from a binary into a decimal number and displayed to the user. A truncated example is provided below: # CAP device selects EMV application, reads IAI info from card and the user selects an action to perform (in this example, IAI will be 111011011000<sub>[[binary number\|2]]</sub>). In the identify mode, the response depends only on the transaction counter value. In the response mode, it depends in addition on the entered challenge, and in signing mode it also depends on the entered transaction details. # After successful PIN entry, CAP device sends challenge of 011100111010<sub>2</sub> as an Authorization Request Cryptogram (ARQC) transaction. # Smartcard gives a response of 110101110110<sub>2</sub> and CAP device cancels the fake transaction. # CAP device uses the IAI mask: 111011011000<sub>2</sub> to drop bits; those bits that correspond to a 0 in the mask are dropped. # Hence the final response is 1100110<sub>2</sub> or 102 in decimal. The real world process is of course somewhat more complex as the card can return the ARQC in one of two formats (either the simple Response Message Template Format type 1 (id. 80{{sub\|16}}) or the more complex Response Message Template Format 2 (id. 77{{sub\|16}}) which splits the ARQC data into separate TLV values that need to be reassembled sequentially to match that of the type 1 format. The same on-card PIN retry counter is used as in EMV transactions. So just like at an ATM or POS terminal, entering an incorrect PIN three times in a row into a CAP reader will block the card.▼ In the identify mode, the response depends only on the required bits from the IAI as the amount and reference number are set to zero; this also means that selecting respond and entering a number of 00000000 will in fact generate a valid identify response. More concerningly however, if a respond request is issued by a bank, using the sign mode with the same number and an amount of ¤0.00 will again generate a valid result which creates a possibility for a fraudster to instruct a customer to do a "test" challenge response for an amount of ¤0.00 which is in fact going to be used by the fraudster to verify a respond command in order for them to add themselves as a payee on the victim's account; these attacks were possible to carry out against banks that used strong authentication devices that were not canceling activities until an amount of at least 0.01 was entered.<ref name="cambridge"/> The likelihood of these kinds of attacks was addressed in 2009 when new generations of devices were rolled out, implementing secure ___domain separation functionality that is compliant with the MasterCard Application note dated October 2010.{{clarify\|reason=how does this fix the issue?\|date=August 2012}} Similarly of course; a bank that implements the identify command makes it possible for a fraudster to request a victim to do a "test" respond transaction using 00000000 as the reference, and will then be able to successfully login to the victim's account.<ref name="cambridge"/> ▲The same on-card PIN retry counter is used as in other EMV transactions. So just like at an ATM or POS terminal, entering an incorrect PIN three times in a row into a CAP reader will block the card. ==Incompatibility== The original CAP specification was designed to use normal EMV transactions, such that the CAP application could be deployed without updating the firmware of existing EMV cards if necessary. The preferred implementation uses a separate application for CAP transactions. The two applications may share certain data, such as PIN, while other data is not shared in instances where it is only applicable to one application (i.e., terminal risk management data for EMV) or advantages to have separate (i.e., transaction counter, so that EMV and CAP transactions increment separate counters which can be verified more accurately). The reader also carries implementation specific data, some of which may be overridden by values in the card. Therefore, CAP readers are generally not compatible with cards from differing issuing banks. However, most UK banks that issue card readers conform to a CAP subset defined by [[APACS]], meaning that, in most cases, cards issued by a UK bank can be used in a card reader issued by a different bank.{{cn\|date=March 2024}} ==Vulnerabilities== ~~Cambridge~~ [[University of Cambridge]] researchers Saar Drimer, [[Steven Murdoch]], and [[Ross J. Anderson\|Ross Anderson]] conducted research <ref name="cambridge">~~[http~~{{cite conference \|url=https://~~www~~murdoch.~~cl.cam.ac.uk/~sjm217~~is/papers/fc09optimised.pdf \|title=Optimised to ~~fail~~Fail: Card ~~readers~~Readers for ~~online~~Online ~~banking]~~Banking \|last1=Drimer \|first1=Saar \|last2=Murdoch \|first2=Steven J. \|last3=Anderson \|first3=Ross \|author-link2=Steven Murdoch \|authorlink3=Ross J. Anderson \|year=2009 \|publisher=Springer \|series=LNCS \|volume=5628 \|pages=184–200 \|conference=Financial Cryptography and Data Security \|doi=10.1007/978-3-642-03549-4_11}}</ref> into the implementation of CAP, outlining a number of vulnerabilities in the protocol and the UK variant of both readers and cards. Numerous weaknesses were found. [[Radboud University]] researchers found a vulnerability in the Dutch [[ABN AMRO]] e.dentifier2, allowing an attacker to command a [[USB]] connected reader to sign malicious transactions without user approval.<ref name="radboud">[https://www.cs.ru.nl/~rverdult/Designed_to_Fail_A_USB-Connected_Reader_for_Online_Banking-NORDSEC_2012.pdf Designed to Fail: A USB-Connected Reader for Online Banking]</ref> ==Users== ===Belgium=== [[Image:lecteur-de-carte-belfius.png\|right\|thumb\|A [[Belfius]] card reader]] Most majors banks of Belgium (including [[Belfius]], [[BNP Paribas Fortis]], [[ING Group\|ING]], [[KBC Bank]]) provide such a card reader. It is used for two main purposes: * Authenticating to the bank eBanking website. In order to access private information like balance checking. * Signing a transaction. For example in eCommerce (3DS) to buy goods or service on an online merchant, or to perform a [[bank transfer]]. The merchant would ask for the bank card information, then redirect the user to the bank website where a webpage is displayed with instructions to follow to verify the transaction. Then the bank redirects the user to the merchant page with a success or a failure. The device is equipped with an optional USB port, those two operations can be used without connecting the cable on a computer. It was the most used method to pay online, offering a verification method similar to PIN in POS. Since the wide acceptation of smartphones, the banks offer an alternative using a local application on the phone, using a QR-Code to scan, or using the popular {{Interlanguage link\|Itsme\|fr\|Itsme}} app. The device is also compatible with the [[Belgian identity card\|Belgian eID card]] to access government services like tax declaration, medical insurance information, unemployement, etc. Those services are also generally available using Itsme. ===Sweden=== * [[Nordea]] ~~began~~ using CAP in November 2007.<ref>[http://www.nordea.se/sitemod/upload/Root/www_nordea_se/Privat/internet_telefon/internet/demo_e-kod/index.html New security solution \| nordea.se], in Swedish.</ref> The Nordea {{proper name\|eCode}} solution is used by Nordea both for eBanking, eCommerce (3DS) and also with eID. The reader which has some more advanced ~~function~~functionality that extends CAP, makes Nordea's CAP implementations more secure against trojans and [[man-in-the-middle ~~attacks~~attack]]s. When used for eID, the user is able to file his "tax declaration" online, or any ofimplemented ~~provided eGoverment~~e-government functions. The device is also equipped with a USB-port, that ~~enable~~enables the bank to perform Sign-What-You-See for approval of sensitive transactions. ===United Kingdom=== [[Image:nationwide-CAP-reader.jpg\|right\|thumb\|A Nationwide CAP Device with a 20p coin to scale]] [[Image:Natwest--CAP-reader.jpg\|right\|thumb\|A Natwest CAP Device with a 10p coin to scale]] [[APACS]] defined a CAP subset for use by UK banks.▼ [[File:Barclays Pinsentry 5920.jpg\|right\|thumb\|Barclays Pinsentry 5920]] [[Barclays Bank]] began issuing CAP readers (which they call "PINsentry") in 2007 to customers who make an online payment to a new recipient.<ref>{{cite web\|url=http://www.barclays.co.uk/pinsentry/ \| title=Barclays PINsentry}}</ref><ref>[http://www.theregister.co.uk/2006/08/09/barclays_launches_cardreaders/ Barclays to launch two-factor authentication], The Register, 2006-08-09.</ref> Their online-banking website uses the "identify" mode for login verification and the "sign" mode for transaction verification. The "respond" mode is not currently used. The PINsentry device is powered by four [[LR44]] [[button cell]] batteries, which the manual claims will last from five to seven years. A version for vision-impaired users (with voice output) is available on request. The device is also now used in branches in order to replace traditional chip and pin devices in order to further prevent attempted fraud.▼ ▲The [[~~APACS~~UK Payments Administration]] defined a CAP subset for use by UK banks. It is currently used by: [[Nationwide]] [[~~Ulster~~Barclays Bank]] [[~~Co-operative~~Ulster Bank~~]] and [[Smile Bank\|Smile~~]] ~~[[Royal Bank of Scotland]] (including~~ [[NatWest]]) [[The ~~CAP readers of Barclays, Nationwide,~~Co-operative Bank\|Co-operative Bank~~/Smile~~]] and ~~RBS~~[[Smile ~~are all intercompatible.~~Bank\|Smile]] [[Royal Bank of Scotland]] Bank cards issued by HBOS are technically compatible with the system, though HBOS has not (yet) introduced CAP readers for use with their online banking.<ref name="cambridge"></ref>▼ [[Lloyds Bank]] [[Nationwide Building Society\|Nationwide]] The CAP readers of Barclays, Lloyds Bank, Nationwide, NatWest, Co-operative Bank/Smile and RBS are all compatible. ▲[[Barclays ~~Bank~~]] began issuing CAP readers (~~which~~called ~~they call "~~''PINsentry"'') in 2007 ~~to customers who make an online payment to a new recipient~~.<ref>{{cite web\|url=http://www.barclays.co.uk/pinsentry/ \| title=Barclays PINsentry\|archiveurl=https://web.archive.org/web/20070616213459/http://www.barclays.co.uk/pinsentry/\|archivedate=16 June 2007\|url-status=dead}}</ref><ref>[~~http~~https://www.theregister.co.uk/2006/08/09/barclays_launches_cardreaders/ Barclays to launch two-factor authentication], The Register, 2006-08-09.</ref> Their online-banking website uses the "''identify"'' mode for login verification and the "''sign"'' mode for transaction verification. The "''respond"'' mode is ~~not currently~~ used. ~~The~~as ~~PINsentry~~part ~~device is powered by four [[LR44]] [[button cell]] batteries, which~~of the ~~manual~~new ~~claims~~PingIt ~~will~~Mobile ~~last~~Payment ~~from five to seven years. A version~~application for ~~vision-impaired~~authenticating ~~users~~the ~~(with~~account ~~voice output) is available on request~~details. The device is also now used in branches, ~~in order to replace~~replacing traditional chip and pin devices in order to further prevent attempted fraud. ▲Bank cards issued by [[HBOS]] are technically compatible with the system, though HBOS has not (yet) introduced CAP readers for use with their online banking.<ref name="cambridge">< /~~ref~~> ==Software implementations== There exists<ref>{{Cite web\|title=Application\|url=https://sites.uclouvain.be/EMV-CAP/Application/\|access-date=2021-04-30\|website=sites.uclouvain.be}}</ref> a software implementation written in Python supporting Mode 1, Mode 2 and Mode 2 with TDS to be used for educational purposes only. The identify function (without challenge) corresponds to the m1 function with the challenge "00000000". Note that using this software for real financial operations can lead to some risks. Indeed, the advantage of using a standalone reader is to isolate the banking card from malware potentially located on the PC. Using it in a non-secured reader is taking the risk that a keylogger intercepts the PIN, and [[Point-of-sale_malware\|point of sale malware]] gains access to the card details, or even intercepts a transaction to modify it or operates its own transaction. ==See also== * [[3-D Secure]] ==References== Line 52 ⟶ 91: <references/> [[Category:Payment ~~systems~~cards]] [[Category:Smart cards]]