Monday, November 30, 2009

Breaking The SmartCard Payment Security System

In the recent years, there has been a huge amount of development within e-commerce industry. One of the remarks to secure POS(point of sale) and other electronic payments is to use SmartCard Payment System (Chip & PIN technology). Its simple procedure allow customers to insert contact-smartcard at any POS and enter the PIN code into PED (Pin Entry Device) before authorizing the transaction.

SmartCard Protocol

1. Card To PED
Cardholder details captured (cardholder name, account, expiry, CVC, etc) and other magnetic strip information.

2. PED Display
Transaction description (currency type, value) and PIN entered by customer.

3. Final Authorization
PIN verification results and authorization code.

For this protocol standard to work securely, it is required to develop PED being tamper proofed. This foundation has been forced and practiced widely by VISA, EMV, PCI and APACS (UK). The evaluation of PED is then performed by well-established standards such as "Common Criteria".

Protection Measures and Possible Tampering

Tampered Switches within PED

Dione Xtreme

Ingenico i3300

Tamper Resistance

As of the current protection mechanisms deployed under PED help banks to secure their keys but not the actual customer details. Cardholder details including PIN code are sent unencrypted between card and PED. Thus, if a fraudster intercept these details a fake or clone of the card can be used to withdraw cash on ATMs worldwide depending on the capability of card type and issuer. Following are the key points highlighting weaknesses from the past done by various researchers.

-Loop holes in the tamper mesh allows commnication to be intercepted. Such that an easily accessible compartment can hide a recording device.

-Dione PED is vulnerable to route the card details outside resistance controller. A customized FPGA design can be used to capture the data.
-The relay attack scenario.

Root Causes For SmartCard Security Failure

-Engineering Challanges: 3,662 pages of Visa Chip & PIN specifications.
-Economic Incentives: Standard PED security works well to protect bank keys but customer's PIN left vulnerable.
-Certification Failure: PED passed its necessary certification requirements despite of the technical/design flaws mentioned above.

Security Measures

-PED design can be improved but the smartcard communication with PED is inherently difficult to protect.
-Encrypted PIN verification is mandatory and the copy of magnetic strip data should never be stored on the chip.
-Banks can improve the security but are not responsible for any fraud, putting liability on banks correct the incentives.
-Protocol designers making unrealistic assumptions of tamper resistance can put the bank customers at risk of fraud.

Friday, November 13, 2009

Practical Toolkit for Reverse Engineering

Many people has been involved in Reversing Engineering area for years. It is still considered attractive for many hackers and crackers to breakthrough and discover unknown possibilities exist to reverse the system objectives. Today in our article we will represent some of the core practical explanations on reverse engineering tactics.

Reverse Engineering is basically described as a way to generate high-level architectural view of piece of software from the given source. Several applications involved within RE scope are vulnerability analysis, malware analysis and breaking copy-protection schemes. One can start learning the basics of RE either through 'crack-me' approach or the real-life approach (take the real-world problem, break it and attack it).

Tools of The Trade

1. Debuggers
WinDbg - Rich features, Extensive C++ support, Poor interface.
Visual Studio Debugger - Not suitable for reversing, Good interface for development.
OllyDbg - Excellent interface, easy to use, wide range of plugins.
Immunity Debugger - Extends OllyDbg features, supports Python interpreter, command-line support with windbg commands, wide range of plugins.
GDb - Standard debugger for *NIX systems, not a complete RE debugger.

2. Disassemblers
Objdump - The standard tool for disassembley in Linux.
IDA Pro - Supports various binaries and architectures, Enhance Visualization, Advanced features.

3. System Monitoring Tools
Sysinternals Suite - Process Exlorer, RegMon, FileMon, TCPView

4. Binary Differential Tool

5. Decompilers

6. Reverse Engineering Frameworks

7. Dedicated Exploitation/Reverse Engineering Environment
DVL (Damn Vulnerable Linux)

Cutting Edge Steps on Advanced Reverse Engineering

-Automation is one of the major tasks in advancing the RE process.
-Most of the tools are scriptable, extensible and programmable.
-Defeating a new anti-debugging solutions
-Develop new RE environment, such as, Virtualization and Sandboxing.
-Joining one on another tool can make a powerful toolset for RE.