Cyber security consultancy MWR InfoSecurity today confirmed its research team has taken the first step towards creating a fully automated EMV fuzzing solution for POS and ATM transactions.
As vulnerabilities can be introduced into the terminal-smartcard authentication procedure [during development], there is a need for structured and formal security evaluation to eliminate unexploited threats that exist in current devices used world-wide.
The Europay, MasterCard and Visa (EMV) standard, more commonly known as ‘Chip and PIN’, is used primarily by banks across the globe as the de facto industry standard for authenticating smartcard transactions.
MWR Labs’ PinPadPwn research in 2012 demonstrated that many EMV payment terminals can easily be compromised with malicious payment cards, casting serious doubts on the security integrity of modern EMV-enabled devices.
At that time, the process of identifying these vulnerabilities was cumbersome, time-consuming and extremely difficult to repeat for developers, security testers and customers of card payment equipment.
Building on this previous research, MWR Labs’ latest EMV protocol fuzzer combines both hardware and software to evaluate the security integrity of a device under test (DUT):
- Hardware has been designed that includes a robotic arm that automates insertion and retraction of the emulated smart card by means of a linear actuator, interfaces with a computer via USB and provides abstraction to the EMV communication stream
- A Python interface has been developed to facilitate control of the EMV fuzzer, in effect allowing on-the-fly monitoring and emulation of an EMV stream with the DUT
- Various predefined security tests formalise the security evaluation procedure
The proposed design is ready to be interfaced with a fuzzing algorithm to create a fully automated EMV fuzzing solution.
As EMV is based on the ISO 7816 standard, which secures inter-operation between smartcards and associated terminals, this fuzzing research can also be applied to other implementations where smartcards are used – such as subscriber identity modules (SIMs) and DTV decoders.
A video demonstration of the EMV fuzzer in action can be viewed here: https://youtu.be/or7_MrV4cm4
Behind the Scenes
Established in 2003, MWR InfoSecurity is a research-led information security consultancy, with a client list consisting of Dow Jones, NASDAQ, FTSE 100 companies and Government agencies & departments. MWR consults with clients around the world, providing specialist advice and services on all areas of security, from mobile through to supercomputers.
Central to its philosophy is the desire to deliver high quality cyber security consulting services and unsurpassed levels of support to clients. MWR’s focus is working with clients to develop and deliver a full security programme, tailored to meet the needs of each individual organisation.