The EMV Standard: Break, Fix, Verify

  title={The EMV Standard: Break, Fix, Verify},
  author={David A. Basin and Ralf Sasse and Jorge Toro-Pozo},
  journal={2021 IEEE Symposium on Security and Privacy (SP)},
EMV is the international protocol standard for smartcard payment and is used in over 9 billion cards worldwide. Despite the standard’s advertised security, various issues have been previously uncovered, deriving from logical flaws that are hard to spot in EMV’s lengthy and complex specification, running over 2,000 pages.We formalize a comprehensive symbolic model of EMV in Tamarin, a state-of-the-art protocol verifier. Our model is the first that supports a fine-grained analysis of all relevant… Expand

Figures and Tables from this paper

Card Brand Mixup Attack: Bypassing the PIN in non-Visa Cards by Using Them for Visa Transactions
This paper shows that it is possible to induce a mismatch between the card brand and the payment network, from the terminal’s perspective, and extends the formal model of the EMV contactless protocol to machine-check fixes to the issues found. Expand
Breaking and Fixing Unlinkability of the Key Agreement Protocol for 2nd Gen EMV Payments
A strong definition of unlinkability is adopted that does account for active attackers and an enhancement of the protocol proposed by EMVco is proposed where it makes use of Verheul certificates, proving that the protocol does satisfy strong un linkability, while preserving authentication. Expand
Mechanised Models and Proofs for Distance-Bounding
FlexiDB is proposed, a new cryptographic model for distance bounding, parameterised by different types of fine-grained corruptions, and used to exhibit a flavour of man-in-the-middle security on a variant of MasterCard’s contactless-payment protocol. Expand


Chip and Skim: Cloning EMV Cards with the Pre-play Attack
How the vulnerability was detected, a survey methodology developed to chart the scope of the weakness, evidence from ATM and terminal experiments in the field, and the implementation of proof-of-concept attacks are described, which discuss countermeasures. Expand
Formal Analysis of the EMV Protocol Suite
This paper presents a formal model of the EMV (Europay-MasterCard-Visa) protocol suite in F# and its analysis using the protocol verification tool ProVerif in combination with FS2PV, which is the first comprehensive formal description of EMV. Expand
Chip and PIN is Broken
This paper describes and demonstrates a protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card’s PIN, and to remain undetected even when the merchant has an online connection to the banking network. Expand
Cloning Credit Cards: A Combined Pre-play and Downgrade Attack on EMV Contactless
This paper introduces an attack scenario on EMV contactless payment cards that permits an attacker to create functional clones of a card that contain the necessary credit card data as well as pre-played authorization codes. Expand
A Comprehensive Symbolic Analysis of TLS 1.3
The most comprehensive, faithful, and modular symbolic model of the TLS~1.3 draft 21 release candidate is constructed, and an unexpected behaviour is revealed, which is expected to inhibit strong authentication guarantees in some implementations of the protocol. Expand
Keep Your Enemies Close: Distance Bounding Against Smartcard Relay Attacks
A new defence based on a distance bounding protocol is described and implemented, which requires only modest alterations to current hardware and software and could provide cost-effective resistance to relay attacks, which are a genuine threat to deployed applications. Expand
A Formal Analysis of 5G Authentication
This work provides the first comprehensive formal model of a protocol from the AKA family: 5G AKA, and finds that some critical security goals are not met, except under additional assumptions missing from the standard. Expand
Operational Semantics and Verification of Security Protocols
A tool set called Scyther is developed that can automatically find attacks on security protocols or prove their correctness and is ideally suited both for researchers and graduate students of information security or formal methods and for advanced professionals designing critical security protocols. Expand
Know Your Enemy: Compromising Adversaries in Protocol Analysis
A symbolic framework, based on a modular operational semantics, for formalizing different notions of compromise relevant for the design and analysis of cryptographic protocols is presented, and the concept of a protocol-security hierarchy is introduced, which classifies the relative strength of protocols against different adversaries. Expand
Post-Collusion Security and Distance Bounding
The notion of post-collusion security is introduced, which verifies security properties claimed in sessions initiated after the collusion occurred, and is used to analyse terrorist fraud on protocols for securing physical proximity, known as distance-bounding protocols. Expand