SDA Protocol Payment Cards Remain a Target for Cybercriminals

Despite the heralded security of chip-and-PIN payment cards that follow the EMV (Europay, Mastercard and Visa) standard, some EMV cards are still undermined by the continued use of the static data authentication (SDA) protocol.

SDA is one of three protocols that can be used to authenticate transactions, along with dynamic data authentication (DDA) and combined data authentication (CDA). Among these three authentication protocols, SDA is the weakest, using the same static digital signature for each card transaction, and PIN verification is done in clear text. Researchers have already demonstrated how communication between chip cards and the point-of-sale terminals can be intercepted to recover the PIN associated with a payment card.

DDA and CDA are considered much more secure because cards based on either protocol contain a cryptographic processor that generates a dynamic signature to verify each transaction. These protocols have yet to be broken and are much more effective in holding off fraudsters, who can skim and clone data from SDA cards or conduct replay attacks.

The migration to EMV cards, meanwhile, has been a success where implemented. Visa, in February, released data that showed a 70 percent decrease in fraud for merchants that had completed their chip upgrade since December 2015. Visa also said there are 2.7 million merchant locations in the U.S. that accept chip cards, a 578 percent increase since EMV migrations began. The impetus for this rapid adoption began in October 2015 when liability for losses incurred due to fraudulent transactions shifted to merchants that did not support EMV.

SDA cards, however, remain an outstanding issue to contend with. Despite mandates from Mastercard, Visa, and other payment card companies to move away from SDA, some issuers are slow to adopt the DDA and CDA protocols given the costs of doing so, despite years of advanced notice from the card giants. Mastercard, for example, has not permitted SDA on new cards in the U.S. since the start of the EMV migration, and in most of Europe since the start of 2011. For its part, Visa mandated a ban on SDA in Europe outright, and since 2015 on new cards in the U.S., Latin America, Canada, Asia, Africa and the Middle East.

Fraudsters, meanwhile, continue to show interest in SDA. Flashpoint researchers have reported that attackers on Deep & Dark Web (DDW) forums and communities are still willing to pay for lists of cards using SDA associated with certains BINs (Bank Identification Numbers) which can be used to write stolen card data to magnetic card stripes or chips if the necessary EMV software is also available. Flashpoint analysts have observed EMV-writing software for sale that appears to be from legitimate sources, as well as software that cybercriminals claim to have created themselves. This software is often advertised alongside static BINs by some DDW vendors who claim to possess it.

Attackers understand that some SDA cards are still in use, and by targeting SDA cards using offline transactions, they don’t have to invest in cracking CDA, DDA, or the authorization request cryptogram (ARQC). ARQC is generated by cards for transactions that necessitate online authorization. The data is encrypted in transit, and the issuer responds with a generated Authorization Response Cryptogram (ARPC) in order to validate the ARQC, authorize the transaction, and verify that it is not from a skimmed card.

Cracking any of the aforementioned protocols would require significant investment and computing power. For example, CDA and DDA support RSA public key encryption, which is still considered secure and unbroken, despite some academic proof-of-concept attacks against smaller key lengths. Those capable of conducting such research and implementing their findings are likely not part of the underground carding community.

Threat actors, meanwhile, continue to express their frustration on forums with the unbroken, stronger protocols and attempt to sway potential buyers toward SDA BIN lists. Successful cloning remains another issue entirely. Flashpoint researchers say some of this depends on the issuing financial institution and its location because SDA usage varies by region. Otherwise, it’s likely the BINs are no longer valid and cashing out could be a challenge.

Flashpoint analysts, meanwhile, have high confidence that attackers will continue to target EMV cards utilizing SDA. As adoption of new mandates for CDA and DDA continue, attackers will be in a race to leverage the remaining SDA-based BINs still in the wild. Developing nations may be most at risk; with fewer resources, these regions are less likely to be in compliance.