The End of the Line For EMV SDA

December 15th, 2008

Are we about to see the demise of SDA or Static Data Authentication?

There is growing evidence that the end is near for SDA. It has served us well for the last 10 years, and provided a low cost solution to allow banks around the world to start the migration from magnetic stripe cards to EMV chip cards.

So what is SDA? Please click here if you want to read more about SDA, and how DDA solves the looming problem to which SDA exposes the card industry. EMV Offline Data Authentication

Since the middle of 2008 it appears there has been a significant increase in the amount of fraud activity in the magnetic stripe card world. Evidenced by an almost alarming jump in the harvesting of magnetic stripe data and the capturing of PINs which are then used to produce counterfeit magnetic stripe bank cards. Interestingly, the UK, a 100% chip acceptance market, has been at the centre of all this activity, and is often where the cards are being compromised.

To date it is the magnetic stripe technology that is being attacked. Counterfeit cards with copied magnetic stripes are taken to markets where there are no or few EMV terminals and ATMs, and successfully used in magnetic stripe terminals. This is done because where the copied magnetic stripe is skimmed from a chip card, the counterfeit card would not work in EMV terminals and ATMs because the magnetic stripe is encoded to indicate chip capability and this means the card must be read from the chip and not the magnetic stripe.

The alternative for fraudsters is to put the counterfeit magnetic stripe copied from a chip card onto a card with a “fake” chip and force what is called a fallback to magnetic stripe transaction. This is where the EMV terminal or ATM cannot read the chip on the card and so is allowed under card payment rules to allow the card to be read from the magnetic stripe. However, this alerts the issuer to potential fraud, as a fallback to magnetic stripe card is quite rightly considered a high risk transaction.

This opportunity exists while we have a magnetic stripe acceptance environment. However, as markets move to close this exposure by rolling out 100% EMV terminals and ATMs, and stopping fallback to magnetic stripe, then magnetic stripe will become increasingly difficult to attack. There will be an increasingly shrinking market to safely use counterfeit magnetic stripe cards. Fraudsters will then need to step up and start counterfeiting EMV chip cards. Today, it is only feasible to counterfeit SDA chip cards.

Up until now, the banking industry, and particularly the UK banks, have been issuing SDA cards because the fraudsters still find it much easier to attack and counterfeit magnetic stripe cards. However, the first signs are appearing that the fraudsters are capable of collecting the necessary chip data from cards to produce counterfeit chip data.

Two recent events tend to suggest that we may be approaching a tipping point and deciding that SDA is too risky going forward. The first is news of more sophiticated attack methods being deployed in the UK where fraudsters are demonstrating a capability to harvest information from EMV chips at the point of sale. Refer to this article from the UK Times for more information. Gangs Develop New Chip and PIN Fraud