Heartbleed bug seemed to shake world of security, but what about core banking? All EMV is based on RSA certificates (X.509) being employed for SDA, DDA and CDA operations ensuring card application’s confidentiality and integrity. Heartbleed bug seemed to allow retrieval of those in some cases, should we be worried? Short answer is not at all, your private certificates are safe and so EMV is. If you want to know why, read on.
Let’s start with tiny review of what Heartbleed bug actually is about. Heartbleed bug allows to mine data stored beyond a frame of memory allocation for messages over TLS (Transport Layer Security). This is achieved by providing a heartbeat request with invalid header length, where server response returns data of that length without checking what exactly is being responded. Obviously content of retrieved buffer is very random, but due to the order of memory allocation it can potentially contain very interesting data. It was reported that this method was successfully applied to extract X.509 certificate data, user logins, password, email and even working documents. So shouldn’t we be worried? Answer is still the same, no, not at all.
See the picture from Randall Munroe below this article as it is worth a thousand words.
Where exactly are all these certificates in use in payments? We have three main places: client’s banking application, inter-bank H2H connections (Host to Host) and chain of issuer’s certificates for card production. Let’s go through those one by one:
Client’s banking application – this is the most likely the main leak in a system. Heartbleed bug can be potentially used for querying a banking service to mine memory data for any interesting information for later reuse. However there is a PCI DSS requirement for two-factor authentication for these systems which should prevent attacker from gaining an bank service access. Still, some private information can leak out about client’s account balances, card numbers, validation codes (CVVs) and more. So this type of attack wold potentially affect data exchanged in relevance to banking application – Internet facing server and CNP services using this library. In this case there is very high risk and a patch (new library) should be applied immediately.
Second in a row is Interbanking H2H connection. Host to Host connections are being used for acquirer’s transaction processing – cross banking payment authorisation. These connections are commonly carried over the open Internet infrastructure, but encapsulated under VPN or secured with a TLS (or SSL) connection. It is a good practice that these are point-to-point reliable TCP/IP connections, leaving very little space for a Man-In-the-Middle activities. Also all this secured communication is handled and filtered by Internet facing firewalls so any leak would not reveal any sensitive data anyway.
Finally – the Issuer’s Card certificates – everybody’s bank treasure as there are just few being employed and those are very important for securing EMV confidentiality. What are these for? Every card issuer has a set of X.509 private certificates, signed by a top certification authority and also by a payment network which produced card belongs to. This chain of certificates is being employed in Static, Dynamic and Combined Data Authentication operations between a card and payment terminal as part of EMV authorisation process. Result of these operations tells terminal (and card) that no one tackled with card’s internal memory and both sides can be trusted. These certificates are usually being loaded into a card production system or security device which calculates card’s security data as part of card issuing process (e.g. Thales P3). Card production systems are usually old-school mainframes and Thales is simply said – a black box. While containing very sensitive information, these backend systems are never exposed to the outside world and are certainly not using OpenSSL library.
Lots of articles can be found on how threatening the Heartbleed bug can be, having advices ranging from global password change to all Internet services to hysterical ones recommending immediate workstation disconnection from the Internet. Anyway, Heartbleed bug itself is related to only few versions of the OpenSSL library, where core banking is well known to be very conservative to Open Source as well as to updates to software which doesn’t need to be updated. Confidence and credibility of our core payment systems wasn’t threatened and there are no actions to be taken in relation to EMV card’s issuing at all.