Jorge Luis Toro Pozo


Last Name

Toro Pozo

First Name

Jorge Luis

ORCID

0000-0001-6615-1600

Organisational unit

Filters

2019 - 201912020 - 20234
Reset filters

Search Results

Publications 1 - 5 of 5
  • Inducing Authentication Failures to Bypass Credit Card PINs
    Item type: Conference Paper
    Basin, David; Schaller, Patrick; Toro Pozo, Jorge Luis (2023)
    Proceedings of the 32nd USENIX Security Symposium
    For credit card transactions using the EMV standard, the integrity of transaction information is protected cryptographically by the credit card. Integrity checks by the payment terminal use RSA signatures and are part of EMV’s offline data authentication mechanism. Online integrity checks by the card issuer use a keyed MAC. One would expect that failures in either mechanism would always result in transaction failure, but this is not the case as offline authentication failures do not always result in declined transactions. Consequently, the integrity of transaction data that is not protected by the keyed MAC (online) cannot be guaranteed. We show how this missing integrity protection can be exploited to bypass PIN verification for high-value Mastercard transactions. As a proof-of-concept, we have built an Android app that modifies unprotected card-sourced data, including the data relevant for cardholder verification. Using our app, we have tricked real-world terminals into downgrading from PIN verification to either no cardholder verification or (paper) signature verification, for transactions of up to 500 Swiss Francs. Our findings have been disclosed to the vendor with the recommendation to decline any transaction where offline data authentication fails.
  • The EMV Standard: Break, Fix, Verify
    Item type: Conference Paper
    Basin, David; Sasse, Ralf; Toro Pozo, Jorge Luis (2021)
    2021 IEEE Symposium on Security and Privacy (SP)
    EMV is the international protocol standard for smartcard payment and is used in over 9 billion cards worldwide. Despite the standard’s advertised security, various issues have been previously uncovered, deriving from logical flaws that are hard to spot in EMV’s lengthy and complex specification, running over 2,000 pages.We formalize a comprehensive symbolic model of EMV in Tamarin, a state-of-the-art protocol verifier. Our model is the first that supports a fine-grained analysis of all relevant security guarantees that EMV is intended to offer. We use our model to automatically identify flaws that lead to two critical attacks: one that defrauds the cardholder and a second that defrauds the merchant. First, criminals can use a victim’s Visa contactless card to make payments for amounts that require cardholder verification, without knowledge of the card’s PIN. We built a proof-of-concept Android application and successfully demonstrated this attack on real-world payment terminals. Second, criminals can trick the terminal into accepting an unauthentic offline transaction, which the issuing bank should later decline, after the criminal has walked away with the goods. This attack is possible for implementations following the standard, although we did not test it on actual terminals for ethical reasons. Finally, we propose and verify improvements to the standard that prevent these attacks, as well as any other attacks that violate the considered security properties. The proposed improvements can be easily implemented in the terminals and do not affect the cards in circulation.
  • SealClub: Computer-aided Paper Document Authentication
    Item type: Conference Paper
    Ochoa, Martín; Vanegas, Hernán; Toro Pozo, Jorge Luis; et al. (2023)
    ACSAC '23: Proceedings of the 39th Annual Computer Security Applications Conference
    Paper documents, where digital signatures are not directly applicable, are still widely utilized due to usability and legal reasons. We propose a novel approach to authenticating paper documents by taking short videos of them with smartphones. Our solution combines cryptographic and image comparison techniques to detect and highlight semantic-changing attacks on rich documents, containing text and graphics. We provide geometrical arguments for the security of our novel comparison algorithm, and prove that its combination with a cryptographic protocol is secure against strong adversaries capable of compromising different system components. We also measure its accuracy on a set of 128 videos of paper documents and a set of 960 synthetically generated warped documents, half containing subtle forgeries. Our algorithm finds all forgeries accurately with no false positives. The highlighted regions are large enough to be visible to users, but small enough to precisely locate forgeries.
  • Card Brand Mixup Attack: Bypassing the PIN in non-Visa Cards by Using Them for Visa Transactions
    Item type: Conference Paper
    Basin, David; Sasse, Ralf; Toro Pozo, Jorge Luis (2021)
    Proceedings of the 30th USENIX Security Symposium (USENIX Security 21)
    Most EMV transactions require online authorization by the card issuer. Namely, the merchant's payment terminal sends an authorization request to the card issuer over a payment network, typically operated by the company that brands the card such as Visa or Mastercard. In this paper we show that it is possible to induce a mismatch between the card brand and the payment network, from the terminal's perspective. The resulting card brand mixup attack has serious security consequences. In particular, it enables criminals to use a victim's Mastercard contactless card to pay for expensive goods without knowing the card's PIN. Concretely, the attacker fools the terminal into believing that the card being used is a Visa card and then applies the recent PIN bypass attack that we reported on Visa. We have built an Android application and successfully used it to carry out this attack for transactions with both Mastercard debit and credit cards, including a transaction for over 400 USD with a Maestro debit card. Finally, we extend our formal model of the EMV contactless protocol to machine-check fixes to the issues found.
  • Post-Collusion Security and Distance Bounding
    Item type: Conference Paper
    Mauw, Sjouke; Smith, Zach; Toro Pozo, Jorge Luis; et al. (2019)
    Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
Publications 1 - 5 of 5