17 December 2017
Matt Scott

Matt Scott

Matt Scott - RenovITe Technologies Inc

13Posts 67,521Views 145Comments

Flaws in EMV Chip and PIN

11 February 2010  |  5773 views  |  1

This evening I amused myself by watching another group of Cambridge University Students prove security loophole in the EMV Chip & PIN System.

Obviously the BBC heavily edited the clips to try and prevent Joe Public from knowing what exactly is taking place but the setup appeared to involve an Smart Card Reader, a bunch of cable, a laptop and a wired Smart Card.  

The whole process is basically a man-in-the-middle attack and spoofs the genuine card into thinking that the Card Verification Method (CVM) for a given transaction was Chip & Signature but the wired Spoof Card has interacted with a POS as if it were a Chip & PIN Transaction.

What the Cambridge University students neglected to inform joe public:

* Issuer Action Codes (IAC) could be updated via an EMV Script to a whole estate of Cards in Issue to prevent this from occurring (i.e. remove Signature as a CVM for EMV based transactions).

* The Whole Process relies on the fact the Fraudsters have access to an original EMV Card (i.e. they haven't cloned a card) - Cardholders are responsible for reporting a Lost or Stolen Card Immediately - having done this the Card will be Blocked Online - limiting Fraud Exposure to transactions below the offline floor limit (normally after 3 offline transactions a card is forced to authorise online).

* Once a "Blocked" Lost or Stolen Card does go online a Script will be downloaded to Block the EMV Application or the Whole EMV Card, the Magnetic Stripe will also be declined if an attempted transaction goes online.

* The Card Host should respond to online transactions with a Capture Decline - i.e. the Merchant/ATM/Unattended Payment terminal should retain the card.

Rant in e minor over...

 

http://news.bbc.co.uk/1/hi/sci/tech/8511710.stm

http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html

TagsCardsSecurity

Comments: (1)

Steven Murdoch
Steven Murdoch - University College London - London | 12 February, 2010, 01:37

Matt,

The BBC footage couldn't contain much detail, if only due to time constraints. They had to cut down two days of filming into a seven minute package. For further information, I'd refer you to the paper, and FAQ.

I do think that these clearly state the limitations of the attack, including that it only works for stolen cards, and that these can be canceled. However, in practice, it does take customers quite a while to notice, especially if their card has been stolen from home rather than their wallet. This, along with mail non-receipt, was after all the reason that PIN-based cardholder verification was introduced in the first place.

I don't think changing the IAC to require PIN is a feasible solution because some terminals do not have a PIN pad, and merchants consider it desirable to fall back to a signature sometimes. The solution we suggest in the paper is for the issuer to cross-check the card verification results (CVR) against the cardholder verification method results (CVMR). This would prevent the attack while still permitting the terminal to opt for non-PIN transactions if necessary.

Steven.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)

Latest posts from Matt

Demystifying the Omni-Channel confusion

03 September 2016  |  8855 views  |  0 comments | recomends Recommends 0

ATM Shimming and The Death of EMV 2

31 August 2015  |  11683 views  |  3 comments | recomends Recommends 1 TagsCardsPaymentsGroupBusiness Knowledge for IT

UK Mobile Proximity Payments 2015

10 August 2015  |  6136 views  |  1 comments | recomends Recommends 0 TagsCardsMobile & onlineGroupInnovation in Financial Services

Will Host Card Emulation save NFC?

14 August 2014  |  3539 views  |  0 comments | recomends Recommends 1 TagsCardsMobile & onlineGroupInnovation in Financial Services

Pace of Change and Innovation

01 October 2013  |  3534 views  |  1 comments | recomends Recommends 0 TagsCardsPaymentsGroupBanking Architecture

Matt's profile

job title Chief Technology Officer
location London
member since 2009
Summary profile See full profile »
Leading the development of new software platforms and services.

Matt's expertise

Member since 2009
13 posts145 comments

Who's commenting on Matt's posts