A Finextra member 12 September, 2012, 14:04 0 likes

Wow.  Waiting for the defence of EMV.  As you say - has far reaching legal implications for non-repudiation.   One thing - you still have to steal the card/chip, yes?  You can only (possibly) clone a valid transaction, not the chip itself?

Steven Murdoch - University College London - London 12 September, 2012, 14:35 0 likes

You don't have to steal the card, just have temporary access to it. This could be achieved by asking the customer to use the card in a tampered Chip and PIN terminal. The cryptograms could be collected either instead of the legitimate transaction, or in addition to it. Then the cryptograms could be pre-played to a vulnerable ATM or point of sale terminal.

The attack could alternatively be done by stealing the card. For example, someone could take the card, collect cryptograms, then return it. In some situations this might work better, because the customer will take longer to notice the fraud and cancel the card.

If the criminal doesn't plan to return the card, then he might as well just use the genuine one rather than a pre-play clone.

A Finextra member 12 September, 2012, 23:14 0 likes That Cambridge group are great at penetration testing (and they keep their legal department busy too - their work upsets many players in the industry, but that's a separate can of worms...) Add Contactless EMV to that equation and the picture gets even more serious. As Square clearly explained (to Verione) - consumers cannot (and should not be asked to!) tell whether a POS terminal is secure. Hence, they will happily present their cards to any terminal that sits on the counter. Possible solution, at least for ATMs - UNs must be generated by the issuers direct. The "rails" are already in place for that, in most cases (amending EMV protocol is a totally different story, though).

Nick Collin - Collin Consulting Ltd - London 13 September, 2012, 15:58 0 likes

Let's put this in perspective.  Number of successful EMV chip transactions worldwide - about 150 billion per year.  Number of proven instances of this type of pre-play attack - zero.  Realistic liklihood of this type of attack - close to zero.  Reduction in card fraud due to EMV chip - about £1 billion per year in the UK alone.  The positives somewhat outweigh the negatives I think!  But yes, it's a theoretical implementation weakness which can be easily fixed, so a useful addition to EMV deployment best practice.