I think the report from the University of Cambridge is very interesting and raises some very valid points, despite the fact that it is quite theoretical and could only work in a specific set of circumstances.
There are a number of options that the banking community has to prevent fraud of this nature.
1. Do not allow EMV cards to be verified by signature, unless there are specific circumstances such as the cardholder travelling overseas, or signature being required because a physical disability means PIN isn't an option. This could be rolled out by the banks checking the Card Verification Results during the authorisation process. (Card Verification Results are unaffected by this attack and give a true report of whether the offline PIN was verified by the card.)
2. The report suggests comparing the Cardholder Verification Method Results (CVMR) with the data contained within the Card Verification Results (CVR) file, to ensure they report the same verification method. Currently the CVMR data doesn't always get passed from the acquirer to the issuer; however, if it were mandated by the card schemes, this could come into effect quite quickly. For the issuing banks, once they have all the information, it is a simple job to add one more step in the authorisation process to compare the files.
3. Again, by checking the CVR information, banks can implement a 'floor limit' for all EMV transactions that haven't been PIN verified, so there is a cap on the amount that could ever be spent.
As an industry we often talk about trying to keep up with the fraudsters, but many banks have done little with EMV since their initial implementations. A full review of the capabilities available, particularly in authorisations and risk, will mean it is the fraudsters who will be playing catch-up as the industry identifies and blocks further potential holes before fraudsters even know they exist.
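The three issuer-side checks listed in the comment (refuse signature-verified transactions outside defined exceptions, compare the terminal's CVM Results against the card's CVR, and cap transactions the card did not PIN-verify) can be expressed as one authorisation rule. The code below is an added illustration, not code from the comment or from any bank or card scheme. It assumes the terminal-reported CVM Results is the standard 3-byte EMV tag 9F34; because the CVR sits in issuer-proprietary data whose layout differs between card applications, the example takes the issuer's already-decoded "offline PIN verified by card" flag rather than parsing CVR bytes. The `Transaction` fields, the floor limit and every sample transaction are constructed for the example.

```python
"""Issuer authorisation rule combining the three checks from the comment.

Assumptions (not from the original comment):
- cvm_results is EMV tag 9F34 (3 bytes) exactly as the terminal sent it.
- cvr_offline_pin_verified is the issuer's own decode of its CVR, whose
  layout is application-specific and therefore not parsed here.
- online_pin_verified is the issuer's result for an online PIN, if any.
"""
from dataclasses import dataclass
from enum import Enum, auto

# CVM codes from EMV Book 3 (low 6 bits of CVM Results byte 1).
CVM_PLAINTEXT_PIN_ICC = 0x01
CVM_ENCIPHERED_PIN_ONLINE = 0x02
CVM_PLAINTEXT_PIN_ICC_AND_SIGNATURE = 0x03
CVM_ENCIPHERED_PIN_ICC = 0x04
CVM_ENCIPHERED_PIN_ICC_AND_SIGNATURE = 0x05
CVM_SIGNATURE = 0x1E
CVM_NO_CVM_REQUIRED = 0x1F

# Methods in which the card itself verifies the PIN (so the CVR must agree).
OFFLINE_PIN_METHODS = {
    CVM_PLAINTEXT_PIN_ICC,
    CVM_PLAINTEXT_PIN_ICC_AND_SIGNATURE,
    CVM_ENCIPHERED_PIN_ICC,
    CVM_ENCIPHERED_PIN_ICC_AND_SIGNATURE,
}
CVM_RESULT_SUCCESSFUL = 0x02  # CVM Results byte 3


class Decision(Enum):
    APPROVE = auto()
    DECLINE_CVM_MISMATCH = auto()          # option 2: terminal and card disagree
    DECLINE_SIGNATURE_NOT_ALLOWED = auto()  # option 1: no PIN, no exemption
    DECLINE_OVER_FLOOR_LIMIT = auto()       # option 3: no PIN, amount too high


@dataclass
class Transaction:
    amount_minor: int                 # amount in minor units (constructed)
    cvm_results: bytes                # tag 9F34 as reported by the terminal
    cvr_offline_pin_verified: bool    # issuer's decode of its CVR
    online_pin_verified: bool = False  # issuer verified an online PIN block
    cross_border: bool = False        # exemption: cardholder travelling
    signature_exemption: bool = False  # exemption: disability flag on account


def terminal_claims_offline_pin(cvm_results: bytes) -> bool:
    """True if the terminal reports a successful card-verified (offline) PIN."""
    if len(cvm_results) != 3:
        raise ValueError("CVM Results (9F34) must be exactly 3 bytes")
    method = cvm_results[0] & 0x3F
    result = cvm_results[2]
    return method in OFFLINE_PIN_METHODS and result == CVM_RESULT_SUCCESSFUL


def authorise(tx: Transaction, floor_limit_minor: int = 2000) -> Decision:
    """Apply the three checks in order; the first failing rule decides."""
    # Option 2: the terminal says the card verified a PIN, but the card's own
    # CVR says it did not. That inconsistency is the signature of a wedge
    # between card and terminal, so decline regardless of amount.
    if terminal_claims_offline_pin(tx.cvm_results) and not tx.cvr_offline_pin_verified:
        return Decision.DECLINE_CVM_MISMATCH

    # Trust only what the card (CVR) or the issuer itself (online PIN) verified.
    if tx.cvr_offline_pin_verified or tx.online_pin_verified:
        return Decision.APPROVE

    # Option 1: no PIN was verified, so this is effectively a signature or
    # no-CVM transaction. Allow it only under the defined exceptions.
    if not (tx.cross_border or tx.signature_exemption):
        return Decision.DECLINE_SIGNATURE_NOT_ALLOWED

    # Option 3: even under an exception, cap what a non-PIN transaction can spend.
    if tx.amount_minor > floor_limit_minor:
        return Decision.DECLINE_OVER_FLOOR_LIMIT
    return Decision.APPROVE


if __name__ == "__main__":
    # Constructed sample: terminal reports plaintext offline PIN succeeded
    # (method 0x01, result 0x02) while the card's CVR says no PIN was verified.
    wedge = Transaction(1500, b"\x01\x00\x02", cvr_offline_pin_verified=False)
    print(authorise(wedge).name)
```

In a real authorisation host the `cvr_offline_pin_verified` flag would come from the issuer's decode of its own Issuer Application Data, and the mismatch decline would typically also raise a fraud alert, since a terminal claiming a PIN result the card never produced is worth investigating beyond the single transaction.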