
Flaws in EMV Chip and PIN


This evening I amused myself by watching another group of Cambridge University Students prove a security loophole in the EMV Chip & PIN System.

Obviously the BBC heavily edited the clips to try and prevent Joe Public from knowing what exactly is taking place but the setup appeared to involve a Smart Card Reader, a bunch of cable, a laptop and a wired Smart Card.

The whole process is basically a man-in-the-middle attack: it spoofs the genuine card into thinking that the Card Verification Method (CVM) for a given transaction was Chip & Signature, while the wired Spoof Card interacts with the POS as if it were a Chip & PIN Transaction.
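A defender-side view of the mismatch described above, as an added example that is not part of the original post: an issuer host compares the CVM Results the terminal reports (tag 9F34) with what the card itself recorded. The field names, the pre-decoded card flag and the sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# CVM codes carried in the low 6 bits of CVM Results byte 1 (EMV Book 3, Annex C3).
CVM_NAMES = {
    0x00: "fail CVM processing",
    0x01: "plaintext PIN verified by ICC",
    0x02: "enciphered PIN verified online",
    0x03: "plaintext PIN verified by ICC + signature",
    0x04: "enciphered PIN verified by ICC",
    0x05: "enciphered PIN verified by ICC + signature",
    0x1E: "signature",
    0x1F: "no CVM required",
}
OFFLINE_PIN_CODES = {0x01, 0x03, 0x04, 0x05}  # methods where the card checks the PIN
RESULT_SUCCESSFUL = 0x02                      # CVM Results byte 3

@dataclass
class AuthRequest:
    """Hypothetical view of the fields an issuer host would extract."""
    cvm_results: bytes          # tag 9F34, three bytes, as sent by the terminal
    card_saw_offline_pin: bool  # assumption: already decoded from the card's own
                                # verification results (layout is scheme-specific)

def parse_cvm_results(raw: bytes) -> tuple[int, int]:
    """Return (cvm_code, result) from a 3-byte CVM Results value."""
    if len(raw) != 3:
        raise ValueError("CVM Results (9F34) must be exactly 3 bytes")
    return raw[0] & 0x3F, raw[2]

def check_cvm_consistency(req: AuthRequest) -> str:
    """Flag transactions where terminal and card disagree about offline PIN."""
    code, result = parse_cvm_results(req.cvm_results)
    terminal_claims_pin = code in OFFLINE_PIN_CODES and result == RESULT_SUCCESSFUL
    if terminal_claims_pin and not req.card_saw_offline_pin:
        name = CVM_NAMES.get(code, "unknown CVM")
        return f"MISMATCH: terminal reports '{name}' but card recorded no PIN check"
    return "OK"

if __name__ == "__main__":
    # Constructed samples: (9F34 hex, flag decoded from the card's data)
    samples = [("410302", False), ("410302", True), ("1E0302", False)]
    for hex_value, card_flag in samples:
        req = AuthRequest(bytes.fromhex(hex_value), card_flag)
        print(hex_value, card_flag, "->", check_cvm_consistency(req))
```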

What the Cambridge University students neglected to inform Joe Public:

* Issuer Action Codes (IAC) could be updated via an EMV Script to a whole estate of Cards in Issue to prevent this from occurring (i.e. remove Signature as a CVM for EMV based transactions).

* The Whole Process relies on the fact that the Fraudsters have access to an original EMV Card (i.e. they haven't cloned a card). Cardholders are responsible for reporting a Lost or Stolen Card immediately; once this is done the Card will be Blocked Online, limiting Fraud Exposure to transactions below the offline floor limit (normally after 3 offline transactions a card is forced to authorise online).

* Once a "Blocked" Lost or Stolen Card does go online, a Script will be downloaded to Block the EMV Application or the Whole EMV Card; the Magnetic Stripe will also be declined if an attempted transaction goes online.

* The Card Host should respond to online transactions with a Capture Decline - i.e. the Merchant/ATM/Unattended Payment terminal should retain the card.

Rant in e minor over...

 

http://news.bbc.co.uk/1/hi/sci/tech/8511710.stm

http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
