Chip and PIN is broken

There was a 9-minute film on Newsnight yesterday evening (available online) showing some research by Saar Drimer, Ross Anderson, Mike Bond and me. We demonstrate a middleperson attack on EMV which lets criminals use stolen chip and PIN cards without knowing the PIN.

Our technical paper “Chip and PIN is Broken” explains how. It has been causing quite a stir as it has circulated the banking industry privately for over 2 months, and it has been accepted for the IEEE Symposium on Security and Privacy, the top conference in computer security. (See also our FAQ, press release, and summary from the BBC.)

The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists’ cards. The transactions went through fine and the receipts say “Verified by PIN”.

It’s no surprise to us or bankers that this attack works offline (when the merchant cannot contact the bank). But the real shocker is that it works online too: even when the bank authorisation system has all the transaction data sent back to it for verification.
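One consistency check an issuer could run on online authorisation data, given as an added example that is not from the original post or the paper's code: compare the cardholder verification method the terminal reports with what the card itself recorded. The 3-byte CVM Results layout follows the EMV specification; `card_saw_pin_verify` is a hypothetical flag assumed to be decoded from the card's issuer-specific, cryptographically protected data, and all sample values are constructed.

```python
# Added example: flag transactions where the terminal and the card disagree
# about whether the card verified a PIN.

# EMV CVM codes (low 6 bits of byte 1) in which the card itself checks the PIN.
OFFLINE_PIN_CODES = {0x01, 0x03, 0x04, 0x05}
CVM_NAMES = {
    0x01: "plaintext PIN verified by card",
    0x02: "enciphered PIN verified online",
    0x03: "plaintext PIN by card + signature",
    0x04: "enciphered PIN verified by card",
    0x05: "enciphered PIN by card + signature",
    0x1E: "signature",
    0x1F: "no CVM required",
}
RESULT_SUCCESSFUL = 0x02  # byte 3: 0x00 unknown, 0x01 failed, 0x02 successful


def parse_cvm_results(raw: bytes) -> dict:
    """Decode the terminal's 3-byte CVM Results field."""
    if len(raw) != 3:
        raise ValueError("CVM Results must be exactly 3 bytes")
    code = raw[0] & 0x3F  # top bits of byte 1 are not part of the method code
    return {"code": code, "name": CVM_NAMES.get(code, "other"),
            "condition": raw[1], "result": raw[2]}


def check_transaction(cvm_results: bytes, card_saw_pin_verify: bool) -> str:
    """Return 'mismatch' when the terminal claims a successful card-verified
    PIN but the card's own record (hypothetical decoded flag) says no PIN
    verification took place; otherwise 'consistent'."""
    cvm = parse_cvm_results(cvm_results)
    terminal_claims_pin = (cvm["code"] in OFFLINE_PIN_CODES
                           and cvm["result"] == RESULT_SUCCESSFUL)
    if terminal_claims_pin and not card_saw_pin_verify:
        return "mismatch"
    return "consistent"


if __name__ == "__main__":
    # Constructed samples: (terminal CVM Results, card-side flag)
    samples = {
        "genuine chip and PIN": (bytes.fromhex("010002"), True),
        "genuine chip and signature": (bytes.fromhex("1e0000"), False),
        "terminal says PIN, card says none": (bytes.fromhex("010002"), False),
    }
    for label, (cvm, flag) in samples.items():
        print(f"{label}: {parse_cvm_results(cvm)['name']} -> "
              f"{check_transaction(cvm, flag)}")
```

The third sample is the disagreement described above: the terminal records "Verified by PIN" while the card believes no PIN was checked.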

Read more at Light Blue Touchpaper...

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
