Chip and PIN 'broken' - researchers

Italian researchers claim to have found a serious security flaw which enables skimming devices to steal data from chip and PIN cards at point-of-sale terminals and ATMs.

  0 8 comments

Chip and PIN 'broken' - researchers

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

In a presentation at the CanSecWest security conference earlier this month, the researchers from InversePath declared that chip and PIN is "definitely broken" and skimming will become "extremely appealing" to fraudsters.

The group built a prototype skimming device which it says can be easily installed at any POS terminals or ATMs, is virtually impossible to spot and uses the machines to power itself.

EMV cards talk to payment terminals via application protocol data unit (APDU) messages for reading records and issuing commands. InversePath says skimmers can intercept and read every part of the terminal-ICC exchange.

Crooks can then download the data with a special card recognised by the skimmer and use it to perform online transactions that do not require users to give the CVV numbers on the back of their cards.

View the presentation slides here:

Download the document now 2 mb (PDF File)
Sponsored [On-Demand Webinar] Global Workforce Payments: Mastering a world of complexity

Comments: (8)

A Finextra member 

Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha.

So, chip and PIN is broken, because there are some online merchants who break the card scheme rules?

Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha.

A Finextra member 

Not sure what the first commentator was laughing about.

Skimming devices are certainly big business in fraudster circles. Looking at these, I doubt many would notice them.

Back when I used to work on ATM's in banks, I often used to see card inserted into empty card holes when the ATM was open.

Technology works for both sides, doesn't it?

 

Adam Nybäck

Adam Nybäck System Developer at Anyro

@Neil Chip skimming is only interesting if you can use the data to produce a new chip that mimics tha original.

If all you want are card number and expiry date it's enough to have a camera since they are both printed on the card.

A Finextra member 

How does getting the card PAN and expiry date compromise Chip & PIN Security?  Slightly misleading headine I think!

The PAN and exp date should not even work online without the CVV on the back of the card... the issuer should be validating the CVV. If not present/correct on a MOTO tran, the tran should be declined

A Finextra member 

I am not sure why the second commentator, if he doesn't understand why the first commentator is laughing so heartily, is in the card security business!

 

A Finextra member 

More US Sponsored drivel.  More scaremongering.  When can we see factual based fraud discoveries instead of speculative academic exercises? 

 The cost and technical prowess required to skim a chip rather than a magnetic stripe make the type of attack detailed unlikely.

 As the writer correctly observed – there are mechanisms in place to ensure that, should chip data be compromised, a dummy/clone mag stripe card could not be created (iCVV being one example).  However – the author neglected to observe that often Multi-Application Chip Cards use Alternate PAN’s to Identify Differing Applications (from what is considered the Primary or Default Application).

 Issuers are slowly beginning to patch holes in their Authorization systems – such as the ability to compare TVR, CVM and CVR Data to ensure a Man-in-the-Middle attack has not altered the data.

 It has been known for a while that SDA Cards are significantly weaker than DDA or CDA Alternatives – this is why most issuers in the Western world are transitioning away from SDA.

 Initially Chip & PIN was believed to be able to reduce Transaction load on Authorization systems as it was expected that there would be an increase in under-the-floor-limit offline transactions.  However the opposite occurred – mainly because Issuers were lazy in the configuration of their EMV ICC Logic and partially because they lacked the ability to make advanced parameter changes using post-issuance scripting.  

A Finextra member 

Haha,

So true Dave, but I can see the Americans: 'omg! are you saying that everyone can have my PIN if I use my Chip card? So I'll have to smack those chips with a hammer just like I did with all my RFID too?'

Anyway, skimming is not an Issue if noone figured out how to counterfeit those babies, innit?

A Finextra member 

Well, if it is broken fraudsters are being unusually slow to cotton on to the fact. UK card fraud fell 17% last year and is at its lowest level since 2000. They must be on their hols.

[New Report] Managing Fraud Risks with Synthetic Data: A Practical Approach for Businesses ServicesFinextra Promoted[New Report] Managing Fraud Risks with Synthetic Data: A Practical Approach for Businesses Services Industry