Italian researchers claim to have found a serious security flaw which enables skimming devices to steal data from chip and PIN cards at point-of-sale terminals and ATMs.
In a presentation at the CanSecWest security conference earlier this month, the researchers from InversePath declared that chip and PIN is "definitely broken" and skimming will become "extremely appealing" to fraudsters.
The group built a prototype skimming device which it says can be easily installed at any POS terminals or ATMs, is virtually impossible to spot and uses the machines to power itself.
EMV cards talk to payment terminals via application protocol data unit (APDU) messages for reading records and issuing commands. InversePath says skimmers can intercept and read every part of the terminal-ICC exchange.
Crooks can then download the data with a special card recognised by the skimmer and use it to perform online transactions that do not require users to give the CVV numbers on the back of their cards.
View the presentation slides here:
Download the document now 2 mb (PDF File)