Chip and Pin is Broken (Again)

In theory, EMV or “Chip and PIN” -enabled credit cards are more secure because they are hard to copy (what's called skimming) -- but four researchers have shown yet another way to defeat the technology.

Created by a combination of EuroPay, MasterCard and Visa , the EMV algorithm embedded on a chip within a card is designed to combat face-to-face fraud. By inserting the EMV-enabled card and typing in a password at the Point of Sale terminal, the customer is demonstrating to the merchant that he or she is authorized to use that card. EMV doesn’t attempt to protect credit card data in motion or at at the merchant. Nor does Chip and PIN address “Card Not Present” (CNP) fraud.

Card brands in Europe and Asia are pushing Chip and PIN adoption. To entice merchants to adopt, in the UK, fraud liability shifts from the merchant to the banks if the merchant uses EMV. The catch is that consumers actually face increased liability for EMV transactions: they now have to prove they weren't shopping when and where the fraud occurred.

Speaking at last month's CanSecWest security conference in Vancouver, British Columbia, researchers Andrea Barisani and Daniele Bianco, both of Inversepath, and Adam Laurie and Zac Franken, both of Aperture Labs, demonstrated numerous ways the EMV or Chip and PIN system could be defeated. They built on previous work done by Ross Anderson and Cambridge University last year.
The four researchers focused on skimming the EMV chip itself —something that should not be possible. In fact, the researchers found it rather easy.

From their slide deck

we predict that skimming the chip will become an extremely
appealing target to fraudsters
--the chip interface is inherently accessible
--it becomes impossible for the user to verify if the terminal has
been tampered as the chip interface is not visible (unlike most
magstripe one for POS terminals)
--an EMV skimmer could go undetected for a very long time
and requires little installation effort

Chip and PIN isn’t prevalent in the United States yet, in part because of the costs in upgrading six million merchants and hundreds of millions of cards, and also perhaps because of attacks like the one above, which call into question whether the more expensive technology provides any real security benefits. What's becoming more likely is that the US ”skips” Chip and PIN generation technology altogether, with mobile payments becoming the new domestic de facto standard.