Chip & PIN Is Definitely Broken

In an update talk at the Hack In The Box conference in Amsterdam, researchers described yet another hole in EMV-enabled credit cards: online merchants don't check the security code on the card.

EMV, an algorithm created by EuroPay, MasterCard and Visa, is embedded on a chip within a credit card and is designed to combat face-to-face fraud. But in their talk, researchers Andrea Barisani and Daniele Bianco, both of Inversepath, and Adam Laurie and Zac Franken, both of Aperture Labs, found specific ways in which the card could be used for online fraud. Their talk was an update of their CanSecWest presentation in March, in which they showed ways to circumvent POS security.

From their presentation:

Application data can be used to perform Card Not Present transactions (online, phone, ...) with parties that do not check Card Security Code (CVV, CVV2,...) and do not employ 3-D secure (Verified by Visa, MasterCard SecureCode also known as phishing heaven)

If you think that the amount of websites that do not check the security code is negligible...think again

Ironically one of the authors has been defrauded on such sites while this presentation was being written...

The US has yet to adopt EMV, and with the launch of NFC-based Google Wallet and similar initiatives expected from other financial services companies, it seems likely that NFC may soon replace magnetic stripe and EMV credit cards worldwide.