Critical security flaw discovered in Chip and PIN credit card authorizations
February 14, 2010
Internet security experts from around the globe have demonstrated a critical and systemic security flaw in Chip and PIN credit card authorization systems which greatly undermines trust in the technology as a means to verify and authenticate bonafide online retail purchases.
One of the most prominent security groups to discover the security hole was Cambridge University researchers. They succeeded in demontrating how it's relatively easy to trick any credit card into thinking it is doing a chip-and-signature transaction while the terminal still thinks it is authorized by chip-and-PIN.
The security hole then creates a means to make transactions that are "Verified by PIN" using a stolen but uncancelled credit card without even knowing the PIN number.
Criminals would then insert a wedge between the stolen card and terminal, tricking the terminal into believing that the PIN was correctly verified.
It isn't surprising that the attack works when a terminal is offline but it works even when the terminal is connected and that's what is really troubling about this latest discovery. Credit card victims of fraud who complain of phantom transactions are then denied refunds in cases where a purchase is PIN verified.
These attacks fully undermine the whole faith process in the banking industry’s claim that its systems are secure when in fact they are not.
The research and analysis was performed by Steven Murdoch, Saar Drimer, Ross Anderson and Mike Bond, all senior researchers at the Computer Laboratory, University of Cambridge, and is due to be presented at the IEEE Symposium on Security and Privacy conference in Oakland in May.
Overall, researchers from the University of Cambridge demonstrated the attack in an episode of the BBC Newsnight program last Thursday night.
Saar Drimer warns "the technical sophistication for carrying out this attack is low, and the compact equipment will not be noticed by shop staff. A single criminal can develop and industrialize a kit to be used by others who do not need to understand how the attack works. This would in fact create a secondary market for such illegal terminals.”
The "man-in-middle" attack outlined by the Cambridge researchers doesn’t work at ATMs but it can work regardless of the amount spent in retail transactions, and on most PoS (point of sale) terminals. The security shortcomings apply to all credit cards based on EMV (Eurocard Mastercard Visa), the most widely deployed standard for smartcard payments, which is used by millions of credit and debit cards, mostly in Europe.
"As a security research group, we’re terribly worried that if something isn’t done to fix this problem rapidly, and the many others we’ve found in EMV, other regions adopting it, like in the U.S., are going to make the same great mistakes over and over and that means consumers will be even more vulnerable than they are now."
"In a nutshell, there is a huge hole in the specifications which together create the 'Chip and PIN' system. Structurally, the EMV specification stack is terribly broken, and needs to be addressed and repaired fast," the researchers conclude.
"We don’t want people keeping their money in shoe boxes, but we do want the problems fixed and fixed rapidly. That means getting decent governance for the system that involves all the stakeholders: banks, regulators, merchants and, lastly but not least, the consumers."
Source: Cambridge University.
You can link to the
Internet Security web site as
much as you like. Read our section on how your company can participate in our
reciprocal link exchange program
and increase your rankings
in the major search engines such as