Study: Chip-and-PIN is Broken
If you’ve heard of chip-and-PIN credit cards, you probably know that they’re prevalent in Europe, Canada, and Asia and are considered to be vastly superior to the magnetic stripe cards used in the United States, primarily due to their reputation as being more adept at fraud prevention. But what if chip-and-PIN technology isn’t as secure as everyone thinks?
Unfortunately, this isn’t a hypothetical scenario, as a group of computer scientists at Cambridge have apparently discovered a significant flaw in the EMV protocol on which chip-and-PIN technology is based that could threaten the entire system. In a 2010 report titled “Chip-and-PIN is Broken,” Steven J. Murdoch, Saar Drimer, Ross Anderson, and Mike Bond explain how fraudsters can use fairly basic technology to turn stolen or copied credit cards into conduits to free dough by essentially fooling the payment terminal.
While you might assume that US consumers are insulated from this type of fraud, more and more US banks are expected to issue chip-based cards in the coming years, and the US payments industry also appears poised to incorporate aspects of the EMV standard into its existing infrastructure in order to accommodate chip-based contactless payments. Don’t you want to be aware of what’s in store for you?
How Fraudsters Can Beat EMV
It’s called a “wedge” or “man-in-the-middle” attack and takes advantage of the fact that when a card is inserted into a payment terminal, a negotiation takes place between the card and the terminal over whether the transaction should be verified by PIN, signature, or simply by the computer chip embedded within the card. A device, easily built by someone with a bit of technical know-how and potentially sold on the black market, intercepts the communication, tricking the terminal into thinking a PIN verified the transaction and the card into thinking that a signature did so. This results in the transaction getting approved by the bank as well as a corresponding receipt that reads “Verified by PIN.”
The team demonstrated the practical effectiveness of this technique for European media, using the journalists’ own cards to make fraudulent purchases as cameras rolled. Interestingly, this workaround can be effective even when the Point-of-Sale (POS) terminal contacts the cardholder’s bank for verification, as the red flags that would indicate a wedge attack could be practically difficult to spot and banks generally don’t check for them anyway. Once a stolen card is cancelled, the subterfuge isn’t possible, but thieves still have a window in which to do damage while consumers notice that their cards are missing and contact their banks.
What’s to Blame?
“In essence, there is a gaping hole in the specifications which together create the ‘Chip and PIN’ system,” wrote Ross Anderson, a member of the Cambridge research team, in a 2010 briefing paper. “Each spec defines security criteria, tweaks options and sets rules – but none take responsibility for listing what back-end checks are needed. As a result, hundreds of issuers independently get it wrong, and gain false assurance that all bases are covered from the common specifications. The EMV specification stack is broken, and needs fixing.”
The Cambridge team’s worries at the time their study was published centered on the fact that UK laws placed the onus for fraud squarely on the consumer, which spoke to the perceived infallibility of chip-and-PIN technology. Since that time, new laws have been introduced that require banks to prove consumer negligence in order to hold consumers liable for fraudulent charges, but a bank may not believe someone who claims not to have entered a PIN when their receipts say otherwise.
What’s more, European authority figures have not done much to solve the problem, both because of the financial implications of doing so and because many industry insiders have denied that there is much of a problem to begin with.
Jack Jania, senior vice president and general manager of secure transactions for Gemalto, Inc., a Netherlands-based smartcard manufacturer, says that the complexity of the attack makes it not feasible for your average criminal and predicts that it will be a moot point in the coming years anyway.
“It was a great science experiment, but in practice, it’s just not practical,” he said before pointing out that as more of the world becomes reliant on chip-and-PIN technology, the problem will go away given that it’s based on an exploitation of the current system’s attempt to accommodate less secure verification methods (i.e. those verified by signature).
Nevertheless, there’s something to be said for the fact that payments industry players tried to pressure Cambridge into removing the study from its website, presumably to avoid having to undergo costly fixes to the issue.
“The flaws in the … payment protocol design are simple enough but fixing them appears to be intractable because of the incentives facing different actors,” Anderson wrote in a 2012 paper titled “Risk and privacy in payment systems,” which he presented at a Federal Reserve Bank payments conference. “Governance is hard in a payment system involving hundreds of vendors, tens of thousands of banks and millions of merchants. Everyone wants to cut costs and customize systems, both of which undermine security; and when a systemic vulnerability emerges, no one will step up to the plate.”
Practical Implications for US Travelers
So what does this mean for US consumers in light of the fact that EMV technology has yet to gain much traction domestically?
Well, international travelers with a chip-and-PIN credit card from Diner’s Club, Travelex, or one of the few credit unions that has made them available could be at risk. There are also broader implications for the future of fraud prevention technology in the US.
“We’re really worried that if something isn’t done to fix this problem, and the many others we’ve found in EMV, other regions adopting it (like the USA) are going to make the same mistakes again and again,” Anderson wrote, “and that means customers stay vulnerable.”
Was this article helpful?