Government ID, Smart Cards, Identification and Authentication

EMV hack may be overstated

Monday, February 15, 2010

Researchers at the University of Cambridge in the UK released a report claiming to have identified vulnerabilities in the EMV payment scheme. Industry organizations are meanwhile defending the technology, saying the hack would be difficult to pull off in the real world.

The attack uses a fake chip card connected with wires to custom electronics, a computer with specially designed software, and a stolen EMV chip & PIN card. The fake card and equipment sit between the stolen card and the point-of-sale terminal; the attack fools the terminal into thinking that the correct PIN has been presented and makes the stolen card believe that no PIN was required.




The Smart Card Alliance has reviewed the hack along with other industry organizations and concluded that widespread implementation of this attack is unlikely and that there is no evidence that the attack described has happened in the real world.


These conclusions are supported by the following points:

  • The attack requires the use of a stolen EMV card that has not yet been reported as stolen; this limits the scalability of this type of fraud since it must be done with one card at a time and in a potentially short window of time.
  • The combination of fake card and stolen chip & PIN card cannot be used in an ATM for a cash withdrawal, as ATMs rely on an online PIN verification.
  • The fraud requires using a fake chip card with wires coming out of it, running up the sleeve of the fraudster and connecting to a hidden circuit board, computer and stolen EMV card, making detection likely at an attended merchant point-of-sale.
  • The attack is technically difficult, requiring highly sophisticated software and customized hardware that could only be created by individuals with extensive knowledge of EMV protocols.
  • Countermeasures are already available, either in EMV, within payment system products and networks, or within issuer host systems.
  • Electronic audits of data from suspected transactions would protect cardholders and merchants from responsibility for fraudulent charges made to their card with this type of attack, if reported properly.

Additionally, such an attack would not compromise the smart card as the PIN would still remain secure inside the card.
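The electronic audit mentioned above can look for exactly the disagreement the attack creates: a terminal that records a successful offline PIN check while the card saw no PIN at all. The sketch below is an added example, not code from the report or from any payment scheme. It assumes the issuer receives the terminal's CVM Results (EMV tag 9F34) and has already decoded the card's own view from its scheme-specific card data into a boolean; the record layout and all sample values are constructed.

```python
# Added example: issuer-side audit for the PIN-state mismatch described above.
from dataclasses import dataclass

# CVM method codes (low 6 bits of CVM Results byte 1) where the card checks the PIN offline.
OFFLINE_PIN_CODES = {0x01, 0x03, 0x04, 0x05}
CVM_RESULT_SUCCESSFUL = 0x02  # CVM Results byte 3


@dataclass
class AuthRecord:
    txn_id: str                    # constructed identifier
    cvm_results_hex: str           # terminal's CVM Results (tag 9F34), 3 bytes
    card_saw_offline_pin_ok: bool  # assumption: decoded by the issuer from card data


def terminal_claims_offline_pin_ok(cvm_results_hex: str) -> bool:
    raw = bytes.fromhex(cvm_results_hex)  # raises ValueError on bad hex
    if len(raw) != 3:
        raise ValueError("CVM Results must be exactly 3 bytes")
    method = raw[0] & 0x3F  # top two bits are flags, not part of the method code
    return method in OFFLINE_PIN_CODES and raw[2] == CVM_RESULT_SUCCESSFUL


def audit(records):
    """Return txn_ids where terminal and card disagree about PIN verification."""
    flagged = []
    for rec in records:
        try:
            terminal_ok = terminal_claims_offline_pin_ok(rec.cvm_results_hex)
        except ValueError:
            flagged.append(rec.txn_id)  # malformed field: treat as suspect
            continue
        if terminal_ok and not rec.card_saw_offline_pin_ok:
            flagged.append(rec.txn_id)
    return flagged


# Constructed sample records, not real transaction data.
SAMPLE = [
    AuthRecord("T1", "410302", True),   # offline plaintext PIN, both sides agree
    AuthRecord("T2", "1E0302", False),  # signature, terminal claims no PIN
    AuthRecord("T3", "410302", False),  # terminal says PIN ok, card saw none
    AuthRecord("T4", "4103", False),    # truncated field
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```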

Financial service provider Irish Life & Permanent (IL&P) has selected Cryptomathic’s two-factor authentication solution to protect its customers against remote banking threats.

The Cryptomathic Authenticator was chosen because of its ability to integrate into the bank’s existing back-end infrastructure by operating as a standalone service. Additionally, the solution can interface with IL&P’s two distinct internal systems: the Open24 internet banking platform and the GTX telephone banking system.


PhoneFactor Inc. has added authentication for online banking to its list of service features. The company has introduced the Universal Banking Gateway and added another secure layer to online banking functions.


H Security reports that Kobil’s smart card readers have been hacked with a Windows tool and unsigned firmware, granting thieves access to PINs and other secure data.


Global Rainmakers (GRI) has partnered with Tech Imagine, a document scanner technology company, to provide iris-based biometric solutions to Tech Imagine’s banking industry customers in Latin America and the Caribbean. The hope for Tech Imagine is to establish pilot programs utilizing GRI’s iris recognition technology at banks that are currently using Tech Imagine technology such as their check scanners.


Ceelox has announced that it has finished development of a prototype application that would use Ceelox’s fingerprint biometrics to enable biometric authentication in online environments such as corporate intranets, cloud computing networks and commercial applications like online banking and other personal account-based access.


Liza Landsman has resigned as Citigroup’s U.S. head of online and mobile banking after only a year of directing its consumer internet and mobile division, according to finextra.com.
