
Man in the middle attack vulnerability in PIN based EMV bank card processing

  • 14-02-2010 6:34am, posted by Closed Accounts


    This document describes a man in the middle attack vulnerability in the EMV payment card - which includes virtually all payment cards issued in IRL (aside perhaps from AmEx and DC).

    When you use an EMV card at an ATM, the PIN you enter is sent to the card issuer along with other details of the proposed transaction in order to get an authorization code.

    When you use an EMV card in a retail shop, the PIN you enter is validated by the card – and not transmitted to the card issuer.

    This leaves the door open for someone to insert their kit between your (stolen) card and a (co-operative or negligent) retailer’s card terminal. The thing in the middle reports to the card terminal that the cardholder has entered the correct PIN. In reality any or no PIN needs to be entered.

    The risk for cardholders is that their card is stolen, fraudulently abused in this way, and high value transactions charged to their account and authorized. If the cardholder claims afterwards that the card was stolen – the issuing bank will say that the transactions had the correct PIN and claim that the cardholder must have divulged the PIN to the thief (eg wrote the PIN in the signature zone or left it on a piece of paper in their wallet etc).

    Leaving the cardholder with a large hole in his bank account and little legal redress.

    PIN “authenticated” transactions are very hard to disclaim, because the EU bureaucrats (and their political “masters”) have made them sacrosanct by directive (taking the burden off the retailer and card issuer and putting it effectively on the cardholders’ shoulders).

    I’d suggest that one keeps this document – it may be useful evidence in court if one falls victim to a bank that claims their card and PIN were used in transactions they had no knowledge of or part in.

    http://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf
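The exchange the post describes, as an added example that is not part of the original post or the linked paper's own code: a toy model of the offline PIN step, with a terminal that sends the EMV VERIFY command, a card that checks the PIN and keeps its own record of whether it ever received one, and an interposer that answers VERIFY itself so the card never sees a PIN. The command bytes (CLA 00, INS 20, P1 00, P2 80) and status words (90 00 success, 63 Cx wrong PIN with x tries left, 69 83 blocked) are real EMV/ISO 7816 values; the class and function names, the `verify_received`/`pin_verified` flags and the `issuer_cvm_consistent` check are assumptions made for the example and are not something the post describes.

```python
from dataclasses import dataclass

# Status words (ISO 7816 / EMV): success, PIN blocked, unsupported instruction.
SW_OK = b"\x90\x00"
SW_BLOCKED = b"\x69\x83"
SW_INS_NOT_SUPPORTED = b"\x6d\x00"
INS_VERIFY = 0x20


def verify_apdu(pin: str) -> bytes:
    """Build the VERIFY command (CLA 00 INS 20 P1 00 P2 80 Lc 08) carrying a
    plaintext ISO 9564 format-2 PIN block: nibble 2, PIN length, digits, F padding."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4-12 digits")
    block = f"2{len(pin):X}{pin}".ljust(16, "F")
    return bytes([0x00, INS_VERIFY, 0x00, 0x80, 0x08]) + bytes.fromhex(block)


@dataclass
class Card:
    """Toy chip card that only implements offline plaintext PIN verification."""
    pin: str
    tries_left: int = 3
    # Card-side record of the CVM step (assumed field names; real cards carry
    # issuer-specific CVR bits inside the Issuer Application Data).
    verify_received: bool = False
    pin_verified: bool = False

    def process(self, apdu: bytes) -> bytes:
        if apdu[1] != INS_VERIFY:
            return SW_INS_NOT_SUPPORTED
        self.verify_received = True
        self.pin_verified = False
        if self.tries_left == 0:
            return SW_BLOCKED
        block = apdu[5:13].hex().upper()
        length = int(block[1], 16)
        if block[2:2 + length] == self.pin:
            self.pin_verified = True
            self.tries_left = 3          # retry counter resets on success
            return SW_OK
        self.tries_left -= 1
        return bytes([0x63, 0xC0 | self.tries_left])   # 63 Cx: x tries left


def terminal_offline_pin(send, pin: str) -> bool:
    """Terminal side of the CVM step. The return value is what the terminal will
    report in its CVM Results (tag 9F34): True means 'offline PIN verified'."""
    return send(verify_apdu(pin)) == SW_OK


class NoPinMitm:
    """Interposer between terminal and card: answers VERIFY itself with 90 00 and
    forwards every other APDU untouched, so the card never sees a PIN at all."""

    def __init__(self, card: Card):
        self.card = card

    def __call__(self, apdu: bytes) -> bytes:
        if apdu[1] == INS_VERIFY:
            return SW_OK                 # the lie: "PIN accepted"
        return self.card.process(apdu)


def issuer_cvm_consistent(terminal_pin_ok: bool, card: Card) -> bool:
    """Assumed issuer-side check, not described in the post: does the terminal's
    claim (CVM Results) match what the card itself recorded? The interposed
    transaction is the one case where the two disagree."""
    return terminal_pin_ok == card.pin_verified


def run_transaction(card: Card, entered_pin: str, interposer: bool = False):
    """Returns (terminal believes PIN verified, issuer sees consistent CVM data)."""
    send = NoPinMitm(card) if interposer else card.process
    terminal_pin_ok = terminal_offline_pin(send, entered_pin)
    return terminal_pin_ok, issuer_cvm_consistent(terminal_pin_ok, card)


if __name__ == "__main__":
    genuine = Card(pin="1234")           # constructed sample card
    print("correct PIN, no interposer:", run_transaction(genuine, "1234"))
    print("wrong PIN, no interposer:  ", run_transaction(genuine, "0000"))
    stolen = Card(pin="1234")
    print("any PIN, with interposer:  ", run_transaction(stolen, "0000", interposer=True))
    print("card ever saw a VERIFY?    ", stolen.verify_received)
```

In the interposed run the terminal reports a successful PIN while the card's own record says it never received a VERIFY, which is exactly the mismatch an issuer would have to look for in the authorization data to tell this transaction apart from a genuine PIN entry.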


Comments

  • eddhorse


    Thanks, good link and info, interesting indeed.

