There's a push to adopt chip-equipped payment cards in the U.S. following high-profile breaches at large retailers and restaurant chains during the past 12 months, but experts warn that switching to this payment system will not make fraud disappear.
The EMV (Europay, MasterCard and Visa) standard is widely deployed around the world, and for the past 10 years or so it has been the de facto payment card system in Europe, where it's also known as chip-and-PIN. The chip holds a secret key shared with the issuing bank and uses it to compute a cryptographic authorization code over each transaction when the card is used at an ATM or payment terminal; the customer's PIN serves as the cardholder-verification step, hence the name.
In order to drive EMV adoption in the U.S., the credit card brands plan to shift liability in October 2015, after which parties that haven't deployed the system will be held liable for fraudulent transactions.
However, the EMV specification suffers from both regulatory and security issues, some of which have already been exploited in real-world attacks, according to Ross Anderson, a security engineering professor at Cambridge University with 25 years of experience in payment systems security.
During a talk on Thursday at the Black Hat security conference in Las Vegas, Anderson highlighted some of the attacks that are possible against existing EMV implementations. Banks have tried to downplay these as impractical or too complex for cybercriminals to launch, he said.
The "preplay" and "no PIN" attacks are two examples. In a preplay, a card briefly inserted into a rogue payment terminal can later be charged for a transaction made with a cloned card at a terminal somewhere else in the world. In the "no PIN" attack, a criminal wires a stolen card to a portable man-in-the-middle device that is connected to a fake card inserted into the POS (point-of-sale) terminal. The device tells the terminal that the PIN was verified while telling the card that the cardholder was verified by signature, so the terminal accepts any PIN and the transaction is authorized.
More recently, Anderson's team at Cambridge found that many EMV-capable ATMs and payment terminals generate the "unpredictable number," the per-transaction nonce the terminal supplies to the card, in a predictable manner, for example from a counter or a clock. Because the card's authorization code is computed over that number together with the amount and date, anyone with temporary access to a card, such as a waiter, can ask it for codes matching the numbers a target terminal will produce and use them for transactions in the future. Worse, a rogue or compromised POS terminal can harvest such codes from every card inserted into it, and those codes can later be used to authorize additional rogue transactions.
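The following toy model, added here to illustrate the preplay mechanism described above, is not code from Anderson's team or from any payment vendor. It simulates the card, the issuer and two kinds of terminal: one whose "unpredictable number" is a plain counter, as on the flawed terminals, and one that draws it from a CSPRNG. An HMAC-SHA256 truncated to 8 bytes stands in for the card's real MAC, and the PAN, key, amounts and dates are constructed sample values. It also shows why the issuer's Application Transaction Counter check, which stops a straight replay, does not stop a preplay: the harvested cryptograms all carry fresh counter values.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Constructed toy model of the EMV online-authorisation exchange. Real cards
# compute an 8-byte ARQC with a key derived from an issuer master key; here an
# HMAC-SHA256 truncated to 8 bytes stands in for that MAC (assumption).


def cryptogram(key: bytes, amount: int, date: str, un: int, atc: int) -> bytes:
    """MAC over amount, date, the terminal's unpredictable number (UN) and the ATC."""
    data = b"|".join([str(amount).encode(), date.encode(),
                      un.to_bytes(4, "big"), atc.to_bytes(2, "big")])
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


@dataclass
class Card:
    pan: str
    key: bytes      # secret shared with the issuer; never leaves the chip
    atc: int = 0    # Application Transaction Counter, +1 per cryptogram

    def generate_arqc(self, amount: int, date: str, un: int) -> tuple:
        """Answer a terminal's request with (ATC, cryptogram)."""
        self.atc += 1
        return self.atc, cryptogram(self.key, amount, date, un, self.atc)


class Issuer:
    """Verifies cryptograms and rejects any ATC that does not move forward."""

    def __init__(self) -> None:
        self.keys = {}
        self.last_atc = {}

    def register(self, card: Card) -> None:
        self.keys[card.pan] = card.key
        self.last_atc[card.pan] = 0

    def authorise(self, pan: str, amount: int, date: str, un: int, atc: int, arqc: bytes) -> bool:
        if atc <= self.last_atc[pan]:
            return False  # resubmission of an already-used counter value
        expected = cryptogram(self.keys[pan], amount, date, un, atc)
        if not hmac.compare_digest(expected, arqc):
            return False
        self.last_atc[pan] = atc
        return True


class WeakTerminal:
    """Models the flawed terminals: the UN is a counter, so it is predictable."""

    def __init__(self, seed: int = 0) -> None:
        self.counter = seed

    def unpredictable_number(self) -> int:
        self.counter = (self.counter + 1) & 0xFFFFFFFF
        return self.counter


class GoodTerminal:
    """UN drawn from a CSPRNG; the seed parameter only keeps the interface identical."""

    def __init__(self, seed: int = 0) -> None:
        pass

    def unpredictable_number(self) -> int:
        return secrets.randbits(32)


def harvest(card: Card, amount: int, date: str, predicted_uns) -> dict:
    """Attacker holding the card for a moment asks it for one cryptogram per predicted UN."""
    return {un: card.generate_arqc(amount, date, un) for un in predicted_uns}


def preplay(issuer: Issuer, pan: str, amount: int, date: str, terminal, harvested: dict) -> bool:
    """Attacker's clone at the real terminal answers the terminal's UN from the harvested table."""
    un = terminal.unpredictable_number()
    if un not in harvested:
        return False  # prediction failed; the clone has nothing valid to say
    atc, arqc = harvested[un]
    return issuer.authorise(pan, amount, date, un, atc, arqc)


def run_preplay(terminal_cls) -> bool:
    issuer = Issuer()
    card = Card(pan="4111111111111111", key=os.urandom(16))  # constructed victim card
    issuer.register(card)
    terminal = terminal_cls(seed=1000)
    # 1. attacker observes one UN from the target terminal and predicts the next ten
    seen = terminal.unpredictable_number()
    predicted = [(seen + i) & 0xFFFFFFFF for i in range(1, 11)]
    # 2. victim's card is briefly in the attacker's hands (waiter, rogue terminal)
    harvested = harvest(card, 10000, "2014-08-07", predicted)
    # 3. later, a clone carrying only the table is used at the target terminal
    return preplay(issuer, card.pan, 10000, "2014-08-07", terminal, harvested)


def run_naive_replay() -> tuple:
    """Same message twice: the first is approved, the second fails the ATC check."""
    issuer = Issuer()
    card = Card(pan="4111111111111111", key=os.urandom(16))
    issuer.register(card)
    un = GoodTerminal().unpredictable_number()
    atc, arqc = card.generate_arqc(5000, "2014-08-07", un)
    first = issuer.authorise(card.pan, 5000, "2014-08-07", un, atc, arqc)
    second = issuer.authorise(card.pan, 5000, "2014-08-07", un, atc, arqc)
    return first, second


if __name__ == "__main__":
    print("preplay vs counter UN  :", run_preplay(WeakTerminal))   # approved
    print("preplay vs random UN   :", run_preplay(GoodTerminal))   # declined
    print("naive replay (1st, 2nd):", run_naive_replay())          # (True, False)
```

Note that the issuer cannot tell the preplayed message from a genuine one: the cryptogram verifies, the UN matches what the terminal actually sent, and the ATC is fresh. The only defence in this model is a terminal whose UN really is unpredictable, which is Anderson's point about implementation quality rather than the specification.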
Some of these attacks don't stem from issues in the EMV standard itself but from poor implementations of it by payment terminal vendors, according to Anderson. Banks have little incentive to act, he said, because liability for fraud shifts to the merchant if EMV is not used in a transaction and to the consumer if EMV is used with the correct PIN.