That tendency to blame the card owner is based on the premise that since EMV cards -- or rather their chips -- cannot be cloned, if a fraudulent transaction is done with such a card and the correct PIN, the card owner has been negligent.
Whether U.S. banks will try to shift liability to consumers for PIN-authorized EMV transactions remains to be seen, as consumer protection in the U.S. is better than in Europe, Anderson said. EMV adoption in the U.S. will be an interesting experiment because some banks want to implement chip-and-PIN cards, while others favor a chip-and-signature model, Anderson said.
The EMV specification as it exists today is vastly complex, and vendors have made additions on top of it, which means that it's easy to make mistakes when implementing it, Anderson said. Depending on how much attention you pay, you can design a secure system using EMV or an awful one, he said.
Lucas Zaichkowsky, an enterprise defense architect at AccessData whose previous jobs involved investigating credit card breaches and assessing compliance with payment card security standards, agreed with Anderson.
"People think that if we switch to EMV, these breaches will go away, but that's not true," said Zaichkowsky, who also held a presentation about POS system architecture and security at Black Hat. During an EMV transaction, RAM-scraping malware can steal the same data that's on the magnetic stripe if the chip is not implemented correctly, and several banks don't do it properly, he said.
That data can then be used to create counterfeit magnetic stripe cards to conduct fraud in most countries, even those already using EMV because most EMV readers are also configured to accept the magnetic stripe in "fallback mode."
Even if everyone in the world would switch to chip-enabled cards and traditional magnetic stripe ones would disappear, fraud would most likely shift from card-present transactions to card-not-present transactions, such as those done online or over the phone, he said.
Fraud statistics up to 2012 actually show that this has happened in Europe since the deployment of EMV, Anderson said.
With an EMV transaction, a compromised POS terminal can still get the credit card number and expiration date, Zaichkowsky said. There are many places where this is all you need to place an order, because they don't ask for the three-digit security code or verify the billing address, he said.
This means that cybercriminals will continue to have an incentive to compromise POS terminals, even with widespread EMV deployment.
The sophisticated EMV attacks that Anderson and his team at Cambridge identified aren't widely used yet, partly because criminals have easier ways to abuse EMV cards today. That's because they're currently designed to also work with ATMs and payment terminals in countries where the system is not deployed, such as the U.S. Information captured from the magnetic stripe of a chip-equipped card can be used to create a counterfeit copy that doesn't have a chip. That cloned card cannot be used in Europe but works in the U.S., where the chip isn't needed anyway.
Sign up for Computerworld eNewsletters.