Emerald Business Systems Blog


Researchers find huge weakness in European payment cards

Posted in PCI, POS, Security by ebs4pos on February 14, 2010

Hundreds of millions of payment cards throughout Europe have a flaw that could allow criminals with a stolen card to enter any random PIN to complete a transaction, according to researchers from the University of Cambridge.

The findings, which will be presented at the IEEE Symposium on Security and Privacy in California in May, cast new doubts on chip-and-PIN, or EMV, cards. The cards contain a microchip that verifies a correct PIN in order to complete a transaction.

European banks hail the system as more secure than U.S. cards, which do not have the microchip. The chip has so far prevented some types of card cloning.

But the Cambridge researchers have found a weakness in the complicated EMV protocol that allows for a man-in-the-middle attack. It essentially tricks the point-of-sale terminal into believing it has received a correct PIN no matter what digits are entered.

The card, meanwhile, thinks that the transaction was authorized by a signature. In some instances, a point-of-sale terminal may have trouble connecting back to a card’s issuing bank but will allow the transaction anyway if it is completed by a signature.

The attack requires high-level knowledge of the chip-and-PIN system and some external hardware, as the researchers demonstrated on the BBC’s Newsnight program on Thursday.

Nonetheless, “this flaw is really a popper,” said Ross Anderson, professor of security engineering, on Newsnight.

via Researchers find huge weakness in European payment cards | Privacy Digest.
