Chris Skinner's blog

Shaping the future of finance

Chip & PIN is broken (UPDATE)


As many readers know, I've disliked Chip & PIN pretty much since it was launched, as there are better solutions out there. Here's my comment from 2006:

Chris Skinner, CEO of financial services think tank Balatro told silicon.com: "I'm an anti-chip and PIN person. Sorry Apacs - I like them very much but it's not an appropriate technology today. Chip and PIN is very old in a very modern society - it started in France in 1994.

"In Eastern Europe [Hungary and Russia] they have a much better system than chip and PIN - when you make a payment you get a text. You can ignore it or if there's a problem, you get in touch with your bank. It's very cheap but there's been a 93 per cent reduction in fraud - that's far more successful than chip and PIN."

Now, just to add insult to injury, Steven Murdoch discusses how they've cracked Chip & PIN on Finextra, and references a 13-page research paper which explains how it works:

'EMV is the dominant protocol used for smart card payments worldwide, with over 730 million cards in circulation. Known to bank customers as "Chip and PIN", it is used in Europe; it is being introduced in Canada; and there is pressure from banks to introduce it in the USA too. EMV secures credit and debit card transactions by authenticating both the card and the customer presenting it through a combination of cryptographic authentication codes, digital signatures, and the entry of a PIN.

'In this paper we describe and demonstrate a protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card's PIN, and to remain undetected even when the merchant has an online connection to the banking network. The fraudster performs a man-in-the-middle attack to trick the terminal into believing the PIN verified correctly, while telling the issuing bank that no PIN was entered at all.

'The paper considers how the flaws arose, why they remained unknown despite EMV's wide deployment for the best part of a decade, and how they might be fixed. Because we have found and validated a practical attack against the core functionality of EMV, we conclude that the protocol is broken.

'This failure is significant in the field of protocol design, and also has important public policy implications, in light of growing reports of fraud on stolen EMV cards. Frequently, banks deny such fraud victims a refund, asserting that a card cannot be used without the correct PIN, and concluding that the customer must be grossly negligent or lying. Our attack can explain a number of these cases, and exposes the need for further research to bridge the gap between the theoretical and practical security of bank payment systems.'
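The flaw in the abstract above is that the terminal and the issuer end up with different stories about the PIN: the terminal believes an offline PIN verified, the card tells the issuer no PIN was checked. An issuer can catch that disagreement by cross-checking the terminal's CVM Results (EMV tag 9F34) against the card's own record. The following is an added example, not code from the paper or from this blog; the card-side flag is a constructed stand-in for the issuer-specific data a real card returns, and the CVM code and result tables are the standard 9F34 encodings.

```python
# Issuer-side consistency check for the "no PIN" flaw. Added example; the
# card_offline_pin_verified flag is a constructed stand-in for issuer-specific
# card data (in practice it comes from the card's Issuer Application Data).
from dataclasses import dataclass

# Tag 9F34 byte 1, low six bits: the CVM the terminal says it performed.
CVM_CODES = {
    0x00: "fail CVM processing",
    0x01: "plaintext PIN verified by ICC",
    0x02: "enciphered PIN verified online",
    0x03: "plaintext PIN by ICC and signature",
    0x04: "enciphered PIN verified by ICC",
    0x05: "enciphered PIN by ICC and signature",
    0x1E: "signature (paper)",
    0x1F: "no CVM required",
    0x3F: "no CVM performed",
}
# CVM codes where the card itself is supposed to check the PIN (offline PIN).
OFFLINE_PIN_CODES = {0x01, 0x03, 0x04, 0x05}
# Tag 9F34 byte 3: the outcome the terminal reports for that CVM.
CVM_RESULTS = {0x00: "unknown", 0x01: "failed", 0x02: "successful"}


@dataclass
class CvmResults:
    code: int       # CVM code (bits 1-6 of byte 1)
    condition: int  # CVM condition code (byte 2)
    result: int     # 0x00 unknown, 0x01 failed, 0x02 successful (byte 3)

    def describe(self) -> str:
        return f"{CVM_CODES.get(self.code, 'RFU')}: {CVM_RESULTS.get(self.result, '?')}"


def parse_cvm_results(tag_9f34: bytes) -> CvmResults:
    """Decode the three-byte CVM Results the terminal sends to the issuer."""
    if len(tag_9f34) != 3:
        raise ValueError("tag 9F34 must be exactly 3 bytes")
    # Bit 7 of byte 1 only means "apply the next CVM rule on failure"; mask it off.
    return CvmResults(code=tag_9f34[0] & 0x3F, condition=tag_9f34[1], result=tag_9f34[2])


def check_pin_consistency(tag_9f34: bytes, card_offline_pin_verified: bool) -> str:
    """Flag the attack signature: terminal reports offline PIN OK, card reports no PIN."""
    cvm = parse_cvm_results(tag_9f34)
    terminal_claims_pin = cvm.code in OFFLINE_PIN_CODES and cvm.result == 0x02
    if terminal_claims_pin and not card_offline_pin_verified:
        return "MISMATCH: terminal reports '%s' but card did not verify a PIN" % cvm.describe()
    if card_offline_pin_verified and not terminal_claims_pin:
        return "MISMATCH: card verified a PIN but terminal reports '%s'" % cvm.describe()
    return "consistent: " + cvm.describe()
```

A 9F34 of `41 00 02` (plaintext PIN by ICC, successful) arriving alongside a card record of no PIN verification is exactly the disagreement the attack produces, and is the case an issuer-side rule should decline or refer.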

Download the 13-page white paper

Watch the BBC news report video

Read Steven's views in-depth


UPDATE 13-02-10 11:10

The UK Cards Association dismissed the claim, saying that while the research had shown what it was possible to do in theory, this did not mean it was practical or even possible to do in reality.

A spokeswoman said: "We believe that this complicated method will never present a real threat to our customers' cards.

"It requires possession of a customer's card and unfortunately there are much simpler ways to commit fraud under these circumstances at much less risk to the criminal. This fraud is also detectable by the industry's systems."

She added that figures due to be released by the group shortly would show that fraud committed on lost or stolen cards during 2009 had fallen to its lowest level for two decades.


Chris M Skinner

Chris Skinner is best known as an independent commentator on the financial markets through his blog, TheFinanser.com, as author of the bestselling book Digital Bank, and Chair of the European networking forum the Financial Services Club. He has been voted one of the most influential people in banking by The Financial Brand (as well as one of the best blogs), a FinTech Titan (Next Bank), one of the Fintech Leaders you need to follow (City AM, Deluxe and Jax Finance), as well as one of the Top 40 most influential people in financial technology by the Wall Street Journal's Financial News.
