Chip-and-PIN definitely broken, say Italian researchers


A team of Italian researchers has presented a crack for the chip-and-PIN card verification system that they say makes it possible to skim a PIN number that can later be used with a stolen card. The team, from security research company Inverse Path, built a prototype skimmer that can be inserted invisibly into an electronic point-of-sale terminal and intercept the interface between the terminal and a card's chip.

The researchers, presenting at the CanSecWest conference in Vancouver, discovered a disconnect between the process that a terminal uses to verify a card, and the process that the bank uses to verify the transaction with the terminal. The weakness lies in a file contained on the card, called the Cardholder Verification Method (CVM) list. This list, presented by the card to the terminal, tells the terminal which methods should be used to verify the card (such as a paper signature or a PIN).

The team discovered that a terminal will honour a tampered CVM list. By altering the list, it becomes possible to force a plain text verification of the PIN, enabling the skimmer to harvest the number.

"If you steal a card that has been previously skimmed, you can enable full use of the card completely undetected by the backend," said Andrea Barisani, chief security engineer at the consulting firm. "EMV should probably be replaced by something that has full cryptography from the beginning to the end. This can be done by the smartcard, and we don't know why it wasn't done before."
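An issuer-side consistency check for the gap described above, as an added example that is not from the article or from Inverse Path: it parses a CVM list (EMV tag 8E) and flags a transaction whose reported CVM Results (tag 9F34) name a method the issuer never personalised onto the card. It assumes the issuer host receives tag 9F34 and stores each card's issued CVM list; the function names and sample bytes are constructed for illustration.

```python
# Added example. Method codes follow EMV Book 3; sample data is constructed.
CVM_METHODS = {
    0x00: "fail CVM processing",
    0x01: "plaintext PIN verified by ICC",
    0x02: "enciphered PIN verified online",
    0x03: "plaintext PIN verified by ICC + signature",
    0x04: "enciphered PIN verified by ICC",
    0x05: "enciphered PIN verified by ICC + signature",
    0x1E: "signature (paper)",
    0x1F: "no CVM required",
}
PLAINTEXT_PIN = {0x01, 0x03}


def parse_cvm_list(value: bytes):
    """Parse the value of tag 8E: amount X (4 bytes), amount Y (4), then 2-byte rules."""
    if len(value) < 10 or (len(value) - 8) % 2:
        raise ValueError("malformed CVM list")
    rules = []
    for i in range(8, len(value), 2):
        code, condition = value[i], value[i + 1]
        rules.append({
            "method": code & 0x3F,                  # low 6 bits: method code
            "continue_on_fail": bool(code & 0x40),  # bit 7: try next rule on failure
            "condition": condition,                 # when the rule applies
        })
    return rules


def check_cvm_results(issued_list: bytes, cvm_results: bytes):
    """Compare the method reported in tag 9F34 with the list the issuer put on the card."""
    if len(cvm_results) != 3:
        raise ValueError("CVM Results must be 3 bytes")
    issued = [r["method"] for r in parse_cvm_list(issued_list)]
    used = cvm_results[0] & 0x3F
    return {
        "used": CVM_METHODS.get(used, f"unknown 0x{used:02X}"),
        "rank_in_issued_list": issued.index(used) if used in issued else None,
        "plaintext_pin": used in PLAINTEXT_PIN,
        # Hypothetical alert rule: the terminal applied a method the card was never issued with.
        "alert": used not in issued,
    }


# Constructed sample: enciphered PIN by ICC, then enciphered PIN online, then signature.
ISSUED = bytes.fromhex("0000000000000000" "4403" "4203" "1E03")
```

A card issued with a plaintext-PIN fallback rule would not trigger this alert, so the rank field is returned to let a reviewer see when a lower-priority method was used.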

Although skimmers have been used in ATMs for years, the devices have focused on skimming magnetic stripe data. Institutions have protected chip-and-PIN cardholders from magnetic stripe cloning by using a three-digit code, called the iCVV, on a chip. That code is separate from the existing CVV used on a magstripe.

In truth, said Barisani, it would be financially unrealistic for the entire banking system to roll back the system, which has already been universally deployed in Europe, and which is in an advanced state of rollout in Canada. The United States is the only major Western market yet to adopt the EMV standard across retail networks.
