A team of Italian researchers has presented a crack for the chip-and-PIN card verification system that they say makes it possible to skim a PIN number that can later be used with a stolen card. The team, from security research company Inverse Path, built a prototype skimmer that can be inserted invisibly into an electronic point-of-sale terminal and intercept the interface between the terminal and a card's chip.
The researchers, presenting at the CanSecWest conference in Vancouver, discovered a disconnect between the process that a terminal uses to verify a card, and the process that the bank uses to verify the transaction with the terminal. The weakness lies in a file contained on the card, called the Cardholder Verification Method (CVM) list. This list, presented by the card to the terminal, tells the terminal which methods should be used to verify the card (such as a paper signature or a PIN).
The team discovered that a terminal will honour a tampered CVM, enabling the CVM to be altered. It then becomes possible to force a plain text verification of the PIN, enabling the skimmer to harvest the number.
"If you steal a card that has been previously skimmed, you can enable full use of the card completely undetected by the backend," said Andrea Barisani, chief security engineer at the consulting firm. "EMV should probably be replaced by something that has full cryptography from the beginning to the end. This can be done by the smartcard, and we don't know why it wasn't done before."
Although skimmers have been used in ATMs for years, the devices have focused on skimming magnetic stripe data. Institutions have protected chip-an-PIN cardholders from magnetic stripe cloning by using a three-digit code, called the iCVV, on a chip. That code is separate from the existing CVV used on a magstripe.
In truth, said Barisani, it would be financially unrealistic for the entire banking system to rollback the system, which has already been universally deployed in Europe, and which is in the advanced state of rollout in Canada. The United States is the only major Western market yet to adopt the EMV standard across retail networks.