Chip-And-PIN Hack Is So Scary Because It Surprised No One

Written by Evan Schuman
February 18th, 2010

A February 2010 Cambridge University report that points out critical security flaws in chip-and-PIN (EMV) protocols—a security method that’s ever-present in the U.K., being massively deployed in Canada and being pushed for use in the U.S.—is most surprising in how remarkably unsurprising it is.

As reactions to the report’s man-in-the-middle attack methodology piled on, it was eerie how perfunctory the denials were, even among the most aggressive EMV advocates. My personal favorite is a statement that banking giant HSBC Group issued in the U.K. to the BBC: “Although they have raised a clear security concern with regards to chip-and-PIN, which we are taking very seriously, the problem highlighted is relevant to all card issuers and not just HSBC.” The bank didn’t even bother denying that the university’s hack worked.

For years, security aficionados have pushed chip-and-PIN while conceding that it’s not really secure but probably still better than what’s being done in the U.S. (formally called the “Hope And Pray They Don’t Take My Lunch Money Today” protocol). But the subtext implying that it’s not really all that secure is almost always present.

(For more on this topic, check out Walter Conway’s latest StorefrontBacktalk column, “Chip-And-PIN Is Not A Free Pass On PCI.”)

We’ll get into the details of the Cambridge report in a moment. In the meantime, it’s important to point out that the biggest criticism of this report is that the equipment needed to hack chip-and-PIN is too bulky for the attacks to actually happen without cashiers noticing. That argument was effectively obliterated with a wonderful piece of video journalism done by the BBC. It filmed one of the Cambridge researchers actually using this attack—successfully—at a wide range of retail locations leveraging borrowed cards of BBC staffers. Seeing the attack in action makes two things clear: It’s not theoretical, and it’s even practical. The movements of the pretend cyberthief were natural and not at all suspicious.

Retail IT execs specializing in security were especially concerned about the relative ease of the university hack execution. Braden Black, a senior enterprise architect (and security specialist) for 305-store shoe chain DSW, said that, in his opinion, the biggest problem with chip-and-PIN—as it’s currently deployed—is that banks have little incentive to make these systems secure because they no longer have any liability if they’re repeatedly breached. That liability has been pushed to the retailers.

“The ramifications of this attack are most disturbing when viewed in light of the fraud liability regulations that were adopted alongside the technology. Essentially, the banks offloaded fraud liability to merchants and cardholders. In this case, specifically, the attack vector exploited a flaw in the EMV PIN verification protocol causing a transaction to appear to the bank to be PIN-verified while the chip believes that signature-based verification is taking place. One no longer needs any knowledge of the PIN to authorize a transaction,” Black said. “This places the onus of liability upon the cardholder, who is assumed to be liable for the fraudulent transaction unless they can demonstrate that they were not present for the transaction and did not disclose their PIN code.”


7 Comments | Read Chip-And-PIN Hack Is So Scary Because It Surprised No One

  1. bill bittner Says:

    This hack demonstrates a much larger vulnerability that goes way beyond payment authorization. As software design has moved to “object oriented” designs that encapsulate data and processes along with the whole concept of “stateless objects” the “man in the middle” or wedge attack becomes much easier. This could really happen in any situation. Just as we are hearing more about cyber attacks from overseas, we are using software design techniques that make our systems more vulnerable. Better get a kerosene lamp.

  2. R Dallaire Says:

    I worked on EMV project in Canada. EMV is better than plain MSR card. No doubt. This is not marketing “gimmick”.

    The Cambridge/BBC video shows a guy using a Netbook PC and an EMV “test card” hooked on a stolen EMV card. Sure, you may hide all the cables

  3. R Dallaire Says:

    Sure, you may hide all the cables but the setup will be obvious if you are wearing a T-Shirt. ;)

    EMV has to fix this. I don’t know if the same issue has been raised in Canada.

  4. A reader Says:

    Mr. Bittner,

    How do you equate the failure of a developed-in-secret, 14-year-old cryptographic protocol with the adoption of object oriented programming, the recognition of design patterns, or the maturity of software engineering as a discipline? You are comparing oranges to a philosopher’s left elbow — the argument doesn’t even parse.

    There were no software failures here, no code crashes being exploited nor buffer overrun attacks smashing stacks. This was a failure in the design and creation of a *protocol* that fell prey to being spoofed. No objects failed, because no objects were transmitted. This is 100% protocol design failure; and it can be blamed on the secretive nature of the original design process and the immature cryptographic skills of the original protocol designers. (Here’s a hint for all you budding cryptographers: the best cryptographers know they aren’t good enough by themselves. They always seek outside validation of their designs. Always.)

    The chips inside the smart cards don’t even have the memory or the horsepower to support object oriented programming techniques. There aren’t dynamic memory allocations. These are tiny 8-bit chips with about 1K of RAM, and the applications hand coded in assembler (or possibly C.)

    I’m sorry if you are uncomfortable with modern design techniques, object oriented languages, test-driven development, design patterns, or if you think programming should still be functional now because it was functional back when you first learned it. If you are interested in that kind of bare-metal programming, might I suggest embedded systems design? It’s all about writing code for these tiny standalone processors, where every byte still matters and every cycle still counts. You even get style points for writing in assembler. :-)

  5. David Dorf Says:

    Long ago I used to write code for smart card terminals, including those that accepted EMV cards. Even with the imperfections, the chip-based systems are much more secure than mag-stripe. The fact that this particular hole went undiscovered for at least six years is actually pretty impressive. Although I don’t know the specifics, I’m willing to bet this particular issue can be resolved in the terminal code without having to reissue all the cards.

    This is a great example of the importance of ethical hacking. Hats off to the Cambridge team.

  6. Steve Sommers Says:

    Was it undiscovered? And are we sure there are variations already in the wild? There have been many customer complaints of fraudulent activity with EMV and most were simply swept under the carpet and attributed to a failure of the cardholder without much investigation. Recently the EU shifted some of the burden of proof back to the banks and this was done prior to this Cambridge report. If the system is so secure, why the shift?

  7. Howard Says:

    This hack has been available for over 8 years now. I doubt this should be a surprise to anyone.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.