Researchers at the University of Cambridge in the UK released a report claiming to have identified vulnerabilities with the EMV payment scheme. Industry organizations are meanwhile defending the technology, saying the hack would be difficult to pull off in the real world.
The attack uses a fake chip card connected with wires to custom electronics, a computer with specially designed software, and a stolen EMV chip & PIN card. The fake card and equipment sit between the stolen card and the point-of-sale terminal; the attack fools the terminal into thinking that the correct PIN had been presented and makes the stolen card believe that no PIN was required.
The Smart Card Alliance has reviewed the hack along with other industry organizations and concluded that widespread implementation of this attack is unlikely and that there is no evidence that the attack described has happened in the real world.
These conclusions are supported by the following points:
- The attack requires the use of a stolen EMV card that has not yet been reported as stolen; this limits the scalability of this type of fraud since it must be done with one card at a time and in a potentially short window of time.
- The combination fake card and stolen chip & PIN card cannot be used in an ATM for a cash withdrawal, as ATMs rely on an online PIN verification.
- The fraud requires using a fake chip card with wires coming out of it, running up the sleeve of the fraudster and connecting to a hidden circuit board, computer and stolen EMV card, making detection likely at an attended merchant point-of-sale.
- The attack is technically difficult, requiring highly sophisticated software and customized hardware that could only be created by individuals with extensive knowledge of EMV protocols.
- Countermeasures are already available, either in EMV, within payment system products and networks, or within issuer host systems.
- Electronic audits of data from suspected transactions would protect cardholders and merchants from responsibility for fraudulent charges made to their card with this type of attack, if reported properly.
Additionally, such an attack would not compromise the smart card as the PIN would still remain secure inside the card.