Chip and PIN may not be a good enough solution against payment card fraud

  • Team Omega
  • July 22, 2014

It’s coming. That’s the buzz all around. When? Before October 2015, because starting in October 2015, both Visa and Mastercard plan to shift liability from merchants for fraudulent point-of-sale transactions if the retailers have not deployed the latest readers. However, nobody knows whether it will succeed: first, in being deployed across the U.S., and second, in preventing breaches.

The primary reason is the cost of this technology. According to the National Retail Federation, rolling out the infrastructure will require more than $10 billion in investments and at least five years. Secondly, reports from the U.K. say that chip and PIN technology, although better than magnetic stripe card security, is not free of vulnerabilities.

Here is one report that says, “In May 2014, researchers from the University of Cambridge, who have found numerous security issues in the EMV protocol, presented their latest findings: A major implementation flaw that could allow attackers to create additional transactions that could be sent at a later time and a protocol flaw that allows a man-in-the-middle attack to capture the unique number — or so-called ‘unpredictable number’ or UNs — used to verify a transaction, allowing additional transactions to be created and used at a later time.”

The researchers also showed another vulnerability, the “pre-play” attack: the use of a compromised terminal or a man-in-the-middle attack to create several transactions, instead of just one, at the time the card is inserted. The technique explained here may not be that easy, yet it is doable.

So, the basic question here is whether chip and PIN technology is fundamentally flawed or whether it is a step in the right direction. We will have to wait and see.