Countermeasures Available For Chip-And-PIN Attack, MasterCard Says

MasterCard Worldwide says chip-and-PIN card issuers have countermeasures available to help prevent an attack that could authenticate a card with a false PIN. MasterCard would not say what the countermeasures include.


In a research paper released last week, Cambridge University researchers say they were able to defeat the protocol governing PIN verification for EMV cards: a device between the card and the terminal answers the terminal's PIN check with a success code without ever sending the PIN to the card, so the terminal believes verification succeeded.

Reports from consumers that their chip-and-PIN cards had been used to make fraudulent purchases were the impetus behind the study, says Ross Anderson, one of the researchers. Anderson tells PaymentsSource that he and his colleagues had received complaints from consumers whose chip cards had been stolen and used to make purchases. Because the transaction records showed a PIN was used, issuers denied the cardholders refunds for the suspect transactions, he says.

But the cardholders may have been victims of this “man-in-the-middle” attack, Anderson says. “We investigated and found it was easy to build a device that sits between the card and the merchant terminal,” he says. “It tells the merchant terminal that the PIN was verified correctly, even though it wasn’t.”

A Visa spokesperson referred inquiries to EMVCo LLC, the international payment smart card organization. It says the EMV specification is but one "piece of the overall payment transaction as managed by the payment systems."

The individual card brands also have smart card specifications with which issuers must comply.

One observer says this type of attack is not unknown. Dave Birch, a director at United Kingdom-based Consult Hyperion, writes in his blog at the Digital Money Forum that issuers can configure their cards to record which method was used to verify the cardholder. The issuer can then compare that record with another data element from the transaction to see whether the two agree.

The EMV standard includes this comparison provision, but checking the two pieces of information against each other is not mandatory, Birch says.
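The issuer-side comparison Birch describes, as an added illustration in Python that is not code from the article, from Consult Hyperion or from any card brand. The two real EMV data elements it reads are tag 9F34 (CVM Results, the terminal's three-byte account of which cardholder verification method it performed and whether it succeeded) and tag 9F10 (Issuer Application Data, which the card builds and which is covered by the card's cryptogram). Where the card keeps its own "PIN verified" flag inside the IAD is issuer-specific, so the byte and bit position used here, and all the sample transactions, are constructed for the example.

```python
"""Issuer-side consistency check: does the terminal's account of cardholder
verification (tag 9F34) agree with the card's own account (tag 9F10)?

Added example, not the article's or any issuer's code.  The CVM codes and the
9F34 layout follow EMV Book 3; the position of the card-side PIN flag inside
the Issuer Application Data is a constructed placeholder (real layouts are
issuer-proprietary).
"""

# CVM codes from EMV Book 3 (low six bits of CVM Results byte 1)
CVM_CODES = {
    0x00: "fail",
    0x01: "plaintext PIN (offline)",
    0x02: "enciphered PIN (online)",
    0x03: "plaintext PIN (offline) + signature",
    0x04: "enciphered PIN (offline)",
    0x05: "enciphered PIN (offline) + signature",
    0x1E: "signature",
    0x1F: "no CVM required",
}
# Methods where the *card* itself verifies the PIN, so the card can vouch for it
OFFLINE_PIN_CODES = {0x01, 0x03, 0x04, 0x05}
# CVM Results byte 3
CVM_RESULT_SUCCESSFUL = 0x02

# Constructed placeholder: where this example's card records "offline PIN verified"
IAD_PIN_FLAG_BYTE = 4
IAD_PIN_FLAG_MASK = 0x04


def parse_cvm_results(cvm_results_hex):
    """Decode tag 9F34 into (method code, condition code, result byte)."""
    raw = bytes.fromhex(cvm_results_hex)
    if len(raw) != 3:
        raise ValueError("CVM Results (9F34) must be exactly 3 bytes")
    method = raw[0] & 0x3F  # bit 7 is RFU, bit 6 means 'apply next rule on failure'
    return method, raw[1], raw[2]


def card_says_pin_verified(iad_hex):
    """Read the (constructed) card-side PIN flag out of tag 9F10."""
    raw = bytes.fromhex(iad_hex)
    if len(raw) <= IAD_PIN_FLAG_BYTE:
        return False
    return bool(raw[IAD_PIN_FLAG_BYTE] & IAD_PIN_FLAG_MASK)


def classify(cvm_results_hex, iad_hex):
    """Return MISMATCH when the terminal reports a successful offline PIN that the
    card never verified, PIN_OK when both agree, NO_OFFLINE_PIN otherwise."""
    method, _condition, result = parse_cvm_results(cvm_results_hex)
    terminal_claims_pin = method in OFFLINE_PIN_CODES and result == CVM_RESULT_SUCCESSFUL
    if not terminal_claims_pin:
        return "NO_OFFLINE_PIN"  # signature, online PIN, or no CVM: nothing for the card to vouch for
    return "PIN_OK" if card_says_pin_verified(iad_hex) else "MISMATCH"


def scan(transactions):
    """Apply the check to a batch of (transaction id, 9F34 hex, 9F10 hex) records."""
    return [(txn_id, classify(cvm, iad)) for txn_id, cvm, iad in transactions]


# Constructed sample authorisation records
SAMPLE_TRANSACTIONS = [
    # terminal: plaintext offline PIN, successful; card flag set -> agree
    ("txn-1", "410302", "06010A03A4000000"),
    # terminal: plaintext offline PIN, successful; card flag clear -> terminal was lied to
    ("txn-2", "410302", "06010A03A0000000"),
    # signature transaction: no PIN claim to cross-check
    ("txn-3", "1E0300", "06010A03A0000000"),
    # online enciphered PIN: verified by the issuer host, not the card
    ("txn-4", "420002", "06010A03A0000000"),
]

if __name__ == "__main__":
    for txn_id, verdict in scan(SAMPLE_TRANSACTIONS):
        print(txn_id, verdict)
```

The check fires only when the terminal asserts a successful offline PIN that the card did not itself verify, which is exactly the inconsistency the man-in-the-middle device produces; signature and online-PIN transactions carry no card-side PIN claim and fall through untouched.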
