Unit 1, Mill Farm Business Park
Millfield Road, Hounslow
Middlesex, TW4 5PY
+44 208 893 9922

INTREPID SECURITY SOLUTIONS

Protocol flaw could allow criminals to use a genuine chip-and-PIN card to make a payment without knowing the card's PIN

A protocol flaw has been discovered that could allow criminals to use a genuine chip-and-PIN card to make a payment without knowing the card’s PIN. The vulnerability allows fraudsters to remain undetected even when the merchant bank has an online connection to the banking network.

Eli Jellenç, head of international cyber intelligence at iDefense, comments, “A group of researchers from Cambridge University’s Computer Laboratory found a simple method of compromising the EMV protocol (better known as the chip-and-PIN system) to process debit transactions without the correct cardholder’s PIN. The man-in-the-middle attack allows fraudsters to insert a device between the stolen card and the terminal, which tricks the terminal into believing it correctly verified the PIN. In fact, the fraudster can enter any PIN, and the software will tell the terminal that the system has verified the PIN and accepted the transaction with a “Verified by PIN” signature.”

Normally, consumers insert their payment card and enter their PIN, and the terminal then continues the transaction if it accepts a signal indicating that the PIN has been entered correctly. The Cambridge researchers’ attack scenario uses an electronic device as a man-in-the-middle that tricks the terminal into believing the PIN is correct, bypassing the message from the card itself that would confirm the PIN.

The PoS terminal will produce a receipt that states “Verified by PIN”, and bank records will show that the terminal received a correct PIN. Victims of this attack may have a difficult time obtaining a refund from their bank once the payment system has authenticated the transaction with no trace of a fraudulent device.

Eli Jellenç continues, “If criminals were able to exploit this type of scam, banks would find themselves dealing with a wealth of complaints from angry customers. It could be hard to discover the extent of the problem, as their machines would display only a number of seemingly approved chip and PIN transactions. Financial institutions could proffer the opinion that if their customers’ cards were compromised they must have been careless with their PINs, potentially leading to a game of tug-of-war between bank and consumer.”

This demonstrates yet another sophisticated method of scamming consumers, which would be easy for fraudsters to exploit.


Article Details

Last Updated
11th of May, 2010
