Opportunities to harvest PINs and clone magnetic stripes
In addition to the track-two data on the magnetic stripe, EMV cards generally carry equivalent data on the chip (the Track 2 Equivalent Data), which is read as part of the normal EMV transaction. If an EMV reader is compromised to the extent that the conversation between the card and the terminal is intercepted, the attacker may be able to recover both the track-two data and the PIN, allowing construction of a magnetic stripe card which, while not usable in a chip and PIN terminal, can be used in terminals that permit fall-back to mag-stripe processing, for example for foreign customers without chip cards or for defective cards. This attack is possible only where (a) the off-line PIN is presented in plain text by the PIN entry device to the card, (b) mag-stripe fall-back is permitted by the card issuer and (c) the card issuer does not carry out geographic and behavioural checking. It was claimed that a change to the card data (giving the chip a different card verification value, the iCVV, from the CVV on the magnetic stripe, so that a stripe written from chip data fails the issuer's CVV check) rendered this attack ineffective. APACS (the UK payments association) stated that such measures would be in place from January 2008, although tests on cards in February 2008 indicated this may have been delayed.
Conversation capturing is the form of attack reported to have taken place against Shell terminals in May 2006, when Shell was forced to disable all EMV authentication in its petrol stations after more than £1 million was stolen from customers.
In October 2008 it was reported that hundreds of EMV card readers for use in Britain, Ireland, the Netherlands, Denmark, and Belgium had been expertly tampered with in China during or shortly after manufacture, so that for the preceding nine months the details and PINs of credit and debit cards had been sent over mobile phone networks to criminals in Lahore, Pakistan. US National Counterintelligence Executive Joel Brenner said, "Previously only a nation state's intelligence service would have been capable of pulling off this type of operation. It's scary." Data were typically used a couple of months after the card transactions to make it harder for investigators to pin down the vulnerability. After the fraud was discovered it was found that tampered-with terminals could be identified because the additional circuitry increased their weight by about 100 g. Tens of millions of pounds sterling are believed to have been stolen. This vulnerability spurred efforts to implement better control of electronic POS devices over their entire life cycle, a practice endorsed by electronic payment security standards like those being developed by the Secure POS Vendor Alliance (SPVA).
Demonstration of PIN harvesting and stripe cloning
Cambridge University researchers Steven Murdoch and Saar Drimer demonstrated one example attack in a February 2008 BBC Newsnight program, to illustrate that Chip and PIN is not secure enough to justify shifting the liability for proving fraud from the banks onto customers. The Cambridge University exploit allowed the experimenters to obtain both the card data needed to create a magnetic stripe and the PIN.
APACS, the UK payments association, disagreed with the majority of the report, saying: "The types of attack on PIN entry devices detailed in this report are difficult to undertake and not currently economically viable for a fraudster to carry out." They also said that changes to the protocol (specifying different card verification values for the chip and the magnetic stripe, the iCVV) would make this attack ineffective from January 2008. The fraud reported in October 2008 to have operated for nine months (see above) was probably in operation at the time, but was not discovered for many months.
2010: Hidden hardware disables PIN checking on stolen card
On 11 February 2010 Murdoch and Drimer's team at Cambridge University announced that they had found "a flaw in chip and PIN so serious they think it shows that the whole system needs a re-write" that was "so simple that it shocked them". A stolen card is connected to an electronic circuit and to a fake card that is inserted into the terminal ("man-in-the-middle attack"). Any 4 digits are typed in and accepted as a valid PIN. A team from the BBC's Newsnight program visited a Cambridge University cafeteria (with permission) with the system, and were able to pay using their own cards (a thief would use stolen cards) connected to the circuit, inserting a fake card and typing in "0000" as the PIN. The transactions were registered as normal, and were not picked up by banks' security systems. A member of the research team said, "Even small-scale criminal systems have better equipment than we have. The amount of technical sophistication needed to carry out this attack is really quite low." The announcement of the vulnerability said, "The expertise that is required is not high (undergraduate level electronics) ... We dispute the assertion by the banking industry that criminals are not sophisticated enough, because they have already demonstrated a far higher level of skill than is necessary for this attack in their miniaturized PIN entry device skimmers." It is not known if this vulnerability has been exploited.
EMVCo disagreed and published a response saying that, while such an attack might be theoretically possible, it would be extremely difficult and expensive to carry out successfully, that current compensating controls are likely to detect or limit the fraud, and that the possible financial gain from the attack is minimal while the risk of a declined transaction or exposure of the fraudster is significant.
When approached for comment, several banks each said that this was an industry-wide issue, and referred the Newsnight team to the banking trade association for further comment. According to Phil Jones of the Consumers' Association, chip and PIN has helped to bring down instances of card crime, but many cases remain unexplained: "What we do know is that we do have cases that are brought forward from individuals which seem quite persuasive."
Because the PIN never reaches the card, the card records that offline PIN verification was not performed, which from the card's point of view is equivalent to a merchant performing a PIN bypass transaction. A card that requires PIN verification will not normally approve such a transaction off-line, so the terminal must submit the ARQC on-line to the issuer. The card's own verification results are carried in the data authenticated by the ARQC, so the issuer can see that the cryptogram was generated without a successful PIN verification even though the terminal reports that the PIN was verified, and would be very likely to decline the transaction if it were for a high value, out of character or otherwise outside the typical risk management parameters set by the issuer.
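The issuer-side check this paragraph relies on is a consistency comparison between what the terminal claims about cardholder verification (CVM Results, tag 9F34) and what the card itself recorded (the Card Verification Results, CVR, carried in the Issuer Application Data and authenticated by the ARQC). The following is an added example written for this page, not code from the Cambridge team or from any issuer host. The 9F34 layout follows EMV Book 4; the CVR bit positions and the IAD offsets are assumed to follow the EMV Common Core Definitions (CCD) layout, and issuers with proprietary IAD formats would map their own CVR bits. All sample values are constructed.

```python
"""Issuer-side detection of a PIN wedge / PIN bypass from 9F34 and the CVR.

Added example (not from the page). 9F34 per EMV Book 4; CVR and IAD layout
assumed to be the CCD format of EMV Book 3 Annex C7. Sample data constructed.
"""
from typing import Tuple

OFFLINE_PIN_METHODS = {0x01, 0x03, 0x04, 0x05}  # CVM codes verified by the ICC
CVM_RESULT_SUCCESS = 0x02                        # 9F34 byte 3: 00 unknown, 01 failed, 02 ok

# CVR byte 2 (CCD layout, assumed): b8-b5 low nibble of PIN Try Counter,
# b4 offline PIN performed, b3 offline PIN performed and failed,
# b2 PIN try limit exceeded, b1 last online transaction not completed.
CVR_PIN_PERFORMED = 0x08
CVR_PIN_FAILED = 0x04


def cvr_from_ccd_iad(iad_9f10: bytes) -> bytes:
    """CCD IAD: length('0F') CCI DKI CVR(5) counters(8) [discretionary data]."""
    if len(iad_9f10) < 8 or iad_9f10[0] != 0x0F:
        raise ValueError("not a CCD-format IAD (assumed layout)")
    return iad_9f10[3:8]


def terminal_claims_offline_pin_ok(cvm_results: bytes) -> bool:
    """True if the terminal reports an offline PIN method with result 'successful'."""
    if len(cvm_results) != 3:
        raise ValueError("9F34 must be 3 bytes")
    method = cvm_results[0] & 0x3F          # strip the 'cascade' bit (b7)
    return method in OFFLINE_PIN_METHODS and cvm_results[2] == CVM_RESULT_SUCCESS


def card_offline_pin_state(cvr: bytes) -> Tuple[bool, bool]:
    """(performed, verified) as recorded by the chip itself."""
    if len(cvr) != 5:
        raise ValueError("CCD CVR is 5 bytes")
    performed = bool(cvr[1] & CVR_PIN_PERFORMED)
    verified = performed and not (cvr[1] & CVR_PIN_FAILED)
    return performed, verified


def check_pin_consistency(cvm_results: bytes, cvr: bytes) -> str:
    """Compare the terminal's story with the card's.

    'pin_wedge_suspected'      terminal says offline PIN OK, card never saw a PIN
    'terminal_card_mismatch'   terminal says OK, card saw the PIN and rejected it
    'no_offline_pin_claimed'   online PIN / signature / no CVM: other rules apply
    'consistent'               both agree the PIN was verified by the card
    """
    claims_ok = terminal_claims_offline_pin_ok(cvm_results)
    performed, verified = card_offline_pin_state(cvr)
    if not claims_ok:
        return "no_offline_pin_claimed"
    if not performed:
        # The wedge answered 9000 to VERIFY on the card's behalf; the card's
        # CVR, protected by the ARQC, still says no PIN was presented.
        return "pin_wedge_suspected"
    if not verified:
        return "terminal_card_mismatch"
    return "consistent"


# Constructed samples. 9F34 '41 03 02' = plaintext PIN by ICC, 'if terminal
# supports', successful. CVR byte 1 0x20 = ARQC returned by first GENERATE AC.
LEGIT_9F34 = bytes.fromhex("410302")
LEGIT_IAD = bytes.fromhex("0FA500 2038000000 0000000000000000")   # PTC 3, PIN performed
WEDGE_IAD = bytes.fromhex("0FA500 2030000000 0000000000000000")   # PTC 3, PIN not performed
BADPIN_IAD = bytes.fromhex("0FA500 202C000000 0000000000000000")  # PTC 2, performed+failed
ONLINE_9F34 = bytes.fromhex("420300")                              # enciphered PIN online

if __name__ == "__main__":
    for name, (t, iad) in {"legit": (LEGIT_9F34, LEGIT_IAD),
                           "wedge": (LEGIT_9F34, WEDGE_IAD),
                           "badpin": (LEGIT_9F34, BADPIN_IAD),
                           "online": (ONLINE_9F34, WEDGE_IAD)}.items():
        print(name, check_pin_consistency(t, cvr_from_ccd_iad(iad)))
```

The check only catches the wedge if the issuer actually compares the two fields; a host that trusts the terminal's 9F34 alone sees a normal PIN-verified purchase, which is the gap the 2010 research pointed at.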
Originally bank customers had to prove that they had not been negligent with their PIN before getting redress, but UK regulations in force from 1 November 2009 placed the onus firmly on the banks to prove that a customer has been negligent in any dispute, with the customer given 13 months to make a claim. Murdoch said that "[the banks] should look back at previous transactions where the customer said their PIN had not been used and the bank record showed it has, and consider refunding these customers because it could be they are victim of this type of fraud."
2011: CVM downgrade allows arbitrary PIN harvest
At the CanSecWest conference in March 2011, Andrea Barisani and Daniele Bianco presented research uncovering a vulnerability in EMV that allows arbitrary PIN harvesting regardless of the card's cardholder verification method (CVM) configuration, even when the card's CVM List is covered by its offline data authentication signature. The PIN harvesting can be performed with a chip skimmer sitting between the card and the terminal. In essence, a CVM List that has been modified to downgrade the CVM to offline plaintext PIN is still honoured by POS terminals even though the signature over the card data no longer verifies: the terminal records the authentication failure but still sends the PIN in clear to the chip interface, where the skimmer reads it.
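To make the downgrade concrete, the following added example (written for this page; not code from Barisani and Bianco or from any terminal vendor) parses an EMV CVM List (tag 8E) and walks it the way a terminal does, first as the specification prescribes and then with a constructed hardening policy that refuses any offline-PIN method once offline data authentication has failed. The CVM List encoding, CVM codes and condition codes follow EMV Book 3; the sample lists, the terminal's supported methods and the `harden` option are assumptions introduced here.

```python
"""Terminal-side CVM selection over an EMV CVM List (tag 8E).

Added example, not from the page. Encoding per EMV Book 3: X(4) Y(4) then
2-byte CV rules; rule byte 1 b7 = 'cascade on failure', b6-b1 = CVM code;
byte 2 = condition code. Sample lists and the 'harden' policy are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

PLAINTEXT_PIN_ICC = 0x01
ENCIPHERED_PIN_ONLINE = 0x02
PLAINTEXT_PIN_ICC_SIG = 0x03
ENCIPHERED_PIN_ICC = 0x04
ENCIPHERED_PIN_ICC_SIG = 0x05
SIGNATURE = 0x1E
NO_CVM = 0x1F

# Methods in which the PIN (plaintext or card-enciphered) is sent to the chip
OFFLINE_PIN = {PLAINTEXT_PIN_ICC, PLAINTEXT_PIN_ICC_SIG,
               ENCIPHERED_PIN_ICC, ENCIPHERED_PIN_ICC_SIG}


@dataclass
class CvmRule:
    method: int      # bits 6-1 of byte 1
    cascade: bool    # bit 7 of byte 1: try the next rule if this one fails
    condition: int   # byte 2


@dataclass
class CvmList:
    amount_x: int    # threshold X in application currency minor units
    amount_y: int    # threshold Y
    rules: List[CvmRule]


def parse_cvm_list(tag_8e: bytes) -> CvmList:
    """Split tag 8E into X, Y and the ordered CV rules."""
    if len(tag_8e) < 8 or (len(tag_8e) - 8) % 2:
        raise ValueError("malformed CVM List")
    x = int.from_bytes(tag_8e[0:4], "big")
    y = int.from_bytes(tag_8e[4:8], "big")
    rules = [CvmRule(b1 & 0x3F, bool(b1 & 0x40), b2)
             for b1, b2 in zip(tag_8e[8::2], tag_8e[9::2])]
    return CvmList(x, y, rules)


def condition_met(rule: CvmRule, cvm: CvmList, amount: int,
                  supported: Set[int], app_currency: bool = True) -> bool:
    """Evaluate the condition code for an ordinary purchase (no cash/cashback)."""
    c = rule.condition
    if c in (0x00, 0x02):            # always / not cash and not cashback
        return True
    if c == 0x03:                    # if terminal supports the CVM
        return rule.method in supported
    if c in (0x06, 0x07, 0x08, 0x09) and app_currency:
        limit = cvm.amount_x if c in (0x06, 0x07) else cvm.amount_y
        return amount < limit if c in (0x06, 0x08) else amount > limit
    return False                     # cash conditions and unknown codes: skip rule


def select_cvm(cvm: CvmList, supported: Set[int], amount: int,
               oda_failed: bool = False, harden: bool = False) -> Optional[int]:
    """Return the CVM code the terminal would attempt, or None if CVM fails.

    Spec behaviour: skip rules whose condition is not met; an unsupported
    method cascades or fails CVM; ODA failure only sets a TVR bit and does
    not influence the walk. harden=True is a policy constructed for this
    example: with ODA failed the list and the card's public key are
    unauthenticated, so every offline-PIN method is treated as unusable.
    """
    for rule in cvm.rules:
        if not condition_met(rule, cvm, amount, supported):
            continue
        usable = rule.method in supported
        if harden and oda_failed and rule.method in OFFLINE_PIN:
            usable = False
        if usable:
            return rule.method
        if not rule.cascade:
            return None
    return None


# Constructed lists. Genuine card: no CVM under X=1000, then enciphered PIN
# by ICC, enciphered PIN online, signature (each 'if terminal supports').
GENUINE_8E = bytes.fromhex("000003E8 00000000 1F06 4403 4203 1E03")
# Same list after a skimmer prepends '41 00' (plaintext PIN by ICC, always);
# the issuer signature over the card data no longer matches.
TAMPERED_8E = bytes.fromhex("000003E8 00000000 4100 1F06 4403 4203 1E03")
TERMINAL_SUPPORTS = {PLAINTEXT_PIN_ICC, ENCIPHERED_PIN_ONLINE,
                     ENCIPHERED_PIN_ICC, SIGNATURE, NO_CVM}


def demo() -> dict:
    genuine, tampered = parse_cvm_list(GENUINE_8E), parse_cvm_list(TAMPERED_8E)
    return {
        "genuine_small": select_cvm(genuine, TERMINAL_SUPPORTS, 500),
        "genuine_large": select_cvm(genuine, TERMINAL_SUPPORTS, 5000),
        # Spec-compliant terminal honours the forged rule; PIN goes to the skimmer.
        "tampered_spec": select_cvm(tampered, TERMINAL_SUPPORTS, 5000, oda_failed=True),
        # Hardened terminal skips both offline-PIN rules and lands on online PIN.
        "tampered_hardened": select_cvm(tampered, TERMINAL_SUPPORTS, 5000,
                                        oda_failed=True, harden=True),
    }


if __name__ == "__main__":
    for name, code in demo().items():
        print(name, None if code is None else hex(code))
```

The walk shows why the attack needs no cryptography: the forged rule is the first one whose condition is met, and nothing in the prescribed CVM processing consults the outcome of offline data authentication before the PIN is released to the card interface.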