How EMV Can Fail

May 21, 2014 • Published Categories Industry TopicsTags , , , ,

If you’ve been following the media reports surrounding Target’s massive data breach, then you’ve no doubt heard the acronym “EMV.” The credit card chip technology is on an imminent path for widespread implementation in the U.S. marketplace, but many have speculated that EMV by itself is not the security “silver bullet” that it was originally thought to be.

Yes, countries with widespread EMV adoption have enjoyed reduced fraud in the face-to-face (card-present) sales environment, but they have also experienced an equal and opposite increase in ecommerce fraud. And now a research team at the University of Cambridge, UK, has published a paper discussing how they found significant design and implementation mistakes within bank-issued EMV cards.

Here is an excerpt from the University of Cambridge blog:

When a Chip and PIN transaction is performed, the terminal requests that the card produces an authentication code for the transaction. Part of this transaction is a number that is supposed to be random, so as to stop an authentication code being generated in advance. However, there are two ways in which the protection can by bypassed: the first requires that the Chip and PIN terminal has a poorly designed random generation (which we have observed in the wild); the second requires that the Chip and PIN terminal or its communications back to the bank can be tampered with (which again, we have observed in the wild).

“Observed in the wild” means that the flaws the researchers discovered were not laboratory created, they were actually present in standard-issued EMV credit cards! What’s more, the research paper’s abstract notes that “more than a year after our initial responsible disclosure of these flaws to the banks, action has only been taken to mitigate the first of them, while we have seen a likely case of the second in the wild, and the spread of ATM and POS malware is making it ever more of a threat.”

The primary point is this: Without additional technology safeguards, EMV credit card chips will become as irrelevant to securing card-present payment transactions as they are in the online environment. A layered security approach is the best approach for slowing cybercriminals.

Want to learn more about EMV or small business data security in general?  Click here or give us a call at 1-800-825-3301 x 2. We’d be happy to help.

Leave a Comment