Black Hat 2014: A New Smartcard Hack
I think that eventually we will get to chip, PIN, and picture, or chip, PIN, and print, but it’s going to take a few more massive systems break-ins before the Payment Card Industry (PCI) recognizes the need to invest in those systems and infrastructure.
“Picture” could also be a camera system doing facial recognition, and print could also be taken while entering the PIN to make things easier on the consumer.
According to new research, chip-based “Smartcard” credit and debit cards—the next-generation replacement for magnetic stripe cards—are vulnerable to unanticipated hacks and financial fraud. Stricter security measures are needed, the researchers say, as well as increased awareness of changing terms-of-service that could make consumers bear more of the financial brunt for their hacked cards.
The work is being presented at this week’s Black Hat 2014 digital security conference in Las Vegas. Ross Anderson, professor of security engineering at Cambridge University, and co-authors have been studying the so-called Europay-Mastercard-Visa (EMV) security protocols behind emerging Smartcard systems.
Though the chip-based EMV technology is only now being rolled out in North America, India, and elsewhere, it has been in use since 2003 in the UK and in more recent years across continental Europe as well. The history of EMV hacks and financial fraud in Europe, Anderson says, paints not nearly as rosy a picture of the technology as its promoters may claim.