Chip and PIN is Broken

@article{Murdoch2010ChipAP,
  title={Chip and PIN is Broken},
  author={Steven J. Murdoch and Saar Drimer and Ross J. Anderson and Mike Bond},
  journal={2010 IEEE Symposium on Security and Privacy},
  year={2010},
  pages={433-446}
}
EMV is the dominant protocol used for smart card payments worldwide, with over 730 million cards in circulation. Known to bank customers as “Chip and PIN”, it is used in Europe; it is being introduced in Canada; and there is pressure from banks to introduce it in the USA too. EMV secures credit and debit card transactions by authenticating both the card and the customer presenting it through a combination of cryptographic authentication codes, digital signatures, and the entry of a PIN. In this…
Chip and Skim: Cloning EMV Cards with the Pre-play Attack
TLDR
How the vulnerability was detected, a survey methodology developed to chart the scope of the weakness, evidence from ATM and terminal experiments in the field, and the implementation of proof-of-concept attacks are described, and countermeasures are discussed.
Be prepared: The EMV pre-play attack
TLDR
This work discovered two protocol flaws in EMV: first, the lack of a terminal ID to identify involved parties, and second that the nonce is not generated by the relying party, which makes EMV vulnerable to the pre-play attack.
Examining Users’ Understanding of Security Failures in EMV Smart Card Payment Systems
TLDR
The issues, failures and fraudulent cases associated with EMV Chip-And-Card technology are discussed, and people’s understanding of these issues and the consequential precautions they take to safeguard their information while using the EMV cards for transactions are evaluated.
Security Analysis of EMV Protocol and Approaches for Strengthening It
TLDR
Although EMV cards are widely adopted around the world, they are still amenable to attacks, as the analysis reveals.
Security Failures in EMV Smart Card Payment Systems
  • Z. Ahmad, A. Zeki, Akeem Olowolayemo
  • Computer Science
  • 2016 6th International Conference on Information and Communication Technology for The Muslim World (ICT4M)
  • 2016
TLDR
The issues, failures and fraudulent cases associated with EMV Chip-And-Card technology are discussed.
Cloning Credit Cards: A Combined Pre-play and Downgrade Attack on EMV Contactless
TLDR
This paper introduces an attack scenario on EMV contactless payment cards that permits an attacker to create functional clones of a card that contain the necessary credit card data as well as pre-played authorization codes.
Might Financial Cryptography Kill Financial Innovation? - The Curious Case of EMV
TLDR
It is predicted that EMV will be adapted to use cards as keys; the DDA signature is found to be usable by third parties, and this is expected to be used when customers use a card to retrieve already-purchased goods such as air tickets.
Card Brand Mixup Attack: Bypassing the PIN in non-Visa Cards by Using Them for Visa Transactions
TLDR
This paper shows that it is possible to induce a mismatch between the card brand and the payment network, from the terminal’s perspective, and extends the formal model of the EMV contactless protocol to machine-check fixes to the issues found.
The Dangers of Verify PIN on Contactless Cards
Contactless / Near Field Communication (NFC) card payments are being introduced around the world, allowing customers to use a card to pay for small purchases by simply placing the card onto the Point…
Designed to Fail: A USB-Connected Reader for Online Banking
We present a security analysis of an internet banking system used by one of the bigger banks in the Netherlands, in which customers use a USB-connected device --- a smartcard reader with a display…

References

SHOWING 1-10 OF 33 REFERENCES
Thinking Inside the Box: System-Level Failures of Tamper Proofing
TLDR
It is demonstrated that the tamper proofing of PEDs is unsatisfactory, as is the certification process, and changes to the Common Criteria framework are recommended in light of the lessons learned.
Chip and spin
The views of the authors regarding the liability issues, technical shortcomings and management failures of 'Chip and PIN' card payments are discussed. The UK banks do have a voluntary code of…
Keep Your Enemies Close: Distance Bounding Against Smartcard Relay Attacks
TLDR
A new defence based on a distance bounding protocol is described and implemented, which requires only modest alterations to current hardware and software and could provide cost-effective resistance to relay attacks, which are a genuine threat to deployed applications.
Risks and Potentials of Using EMV for Internet Payments
TLDR
This paper analyzes EMV'96, a representative example of an existing payment smartcard specification, and investigates which security requirements for an Internet payment system can and cannot be met when using EMV for Internet payments.
Fail-Stop Protocols: An Approach to Designing Secure Protocols (Preprint)
TLDR
A novel notion of a fail-stop protocol is proposed, which automatically halts in response to any active attack that interferes with protocol execution, thus reducing protocol security analysis to that of passive attacks only.
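VISA International: A Study of the Mechanisms and Characteristics of a Chaordic Organization
VISA International has created an intelligent organization that integrates organizational learning, knowledge management and complexity theory. It is a new organizational paradigm with self-organizing capability that strikes a balance between "chaos" and "order" and produces a mechanism that coordinates competition and cooperation, making the organization both adaptive and innovative. VISA International embodies the core nature of an information-based, knowledge-based organization and is well worth learning from for Chinese enterprises.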
Available: http://www.xilinx.com/products/devkits/HW-SPAR3E-SK-US-G.htm
  • BLADOX Turbo SIM
  • 2010
Chip and PIN is broken
  • Light Blue Touchpaper, February 2010. [Online]. Available: http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/
  • 2010
EMV PIN verification “wedge” vulnerability
  • February 2010. [Online]. Available: http://www.cl.cam.ac.uk/research/security/banking/nopin/
  • 2010
2008 fraud figures announced by APACS
  • March 2009. [Online]. Available: http://www.ukpayments.org.uk/media_centre/press_releases/-/page/685/
  • 2009