Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
Italian researchers presented a crack for the chip-and-PIN card verification system that makes it possible to skim a PIN to be used with a stolen card.
Security researchers at Inverse Path built a prototype skimmer to be inserted invisibly into an electronic point-of-sale terminal to intercept the interface between the terminal and a card's chip.
The researchers, presenting at the CanSecWest conference in Vancouver, discovered a disconnect between the process that a terminal uses to verify a card, and the process that the bank uses to verify the transaction with the terminal. The weakness lies in a file contained on the card, called the Cardholder Verification Method (CVM) list. This list, presented by the card to the terminal, tells the terminal which methods should be used to verify the card (such as a paper signature or a PIN).
The team discovered that a terminal will honour a tampered CVM, enabling the CVM to be altered. It then becomes possible to force a plain text verification of the PIN, enabling the skimmer to harvest the number.
"If you steal a card that has been previously skimmed, you can enable full use of the card completely undetected by the backend," said Andrea Barisani, chief security engineer at the consulting firm. "EMV should probably be replaced by something that has full cryptography from the beginning to the end. This can be done by the smartcard, and we don't know why it wasn't done before."
Although skimmers have been used in ATMs for years, the devices have focused on skimming magnetic stripe data. Institutions have protected chip-an-PIN cardholders from magnetic stripe cloning by using a three-digit code, called the iCVV, on a chip. That code is separate from the existing CVV used on a magstripe.
In truth, said Barisani, it would be financially unrealistic for the entire banking system to rollback the system, which has already been universally deployed in Europe, and which is in the advanced state of rollout in Canada. The United States is the only major Western market yet to adopt the EMV standard across retail networks.
This article originally appeared at scmagazineus.com
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.