Tuesday, February 16, 2010

Why we shouldn't write off chip-and-PIN just yet

There has been some pretty wild speculation in the last few days that the death of chip-and-PIN is inevitable, based on a man-in-the-middle attack demonstrated by computer security researchers at the University of Cambridge.

According to the Cambridge researchers, there are over 730 million payment smart cards in circulation worldwide using the EMV (Europay, MasterCard & Visa) protocol (2008 figures). Known to bank customers as “Chip and PIN”, it is widely used in Europe, is being introduced in Canada, and there is pressure from banks to introduce it in the USA.

Since its introduction in the UK the fraud landscape has changed significantly: lost and stolen card fraud is down, and counterfeit card fraud experienced a two-year lull. Inconvenient, then, that the researchers now claim the protocol is broken.

Apparently, the Cambridge researchers succeeded in building a man-in-the-middle device that sits between a genuine (stolen) card and the terminal. It relays the normal exchange, but when the terminal sends the card the command to check the PIN, the device answers with the "PIN verified" status code itself, whatever was typed, and never passes the command on to the card. The terminal therefore records a successful PIN check, while the card believes that no PIN check took place, and neither side notices the contradiction. Of course, the device still needs a way to talk to the card reader, and this is achieved by inserting a fake card into the reader, connected to the device by a bundle of wires.
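To make the exchange above concrete, here is a small simulation I have added; it is not code from the original post, nor from the Cambridge researchers. The command layout (CLA 00, INS 20, P2 80 with an 8-byte format-2 PIN block) and the status words 9000 (success) and 63Cx (x retries left) follow EMV's VERIFY command, but the Card, Terminal and wedge_channel objects are my own simplified stand-ins, and issuer_check is one consistency check I have assumed an issuer could apply, not something the post or the researchers describe: a real card records the outcome in its Card Verification Results rather than a single boolean.

```python
"""Simulation of an EMV offline-PIN VERIFY exchange, honest and wedged.

Constructed illustration: the APDU format and status words are EMV's,
everything else is a simplified stand-in for the real card and terminal.
"""

SW_OK = bytes.fromhex("9000")          # command succeeded
SW_BLOCKED = bytes.fromhex("6983")     # PIN try counter exhausted
SW_BAD_INS = bytes.fromhex("6D00")     # instruction not supported


def build_verify_apdu(pin: str) -> bytes:
    """VERIFY with a plaintext ISO 9564 format-2 PIN block (CLA 00 INS 20 P1 00 P2 80 Lc 08)."""
    assert 4 <= len(pin) <= 12 and pin.isdigit()
    block = bytes.fromhex(f"2{len(pin):X}{pin}".ljust(16, "F"))
    return bytes([0x00, 0x20, 0x00, 0x80, 0x08]) + block


class Card:
    """Toy card: checks the PIN block and remembers whether a PIN was ever verified."""

    def __init__(self, pin: str, tries: int = 3):
        self._pin = pin
        self.tries = tries
        self.pin_verified = False  # stand-in for the card's own verification record

    def process(self, apdu: bytes) -> bytes:
        if apdu[:4] != bytes([0x00, 0x20, 0x00, 0x80]):
            return SW_BAD_INS
        if self.tries == 0:
            return SW_BLOCKED
        block = apdu[5:13]
        length = block[0] & 0x0F
        pin = block.hex()[2:2 + length]
        if pin == self._pin:
            self.pin_verified = True
            return SW_OK
        self.tries -= 1
        return bytes([0x63, 0xC0 | self.tries])  # 63Cx: x tries remaining


class Terminal:
    """Toy terminal: sends VERIFY over a channel and records the result it was told."""

    def __init__(self, channel):
        self.channel = channel
        self.cvm_pin_ok = False  # what the terminal will report as "PIN verified"

    def verify_pin(self, pin: str) -> bool:
        self.cvm_pin_ok = self.channel(build_verify_apdu(pin)) == SW_OK
        return self.cvm_pin_ok


def honest_channel(card: Card):
    """Terminal talks straight to the card."""
    return card.process


def wedge_channel(card: Card):
    """The man-in-the-middle: answers VERIFY itself and never forwards it to the card."""
    def relay(apdu: bytes) -> bytes:
        if apdu[1] == 0x20:
            return SW_OK
        return card.process(apdu)
    return relay


def run(pin_entered: str, card_pin: str, wedged: bool):
    """Return (terminal thinks PIN ok, card saw PIN verified, card tries left)."""
    card = Card(card_pin)
    term = Terminal(wedge_channel(card) if wedged else honest_channel(card))
    term_ok = term.verify_pin(pin_entered)
    return term_ok, card.pin_verified, card.tries


def issuer_check(terminal_pin_ok: bool, card_pin_verified: bool) -> bool:
    """Hypothetical issuer-side check: True means the two records disagree and the
    transaction should be flagged (terminal says PIN verified, card says it never was)."""
    return terminal_pin_ok and not card_pin_verified


if __name__ == "__main__":
    for label, args in [("honest, right PIN", ("1234", "1234", False)),
                        ("honest, wrong PIN", ("0000", "1234", False)),
                        ("wedged, wrong PIN", ("0000", "1234", True))]:
        term_ok, card_ok, tries = run(*args)
        print(f"{label:18} terminal={term_ok} card={card_ok} tries={tries} "
              f"flag={issuer_check(term_ok, card_ok)}")
```

The wedged run is the interesting one: the terminal reports the PIN as verified, yet the card never decremented its try counter and never recorded a verification, which is exactly the disagreement the last function looks for.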

So, it is an interesting attack, to be sure. However, you would need a valid stolen card to start with (OK, not impossible) plus a backpack full of electronic gear and a fake card dangling from some wires. Obvious enough to tip off the merchant that something is afoot, do you think?

Here in France, where chip-and-PIN has been in use successfully for over a decade, many retailers have portable card reading terminals. They will take your card from you, insert it into the reader themselves, and pass the terminal back for you to enter your PIN. Not much opportunity to use a fake card with an umbilical cord there, then!

Even with fixed readers at the point of sale (POS), the fraudster would have to keep one hand in an unnatural position over the card slot for the whole transaction, whilst entering the PIN with the other, so it is hard to believe that no alarm would be raised (they would look like some weird, deformed, miniature concert pianist in action!)

In other words, even though a genuine flaw in the EMV protocol has been found, to claim that chip-and-PIN is broken on the back of it is a bit harsh. Indeed, simple changes to how cards are handled at the till, such as the merchant inserting the card rather than the customer, would be enough to foil any attempt to use this equipment.

People are claiming that they have experienced fraudulent debits from their accounts via chip-and-PIN cards. The banks are denying liability because subsequent investigations show that the transaction was recorded as having had a valid PIN entered. Leaving aside that it is highly unlikely that any of these fraudulent withdrawals were made with the Cambridge equipment (nor is it likely that any will be in the near future), these sorts of claims always make the papers.

The less newsworthy reality, however, is that the majority of these withdrawals will be the result of careless disclosure of the PIN (either by allowing someone an over-the-shoulder view when entering it at the ATM, or by keeping a PIN "cheat sheet" in the wallet or purse) followed by theft or loss of the debit card. Human nature dictates that very few people will own up to these personal failures; they will instead blame the banks in an attempt to recover their money.