Thursday, March 17, 2011

Credit Card skimming and PIN harvesting in an EMV world

Chip & PIN is definitely broken

At the CanSecWest security conference held in Vancouver last week, four security researchers demonstrated the practicability of chip card skimming attacks – both with an insecure class of chip (SDA) and with a class that has been considered secure (DDA). EC and credit cards chipped according to EMV specifications are designed to hamper "skimming", an attack method which involves intercepting a user's card and PIN data.

Skimming attacks aren't an altogether new idea and can also be carried out with devices such as keyboard attachments. In their presentation, entitled "Credit Card skimming and PIN harvesting in an EMV world", however, the four researchers describe how a flat circuit board inside the card slot can be used to intercept and manipulate the communication between terminal and chip in order to obtain a user's PIN. A circuit board is far more discreet than a wobbly, glued-on attachment.



