Enter the EMV (named after Europay, Mastercard and Visa) protocol or "Chip and Pin".
This technology places a chip in every participating credit and/or debit card. The chip allows the user to digitally authorize a transaction at a point-of-sale (POS) terminal by entering a PIN or providing a signature. This feature was hailed as a panacea that would eliminate credit card fraud by adding another, digital, layer of complexity to the transaction.
To date there are over 1 billion EMV compliant smart cards in circulation worldwide. Here is a map of the areas in which EMV is deployed:
Great, so now over 1 billion card holders have bulletproof transactions right? WRONG.
In February 2010, Ross Anderson, Professor of Security Engineering at Cambridge University, along with his colleagues, published, and blogged about, a paper entitled "Chip and Pin is Broken".
As the title suggests, they found a fatal flaw in the current iteration of EMV. In their words:
"The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists’ cards. The transactions went through fine and the receipts say “Verified by PIN”."
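To make concrete what "not authenticated" means in that quote, here is an added example written for this page (not code from the Cambridge paper or from the blog): a toy Python model of the terminal, the card and a wedge placed between them. The class names, the `authenticate_cvm` switch, and the sample key and PIN are this example's own assumptions; real EMV commands and data formats are not reproduced. In the flawed mode the issuer's check covers only the amount, so the terminal's "Verified by PIN" claim is never compared with the card's own record that no PIN was ever checked; in the hardened mode the card's cryptogram also covers that record, so the issuer sees the mismatch and declines.

```python
import hashlib
import hmac

# Constructed, simplified model of the EMV cardholder-verification step.
# Names, messages and the "authenticate_cvm" switch are this example's own
# assumptions, not EMV's real command set or data formats.

CVM_PIN = "PIN"
CVM_SIGNATURE = "SIGNATURE"
CVM_NONE = "NONE"


class Card:
    """Toy chip card: checks a PIN and MACs the transaction for its issuer."""

    def __init__(self, pin: str, issuer_key: bytes):
        self.pin = pin
        self.issuer_key = issuer_key  # constructed secret shared with the issuer
        self.cvm_seen = CVM_NONE      # the card's own record of how the holder was verified

    def verify_pin(self, pin: str) -> bool:
        ok = hmac.compare_digest(self.pin.encode(), pin.encode())
        if ok:
            self.cvm_seen = CVM_PIN
        return ok

    def generate_cryptogram(self, amount: int, authenticate_cvm: bool) -> dict:
        # Flawed mode: the MAC covers only the amount, so nothing binds the
        # card's view of the CVM to the transaction. Hardened mode: the MAC also
        # covers the card's CVM record, so the issuer can detect a mismatch
        # with what the terminal claims.
        data = str(amount) + ("|" + self.cvm_seen if authenticate_cvm else "")
        mac = hmac.new(self.issuer_key, data.encode(), hashlib.sha256).hexdigest()
        return {"amount": amount, "mac": mac}


class Wedge:
    """Man-in-the-middle between terminal and card: passes everything through
    except PIN verification, which it answers itself without asking the card."""

    def __init__(self, card: Card):
        self.card = card

    def verify_pin(self, pin: str) -> bool:
        return True  # never forwarded, so the card's record stays NONE

    def generate_cryptogram(self, amount: int, authenticate_cvm: bool) -> dict:
        return self.card.generate_cryptogram(amount, authenticate_cvm)


class Terminal:
    """POS terminal: trusts whatever its card interface says about the PIN."""

    def __init__(self, card_iface):
        self.card = card_iface

    def run(self, amount: int, pin_entered: str, authenticate_cvm: bool):
        pin_ok = self.card.verify_pin(pin_entered)
        terminal_cvm = CVM_PIN if pin_ok else CVM_SIGNATURE  # fall back to signature
        cryptogram = self.card.generate_cryptogram(amount, authenticate_cvm)
        return terminal_cvm, cryptogram


def issuer_authorise(issuer_key: bytes, terminal_cvm: str, cryptogram: dict,
                     authenticate_cvm: bool) -> bool:
    """Issuer recomputes the MAC over what the terminal claims happened.
    A PIN claim requires the card to have recorded a PIN check; a signature
    claim requires the card to have recorded none."""
    expected_record = CVM_PIN if terminal_cvm == CVM_PIN else CVM_NONE
    data = str(cryptogram["amount"]) + ("|" + expected_record if authenticate_cvm else "")
    expected_mac = hmac.new(issuer_key, data.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_mac, cryptogram["mac"])


def run_transaction(amount: int, pin_entered: str, wedge: bool, authenticate_cvm: bool) -> dict:
    issuer_key = b"constructed-issuer-key"          # constructed sample key
    card = Card(pin="1234", issuer_key=issuer_key)  # constructed sample PIN
    terminal = Terminal(Wedge(card) if wedge else card)
    terminal_cvm, cryptogram = terminal.run(amount, pin_entered, authenticate_cvm)
    approved = issuer_authorise(issuer_key, terminal_cvm, cryptogram, authenticate_cvm)
    return {"approved": approved, "receipt": "Verified by " + terminal_cvm,
            "card_cvm": card.cvm_seen}


if __name__ == "__main__":
    for wedge, hardened in [(False, False), (True, False), (True, True)]:
        r = run_transaction(2500, "0000" if wedge else "1234", wedge, hardened)
        print(f"wedge={wedge} cvm_authenticated={hardened} -> {r}")
```

Running the script prints three rows: an honest PIN transaction is approved; with the wedge and a PIN of 0000 the flawed mode still approves and the receipt reads "Verified by PIN" while the card recorded NONE; with the card's CVM record bound into the cryptogram, the same wedged transaction is declined because the issuer's recomputed MAC no longer matches.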
In order to prove their point, they built a test rig that would allow them to exploit this flaw in a real life situation, and they asked the BBC to tag along. Here are the results:
Isn't it funny how all the banks contacted by the BBC said EXACTLY THE SAME THING?!
Basically: it's an industry problem, we're not the only ones using this technology. What is this, kindergarten?
So instead of apologizing profusely, alerting their customers and immediately fixing the problem, what do they do? They try to suppress the work done by the Cambridge team!
Here is a letter sent by the UK Cards Association to Cambridge. Here's a key quote:
"Our key concern, therefore, is that this type of research was ever considered suitable for publication by the University. It gives us cause to worry that future research, which may potentially be more damaging, may also be published in this level of detail."
"Consequently we would ask that this research be removed from public access immediately and would hope that you are able to give us comfort about your policy towards future disclosures."
Do you see the arrogance?
In other words they are saying: we know you exposed a serious flaw in our technology that consumers will end up paying for, but we don't want to do anything about it and bullying you into removing this information from the public domain is easier than fixing the problem.
Luckily, Professor Anderson is no pushover. He responded with a scathing letter back to the UK Cards Association. Some highlights:
"Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar’s, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent."
"You complain that our work may undermine public confidence in the payments system. What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it."
I say we give a standing ovation to Professor Ross and his team, not only for doing excellent research in exposing this flaw, but also for standing their ground and refusing to be bullied by these incompetent and arrogant banksters.