French forensics researchers have dissected a real-world case in which criminals have outsmarted the chip-and-pin system with a seamless chip-switching trick—and pulled off the feat with a slip of plastic that’s almost indistinguishable from a normal credit card.
Ken Westin, Senior Security Analyst at Tripwire, says: “As the U.S. moves to chip and PIN, many are mistaken in thinking that this will end the rash of retail breaches. Chip and PIN will not mitigate the mass exfiltration of credit cards from retailers, but instead will make card-present related fraud more difficult as it makes card counterfeit difficult. This will help to decrease the number of breaches, but simply due to less demand in underground markets for the stolen credit cards.
Even with chip and PIN many of the vulnerabilities in point-of-sale and payment systems will still remain. These criminal syndicates are also highly persistent and will continue to find vulnerabilities in these systems, including chip and PIN.”
Tim Erlin, Director of Security and Product Management at Tripwire adds: “Because the US is implementing the less secure ‘chip-and-signature’ instead of ‘chip-and-pin,’ this specific attack isn’t relevant in the United States.
Security researchers have had little doubt that criminals would ultimately find ways to defeat the protections EMV provides. Securing these transactions isn’t something that’s ever finished. It’s an ongoing arms race.
While this attack allows for the use of a stolen card, it doesn’t provide the ability to create counterfeit cards from stolen data, which is the primary use case against which EMV protects.”