
[Security] Credit Card Authorization Compromised

Security experts from the Computer Laboratory of the University of Cambridge have compromised the electronic authorization and verification process of major credit and debit cards like EC-Card, Eurocard, Mastercard and VISA (EMV).

The team of computer scientists around Steven Murdoch found a flaw in the EMV protocol which allows criminals to use a stolen genuine card to make a payment without knowing the card’s PIN.

Using a man-in-the-middle attack, they trick the electronic terminal into believing the PIN was verified correctly while telling the terminal to step back into signature-based authorization mode.
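
A defensive illustration of the mismatch this attack creates, added here and not taken from the Cambridge paper or this post's sources: an issuer-side check that compares the terminal's report that a PIN was verified with the card's own record. The `AuthRequest` type, the card flag bits and the sample data are assumptions made for the example.

```python
from dataclasses import dataclass

# EMV CVM Results: byte 1 = method performed (low 6 bits), byte 3 = outcome.
OFFLINE_PIN_METHODS = {0x01, 0x03, 0x04, 0x05}  # PIN checked by the card itself
CVM_SUCCESSFUL = 0x02

# Assumed (hypothetical) layout of the card's own verification flags byte;
# real layouts are issuer-specific.
CARD_PIN_PERFORMED = 0x08
CARD_PIN_FAILED = 0x04


@dataclass
class AuthRequest:
    txn_id: str
    cvm_results: bytes  # reported by the terminal
    card_flags: int     # generated by the card (assumed to be integrity-protected)


def terminal_claims_offline_pin(cvm_results: bytes) -> bool:
    """True if the terminal reports a successful PIN check done by the card."""
    if len(cvm_results) != 3:
        raise ValueError("CVM Results must be exactly 3 bytes")
    method = cvm_results[0] & 0x3F
    return method in OFFLINE_PIN_METHODS and cvm_results[2] == CVM_SUCCESSFUL


def card_confirms_pin(card_flags: int) -> bool:
    """True if the card itself recorded a PIN check that did not fail."""
    return bool(card_flags & CARD_PIN_PERFORMED) and not card_flags & CARD_PIN_FAILED


def verdict(req: AuthRequest) -> str:
    terminal = terminal_claims_offline_pin(req.cvm_results)
    card = card_confirms_pin(req.card_flags)
    if terminal and not card:
        return "DECLINE: terminal reports PIN verified, card did not verify one"
    if card and not terminal:
        return "REVIEW: card verified a PIN the terminal did not report"
    return "OK"


# Constructed sample authorizations (not real transaction data).
SAMPLES = [
    AuthRequest("t1", bytes.fromhex("410302"), 0x08),  # PIN on both sides
    AuthRequest("t2", bytes.fromhex("1e0300"), 0x00),  # signature on both sides
    AuthRequest("t3", bytes.fromhex("410302"), 0x00),  # the two sides disagree
    AuthRequest("t4", bytes.fromhex("440302"), 0x0C),  # card recorded a failed PIN
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.txn_id, verdict(sample))
```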

This being said, credit card companies and banks worldwide will no longer be able to hide behind the claim that their systems are secure and that customers whose credit cards have been stolen did not observe the rule to destroy their credit card’s PIN. Insurance companies, take care: customers’ recourse claims against issuing banks are coming.

Links:
» IEEE Symposium on Security and Privacy: Chip and PIN is Broken (PDF)
» BBC.co.uk: New flaws in chip and PIN system revealed
» University of Cambridge: Computer Laboratory

Documentary is courtesy of BBC.co.uk