==Vulnerabilities==

===Opportunities to harvest PINs and clone magnetic stripes===
In addition to the track-two data on the magnetic stripe, EMV cards generally have identical data encoded on the chip, which is read as part of the normal EMV transaction process. If an EMV reader is compromised to the extent that the conversation between the card and the terminal is intercepted, then the attacker may be able to recover both the track-two data and the PIN, allowing construction of a magnetic stripe card which, while not usable in a Chip and PIN terminal, can be used, for example, in terminal devices that permit fallback to magstripe processing for foreign customers without chip cards and for defective cards. This attack is possible only where (a) the offline PIN is presented in plaintext by the PIN entry device to the card, (b) magstripe fallback is permitted by the card issuer and (c) geographic and behavioural checking is not carried out by the card issuer.{{citation needed|date=March 2020}}

[[APACS]], representing the UK payment industry, claimed that changes specified to the protocol (where card verification values differ between the magnetic stripe and the chip – the iCVV) rendered this attack ineffective and that such measures would be in place from January 2008.<ref>{{cite web|url=http://news.bbc.co.uk/1/hi/programmes/newsnight/7265888.stm|title=How secure is Chip and PIN?|publisher=BBC Newsnight|date=2008-02-26}}</ref> Tests on cards in February 2008 indicated this may have been delayed.<ref>{{cite web| url=http://www.cl.cam.ac.uk/research/security/banking/ped/ |title=PIN Entry Device (PED) vulnerabilities |author=Saar Drimer |author2=Steven J. Murdoch |author3=Ross Anderson |publisher=University of Cambridge Computer Laboratory |access-date=10 May 2015}}</ref>

====Successful attacks====
Conversation capturing is a form of attack which was reported to have taken place against [[Royal Dutch Shell|Shell]] terminals in May 2006, when they were forced to disable all EMV authentication in their petrol stations after more than £1 million was stolen from customers.<ref>{{cite news |url=http://news.bbc.co.uk/2/hi/uk_news/england/4980190.stm |title=Petrol firm suspends chip-and-pin |work=BBC News |date=6 May 2006 |access-date=13 March 2015}}</ref>

In October 2008, it was reported that hundreds of EMV card readers intended for use in Britain, Ireland, the Netherlands, Denmark, and Belgium had been tampered with in China during or shortly after manufacture. For nine months, details and PINs of credit and debit cards were sent over mobile phone networks to criminals in [[Lahore]], Pakistan. United States National Counterintelligence Executive Joel Brenner said, "Previously only a nation state's intelligence agency would have been capable of pulling off this type of operation. It's scary." Stolen data was typically used a couple of months after the card transactions to make it harder for investigators to pin down the vulnerability. After the fraud was discovered it was found that tampered-with terminals could be identified because the additional circuitry increased their weight by about 100 grams.
Tens of millions of pounds are believed to have been stolen.<ref>{{cite news |title=Organized crime tampers with European card swipe devices |publisher=The Register |date=10 October 2008 |url=https://www.theregister.co.uk/2008/10/10/organized_crime_doctors_chip_and_pin_machines/}}</ref> This vulnerability spurred efforts to implement better control of POS devices over their entire lifecycle, a practice endorsed by electronic payment security standards like those being developed by the Secure POS Vendor Alliance (SPVA).<ref>{{cite web|title=Technical Working Groups, Secure POS Vendor Alliance |year=2009 |url=http://www.spva.org/technicalWorking.aspx/ |url-status=dead |archive-url=https://web.archive.org/web/20100415180123/http://www.spva.org/technicalWorking.aspx |archive-date=15 April 2010 }}</ref>

====PIN harvesting and stripe cloning====
In a February 2008 BBC ''[[Newsnight]]'' programme, Cambridge University researchers [[Steven Murdoch]] and Saar Drimer demonstrated one example attack, to illustrate that Chip and PIN is not secure enough to justify passing the liability to prove fraud from banks onto customers.<ref>{{Cite news| url=http://news.bbc.co.uk/1/hi/programmes/newsnight/7265437.stm | work=BBC News | title=Is Chip and Pin really secure? | date=26 February 2008 | access-date=2 May 2010}}</ref><ref>{{cite news |title=Chip and pin |url=https://www.bbc.co.uk/consumer/tv_and_radio/watchdog/reports/insurance_and_finance/insurance_20070206.shtm |date=6 February 2007 |df=dmy |archive-url=https://web.archive.org/web/20070705052347/http://www.bbc.co.uk/consumer/tv_and_radio/watchdog/reports/insurance_and_finance/insurance_20070206.shtml |archive-date=5 July 2007 |url-status=dead }}</ref> The Cambridge University exploit allowed the experimenters to obtain both the card data needed to create a magnetic stripe and the PIN.
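The iCVV measure described earlier in this section can be seen in a small issuer-side check. The following is an added example, not code from the cited research or from any card scheme: the genuine CVV and iCVV are three decimal digits computed with 3DES under a Card Verification Key, and a truncated HMAC-SHA256 stands in for that here so the example runs offline; the key, card number, expiry and service code are constructed values.

```python
"""Why the iCVV defeats a magnetic stripe cloned from chip track-2 data.

Added illustration, not code from the cited research or any card scheme.
The genuine CVV/iCVV are three decimal digits computed with 3DES under a
Card Verification Key; a truncated HMAC-SHA256 stands in for that here so
the example runs offline.  Key and card data are constructed values.
"""
import hashlib
import hmac

CVK = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed issuer key


def cvv(pan: str, expiry: str, service_code: str, key: bytes = CVK) -> str:
    """Card verification value over PAN, expiry (YYMM) and service code.

    The iCVV is the same computation with the service code replaced by
    '999', so it never matches the value encoded on the magstripe.
    """
    msg = f"{pan}{expiry}{service_code}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]


def personalise(pan: str, expiry: str, service_code: str = "201", icvv: bool = True) -> dict:
    """Track-2 data written to the magstripe and to the chip's Track 2 Equivalent Data.

    icvv=False models the earlier cards on which both copies carried the same CVV.
    """
    stripe_cvv = cvv(pan, expiry, service_code)
    chip_cvv = cvv(pan, expiry, "999") if icvv else stripe_cvv
    return {
        "magstripe": f"{pan}={expiry}{service_code}{stripe_cvv}",
        "chip": f"{pan}={expiry}{service_code}{chip_cvv}",
    }


def clone_from_chip(card: dict) -> str:
    """Attacker with a tampered reader: copy the chip's track-2 data onto a blank stripe."""
    return card["chip"]


def parse_track2(track2: str) -> dict:
    pan, rest = track2.split("=")
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7], "cvv": rest[7:]}


def issuer_authorise_swipe(track2: str, key: bytes = CVK) -> bool:
    """Issuer host check for a swiped (magstripe or fallback) transaction.

    Recompute the CVV from the track exactly as presented; an iCVV sitting in
    the CVV position cannot match because it was derived with service code 999.
    """
    t = parse_track2(track2)
    expected = cvv(t["pan"], t["expiry"], t["service_code"], key)
    return hmac.compare_digest(expected, t["cvv"])


if __name__ == "__main__":
    card = personalise("4000001234567899", "2512")
    print("genuine swipe:", issuer_authorise_swipe(card["magstripe"]))
    print("stripe cloned from chip:", issuer_authorise_swipe(clone_from_chip(card)))
    old = personalise("4000001234567899", "2512", icvv=False)
    print("clone of a pre-iCVV card:", issuer_authorise_swipe(clone_from_chip(old)))
```

The check only helps if the issuer actually recomputes the CVV for fallback transactions and declines on mismatch; an issuer that accepts fallback swipes without the CVV check (condition (c) above) gets no benefit from the iCVV.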
[[APACS]], the UK payments association, disagreed with the majority of the report, saying "The types of attack on PIN entry devices detailed in this report are difficult to undertake and not currently economically viable for a fraudster to carry out."<ref>{{cite news |author=John Leyden |date=27 February 2008 |title=Paper clip attack skewers Chip and PIN |publisher=The Channel |url=http://www.channelregister.co.uk/2008/02/27/credit_card_reader_security_pants/ |access-date=10 May 2015}}</ref> They also said that changes to the protocol (specifying different card verification values between the chip and magnetic stripe – the iCVV) would make this attack ineffective from January 2008.

In August 2016, [[NCR Corporation]] security researchers showed how credit card thieves can rewrite the service code on a magnetic stripe so that the card appears to be a chipless card, which allows for counterfeiting.{{citation needed|date=March 2020}}

===2010: Hidden hardware disables PIN checking on stolen card===
{{Wikinews|Chip and PIN 'not fit for purpose', says Cambridge researcher}}
On 11 February 2010, Murdoch and Drimer's team at Cambridge University announced that they had found "a flaw in chip and PIN so serious they think it shows that the whole system needs a re-write" that was "so simple that it shocked them". A stolen card is connected to an electronic circuit and to a fake card which is inserted into the terminal (a "[[man-in-the-middle attack]]"). Any four digits can be typed in and accepted as a valid PIN.<ref name=EMVPINverificationwedgevulnerability>{{cite web | author = Steven J. Murdoch |author2=Saar Drimer |author3=Ross Anderson |author4=Mike Bond | title = EMV PIN verification "wedge" vulnerability | publisher = Computer Laboratory, University of Cambridge | url = http://www.cl.cam.ac.uk/research/security/banking/nopin/ | access-date = 2010-02-12}}</ref><ref name=BBC201002>{{cite news |author=Susan Watts |url=https://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html |work=BBC News |title=New flaws in chip and pin system revealed |date=11 February 2010 |access-date= 2010-02-12}}</ref>

A team from the BBC's ''Newsnight'' programme visited a Cambridge University cafeteria (with permission) with the system, and were able to pay using their own cards (a thief would use stolen cards) connected to the circuit, inserting a fake card and typing in "0000" as the PIN. The transactions were registered as normal, and were not picked up by banks' security systems. A member of the research team said, "Even small-scale criminal systems have better equipment than we have. The amount of technical sophistication needed to carry out this attack is really quite low." The announcement of the vulnerability said, "The expertise that is required is not high (undergraduate level electronics). We dispute the assertion by the banking industry that criminals are not sophisticated enough, because they have already demonstrated a far higher level of skill than is necessary for this attack in their miniaturized PIN entry device skimmers."
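The wedge sits between the terminal and the stolen card and answers the terminal's PIN check itself. The following added example (not the Cambridge team's code, and not real EMV message encoding) models that exchange: the terminal records its own belief about cardholder verification in the CVM Results it sends to the issuer, while the card records whether it actually saw a successful VERIFY in the Card Verification Results (CVR) that are covered by its cryptogram. Because the wedge never forwards the PIN, the two records disagree, and an issuer that compares them can refuse the transaction. A truncated HMAC-SHA256 stands in for the card's 3DES ARQC; the key, PIN, amount and unpredictable number are constructed values.

```python
"""Model of the 2010 "wedge" PIN-verification bypass and an issuer-side check.

Added illustration, not the Cambridge team's code and not real EMV encoding.
A truncated HMAC-SHA256 stands in for the card's ARQC; key, PIN and amounts
are constructed values.
"""
import hashlib
import hmac

ISSUER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed card key

SW_OK = b"\x90\x00"         # VERIFY accepted
SW_PIN_WRONG = b"\x63\xc2"  # 63Cx: PIN wrong, x tries remaining

CVR_PIN_VERIFIED = b"\x01"      # card saw a successful VERIFY before GENERATE AC
CVR_PIN_NOT_VERIFIED = b"\x00"


class Card:
    """The genuine chip. Its CVR byte is authenticated by the ARQC."""

    def __init__(self, pin: str, key: bytes = ISSUER_KEY):
        self.pin, self.key = pin, key
        self.pin_verified = False

    def verify(self, pin: str) -> bytes:
        self.pin_verified = pin == self.pin
        return SW_OK if self.pin_verified else SW_PIN_WRONG

    def generate_ac(self, amount: int, unpredictable_number: bytes) -> dict:
        cvr = CVR_PIN_VERIFIED if self.pin_verified else CVR_PIN_NOT_VERIFIED
        data = amount.to_bytes(6, "big") + unpredictable_number + cvr
        arqc = hmac.new(self.key, data, hashlib.sha256).digest()[:8]
        return {"cvr": cvr, "arqc": arqc}


class Wedge:
    """Man-in-the-middle circuit between a stolen card and the terminal.

    It answers VERIFY with 9000 itself and never forwards the PIN, so the
    card believes a no-PIN (signature) transaction is in progress.
    """

    def __init__(self, stolen_card: Card):
        self.card = stolen_card

    def verify(self, pin: str) -> bytes:
        return SW_OK  # any four digits "succeed"

    def generate_ac(self, amount: int, unpredictable_number: bytes) -> dict:
        return self.card.generate_ac(amount, unpredictable_number)


def terminal_transaction(icc, amount: int, pin_entered: str, unpredictable_number: bytes):
    """Terminal side: offline PIN CVM, then request an online cryptogram.

    Returns the authorisation request, or None if the PIN was rejected.
    """
    if icc.verify(pin_entered) != SW_OK:
        return None
    ac = icc.generate_ac(amount, unpredictable_number)
    return {
        "amount": amount,
        "un": unpredictable_number,
        "cvm_results": "offline PIN verified",  # terminal's belief (CVM Results, tag 9F34)
        "cvr": ac["cvr"],                        # card's record (carried in Issuer Application Data)
        "arqc": ac["arqc"],
    }


def issuer_authorise(req: dict, key: bytes = ISSUER_KEY, cross_check: bool = True) -> str:
    """Issuer host: validate the ARQC, then optionally compare the two CVM records."""
    data = req["amount"].to_bytes(6, "big") + req["un"] + req["cvr"]
    expected = hmac.new(key, data, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, req["arqc"]):
        return "decline: ARQC invalid"
    if (cross_check and req["cvm_results"] == "offline PIN verified"
            and req["cvr"] != CVR_PIN_VERIFIED):
        return "decline: terminal reports PIN verified but card did not verify a PIN"
    return "approve"


if __name__ == "__main__":
    un = b"\x1a\x2b\x3c\x4d"
    genuine = terminal_transaction(Card("1234"), 2500, "1234", un)
    print("genuine card, right PIN:", issuer_authorise(genuine))
    wedged = terminal_transaction(Wedge(Card("1234")), 2500, "0000", un)
    print("wedge, PIN 0000, no cross-check:", issuer_authorise(wedged, cross_check=False))
    print("wedge, PIN 0000, cross-check:", issuer_authorise(wedged))
```

Without the cross-check the wedged transaction is approved, which is the outcome the ''Newsnight'' cafeteria test produced. The wedge cannot repair the discrepancy by rewriting the CVR byte, because that byte is inside the data the card's cryptogram covers.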
It was not known if this vulnerability had been exploited, but it could explain unresolved cases of claimed fraud.<ref name=BBC201002/> EMVCo disagreed and published a response saying that, while such an attack might be theoretically possible, it would be extremely difficult and expensive to carry out successfully, that current compensating controls are likely to detect or limit the fraud, and that the possible financial gain from the attack is minimal while the risk of a declined transaction or exposure of the fraudster is significant.<ref>{{cite web |title = Response from EMVCo to the Cambridge University Report on Chip and PIN vulnerabilities ('Chip and PIN is Broken' – February 2010) |publisher = EMVCo |url = http://www.emvco.com/documents/EMVCo_response_to_Cambridge_Report.pdf |access-date = 2010-03-26 |archive-url = https://web.archive.org/web/20100508040131/http://www.emvco.com/documents/EMVCo_response_to_Cambridge_Report.pdf |archive-date = 8 May 2010 |url-status = dead |df = dmy-all }}</ref> The Cambridge team disagrees: they carried out the attack without the banks noticing, using off-the-shelf equipment with some unsophisticated additions, and less bulky versions could easily be made.
Those producing such equipment for the attack need not put themselves at risk, but can sell it to anybody via the Internet.<ref name=BBC201002/> When approached for comment, several banks (Co-operative Bank, Barclays and HSBC) each said that this was an industry-wide issue, and referred the ''Newsnight'' team to the banking trade association for further comment.<ref>{{cite web| last1=Susan| first1=Watts| title=New flaws in chip and pin system revealed (11 February 2010)| url=https://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html |website=Newsnight|publisher=BBC|access-date=9 December 2015}}</ref> According to Phil Jones of the [[Which?|Consumers' Association]], Chip and PIN has helped to bring down instances of card crime, but many cases remain unexplained. "What we do know is that we do have cases that are brought forward from individuals which seem quite persuasive."{{citation needed|date=March 2020}}

The attack exploits the fact that the choice of cardholder verification method is not authenticated, which is what allows the man in the middle. The terminal asks for a PIN, receives one, and gets the transaction confirmed by the card, which believes it is performing a chip-and-signature transaction that could legitimately succeed offline. The attack also works online, perhaps because of insufficient checks.<ref>{{cite web |url=https://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/ |title=Chip and PIN is broken |date=2010-02-11 |author=Ross Anderson |quote=It's no surprise to us or bankers that this attack works offline [...] the real shocker is that it works online too}}</ref>

Originally, bank customers had to prove that they had not been negligent with their PIN before getting redress, but UK regulations in force from 1 November 2009 placed the onus on banks to prove that a customer has been negligent in any dispute, with the customer given 13 months to make a claim.<ref name=bankliable>{{cite news |author=Richard Evans |date=15 October 2009 |url=https://www.telegraph.co.uk/finance/personalfinance/consumertips/banking/6338659/Bank-payments-13-months-to-dispute-suspicious-transactions.html |archive-url=https://web.archive.org/web/20091021224314/http://www.telegraph.co.uk/finance/personalfinance/consumertips/banking/6338659/Bank-payments-13-months-to-dispute-suspicious-transactions.html |url-status=dead |archive-date=21 October 2009 |newspaper=The Telegraph |title=Card fraud: banks now have to prove your guilt |access-date=10 May 2015}}</ref> Murdoch said that "[the banks] should look back at previous transactions where the customer said their PIN had not been used and the bank record showed it has, and consider refunding these customers because it could be they are victim of this type of fraud."<ref name=BBC201002/>

===2011: CVM downgrade allows arbitrary PIN harvest===
At the CanSecWest conference in March 2011, Andrea Barisani and Daniele Bianco presented research uncovering a vulnerability in EMV that would allow arbitrary PIN harvesting regardless of the cardholder verification configuration of the card, even when the supported CVM data is signed.<ref>{{cite web |url=http://dev.inversepath.com/download/emv/emv_2011.pdf |year=2011 |publisher=Aperture Labs |title=Chip & PIN is definitely broken |author1=Andrea Barisani |author2=Daniele Bianco |author3=Adam Laurie |author4=Zac Franken |access-date=10 May 2015 |archive-date=19 October 2015 |archive-url=https://web.archive.org/web/20151019074927/http://dev.inversepath.com/download/emv/emv_2011.pdf |url-status=dead }}</ref> The PIN harvesting can be performed with a chip skimmer. In essence, a CVM list that has been modified to downgrade the CVM to offline plaintext PIN is still honoured by POS terminals, despite its signature being invalid.<ref>{{cite web |url=http://dev.inversepath.com/download/emv/blackhat_df-whitepaper.txt |title=EMV – Chip & Pin CVM Downgrade Attack |author=Adam Laurie |author2=Zac Franken |author3=Andrea Barisani |author4=Daniele Bianco |publisher=Aperture Labs and Inverse Path |access-date=10 May 2015 |archive-date=19 October 2015 |archive-url=https://web.archive.org/web/20151019074927/http://dev.inversepath.com/download/emv/blackhat_df-whitepaper.txt |url-status=dead }}</ref>

===PIN bypass===
In 2020, researchers David Basin, Ralf Sasse, and Jorge Toro from [[ETH Zurich]] reported<ref>{{Cite journal|author=D. Basin, R. Sasse, J. Toro-Pozo|title=The EMV Standard: Break, Fix, Verify|url=https://www.computer.org/csdl/proceedings-article/sp/2021/893400a629/1oak9cbOGuQ|journal=2021 IEEE Symposium on Security and Privacy (SP)|year=2020|pages=1766–1781|arxiv=2006.08249}}</ref><ref name=":0">{{Cite web|title=The EMV Standard: Break, Fix, Verify|url=https://emvrace.github.io/}}</ref> a security issue affecting [[Visa Inc.|Visa]] contactless cards: a lack of cryptographic protection of critical data sent by the card to the terminal during an EMV transaction. The data in question determines the cardholder verification method (such as PIN verification) to be used for the transaction. The team demonstrated that it is possible to modify this data to trick the terminal into believing that no PIN is required because the cardholder was verified using their device (e.g. a smartphone). The researchers developed a proof-of-concept [[Android (operating system)|Android]] app that effectively turns a physical Visa card into a mobile payment app (e.g. [[Apple Pay]], [[Google Wallet|Google Pay]]) to perform PIN-free, high-value purchases.
The attack is carried out using two [[Near-field communication|NFC]]-enabled smartphones, one held near the physical card and the other near the payment terminal. The attack might also affect cards from [[Discover Financial|Discover]] and China's [[UnionPay]], but this was not demonstrated in practice, in contrast to Visa cards.

In early 2021, the same team disclosed that [[Mastercard]] cards are also vulnerable to a PIN bypass attack. They showed that criminals can trick a terminal into transacting with a Mastercard contactless card while believing it to be a Visa card. This ''card brand mixup'' has critical consequences, since it can be combined with the PIN bypass for Visa to also bypass the PIN for Mastercard cards.<ref name=":0" />
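The Visa issue above turns on the terminal acting on the card's Card Transaction Qualifiers (CTQ) even though the card's signed dynamic data does not cover them. The following added example (not the ETH Zurich team's code or app) models the relay: the phone near the card reads the CTQ and signature, the phones in between clear the "online PIN required" bit and set the "consumer device CVM performed" bit, and the terminal's signature check still passes because the CTQ was never signed. It then shows the direction of the fix proposed in the cited paper, having the card include the CTQ in the data it signs. A truncated HMAC-SHA256 stands in for the card's RSA signature (SDAD), and the card key, amount, currency, unpredictable number and the CTQ bit positions are constructed or assumed here.

```python
"""Relay modification of Visa contactless CTQ, and binding CTQ into signed data.

Added illustration, not the ETH Zurich team's code.  A truncated HMAC-SHA256
stands in for the card's RSA signature over dynamic data (SDAD); card key,
amounts and the CTQ bit positions used are constructed/assumed.
"""
import hashlib
import hmac

CARD_KEY = bytes.fromhex("fedcba9876543210fedcba9876543210")  # stand-in for the card key pair

CTQ_ONLINE_PIN_REQUIRED = 0x80  # byte 1, bit 8 (position as assumed here)
CTQ_CDCVM_PERFORMED = 0x80      # byte 2, bit 8 (position as assumed here)


def sign_dynamic_data(un: bytes, amount: int, currency: bytes, ctq: bytes, bind_ctq: bool) -> bytes:
    """Card's signed dynamic data.

    bind_ctq=False models the reported behaviour: CTQ is not covered by the signature.
    """
    data = un + amount.to_bytes(6, "big") + currency + (ctq if bind_ctq else b"")
    return hmac.new(CARD_KEY, data, hashlib.sha256).digest()[:8]


def card_response(un: bytes, amount: int, currency: bytes, ctq: bytes, bind_ctq: bool = False) -> dict:
    """What the phone held near the card reads from it for this transaction."""
    return {"ctq": ctq, "sdad": sign_dynamic_data(un, amount, currency, ctq, bind_ctq)}


def relay_modify(resp: dict) -> dict:
    """The attacker's phones in between: clear 'online PIN required', claim CDCVM done."""
    b1, b2 = resp["ctq"]
    ctq = bytes([b1 & ~CTQ_ONLINE_PIN_REQUIRED & 0xFF, b2 | CTQ_CDCVM_PERFORMED])
    return {"ctq": ctq, "sdad": resp["sdad"]}  # signature untouched: it did not cover CTQ


def terminal_decide(resp: dict, un: bytes, amount: int, currency: bytes,
                    expect_bound_ctq: bool = False) -> str:
    """Terminal: verify the signature, then select the CVM the CTQ asks for."""
    expected = sign_dynamic_data(un, amount, currency, resp["ctq"], expect_bound_ctq)
    if not hmac.compare_digest(expected, resp["sdad"]):
        return "decline: offline data authentication failed"
    b1, b2 = resp["ctq"]
    if b2 & CTQ_CDCVM_PERFORMED:
        return "approve: cardholder verified on consumer device"
    if b1 & CTQ_ONLINE_PIN_REQUIRED:
        return "online PIN required"
    return "approve: no CVM required"


if __name__ == "__main__":
    un, amount, currency = b"\xde\xad\xbe\xef", 20000, b"\x09\x78"  # constructed: EUR 200.00
    ctq = bytes([CTQ_ONLINE_PIN_REQUIRED, 0x00])  # high-value purchase: card asks for online PIN
    genuine = card_response(un, amount, currency, ctq)
    print("unmodified:", terminal_decide(genuine, un, amount, currency))
    print("relayed, CTQ unsigned:", terminal_decide(relay_modify(genuine), un, amount, currency))
    fixed = card_response(un, amount, currency, ctq, bind_ctq=True)
    print("relayed, CTQ signed:", terminal_decide(relay_modify(fixed), un, amount, currency, True))
```

The decline branch is as important as the binding: the 2011 CVM downgrade above worked because terminals went on to use a CVM list whose signature had already failed, and a terminal that ignores a failed signature check gains nothing from the card signing more data.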