ZDNet is reporting that "the body that oversees the technology behind chip-based payment cards is to investigate chip-and-PIN security, following claims that the protocol has been broken."
Chip-and-PIN flaw to be investigated by industry body Tom Espiner ZDNet UK
The specification body, EMVCo, said it will analyze a paper by researchers from Cambridge University, who demonstrated an attack with a valid payment card that did not require a valid PIN to be entered to complete a transaction.
EMVCo, owned by American Express, JCB, MasterCard and Visa, said those debit- and credit-card payment companies will also scrutinize the paper.
"EMVCo will conduct its own analysis and draw its own conclusions," said the organisation on Wednesday. "The payment systems will do the same."
Last week researchers from Cambridge University said they had found a fundamental flaw in EMV, the protocol behind chip-and-PIN payments. The flaw had allowed them to build a device that modified and intercepted communications between a card and a point-of-sale terminal, and fool the terminal into accepting that a PIN verification had succeeded.
MasterCard confirmed that it would be working with the other card-payment providers to review security around chip-and-PIN, but said this was part of an ongoing process.
"The EMV standard is under constant review by MasterCard and many other major industry players to make sure it evolves to meet emerging product needs," said MasterCard. "These efforts include a frequent and regular review of security to make sure the latest, practical mechanisms are used."
Professor Ross Anderson of Cambridge University, who led the chip-and-PIN research, said there would be no easy fix for the protocol.
"There is much disagreement about [effective] industry measures to fix the vulnerability," said Anderson. "If you look at our blog post [publicising the vulnerability], a significant number of people who claim to be industry experts disagree."
One of the researchers' assertions in their paper, Chip and PIN is Broken, was that the consumer would bear the cost of a fraudulent card transaction if records showed a PIN had been entered into a terminal.
Continue Reading at ZDNet
