Monday, August 1, 2011

Legacy Support Leaves Chip-And-PIN Vulnerable, Researcher Says

Black Hat talk will show that security and backwards compatibility are at odds in popular authentication technology

Jul 31, 2011 | 12:38 PM
By Robert Lemos, Contributing Writer 
Dark Reading


Vulnerabilities in the increasingly popular chip-and-PIN authentication technology used in credit cards could make it easy for attackers to steal data at the point of sale, a researcher says. At the Black Hat USA conference in Las Vegas this week, Andrea Barisani, chief security engineer for secure design consultancy Inverse Path, will join with colleagues to show how flaws in chip-and-PIN -- which is becoming a standard in Europe and Asia -- can be easily exploited.
Chip-and-PIN systems are designed to support legacy transactions -- including the transmission of the card's password or PIN in plain text, Barisani observes. As a result, it can be a trivial matter for an attacker to install a skimmer on a point-of-sale terminal and steal the credit card data.
Barisani says these flaws can be found in current and emerging credit card systems, including the EuroPay-Mastercard-Visa (EMV) system that is being implemented worldwide. While EMV supports three types of cards -- older magnetic stripe cards, current chip cards, and more secure chip cards -- skimmers can force transactions to use the least secure transaction method, he warns.
"EMV is broken," Barisani says. "In order to fix the problem, they will have to change the standard and break compatibility with older cards."