How to hack Chip and PIN systems

A Cambridge University report on chip and PIN systems

A group of security researchers has published a paper on the security of Chip and PIN systems. The researchers, from Cambridge University, have found various vulnerabilities in the Chip and PIN systems currently in use worldwide.

Earlier we published a report on how wireless PIN systems are vulnerable to hackers. The Chip and PIN system, also known as EMV, has two critical vulnerabilities which allow hackers to clone cards effectively.

The research claims that normal bank procedures won’t spot the fake cards. 

Earlier, the Cambridge University security researchers demonstrated how they hacked the most popular PIN entry devices (PEDs) in the United Kingdom using a paper clip, a needle and a small recording device.

This attack can capture the card’s PIN because UK banks have opted to issue cheaper cards that do not use asymmetric cryptography to encrypt data between the card and PED.

In 2010, Cambridge University published another vulnerability in chip and PIN systems:

The EMV specification stack is broken, and needs fixing.

The latest published vulnerability allows hackers to compromise the chip and PIN system. The flaw is in the random number generator, which is used by millions of users each day.

The payment terminal executes the EMV protocol with the chip, which exchanges selected transaction data sealed with a cryptographic message authentication code (MAC) calculated using a symmetric key stored in the card and shared with the bank which issued the card. The user is verified by using the PIN.
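
As an added illustration (not code from the paper or from any EMV implementation), the sketch below models the MAC-sealed exchange described above and an issuer-side check for terminals whose random numbers are predictable. It assumes the random number is a 4-byte terminal-supplied value included in the MACed data, uses HMAC-SHA256 as a stand-in for the card's MAC, and all function names, field choices, keys and log entries are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

def seal(card_key: bytes, amount: int, date: str, nonce: bytes, counter: int) -> bytes:
    """Card side: MAC over selected transaction data.
    HMAC-SHA256 truncated to 8 bytes stands in for the card's real MAC."""
    msg = b"|".join([str(amount).encode(), date.encode(), nonce, str(counter).encode()])
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

def issuer_verify(card_key, amount, date, nonce, counter, mac) -> bool:
    """Issuer side: recompute with the shared symmetric key, constant-time compare.
    A valid MAC shows the card sealed this data; freshness rests on the nonce."""
    return hmac.compare_digest(seal(card_key, amount, date, nonce, counter), mac)

def weak_nonce_terminals(log, min_samples=4):
    """Return terminal ids whose logged nonces repeat or advance by a fixed step."""
    per_terminal = defaultdict(list)
    for terminal_id, nonce in log:
        per_terminal[terminal_id].append(int.from_bytes(nonce, "big"))
    flagged = set()
    for terminal_id, values in per_terminal.items():
        if len(values) < min_samples:
            continue  # too few samples to judge this terminal
        steps = {(b - a) % 2**32 for a, b in zip(values, values[1:])}
        if len(set(values)) < len(values) or len(steps) == 1:
            flagged.add(terminal_id)
    return flagged

# Constructed sample log (not from the paper): one terminal with a counter-like
# "random" number, one whose values show no simple pattern.
SAMPLE_LOG = (
    [("T-COUNTER", (0x1000 + i).to_bytes(4, "big")) for i in range(6)]
    + [("T-RANDOM", bytes.fromhex(h)) for h in
       ("9f3a11c2", "04be77d0", "e1c95a3b", "5d02f8a6", "b7706e19", "2a4cd385")]
)

if __name__ == "__main__":
    key = bytes(16)  # constructed placeholder key
    nonce = SAMPLE_LOG[0][1]
    mac = seal(key, 2500, "20240115", nonce, 7)  # constructed amount, date, counter
    print("MAC verifies:", issuer_verify(key, 2500, "20240115", nonce, 7, mac))
    print("weak-nonce terminals:", weak_nonce_terminals(SAMPLE_LOG))
```

The MAC check alone passes for both terminals; only the second function shows that one terminal's random numbers give the issuer no real assurance of freshness.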

The security researchers have published their report on the Chip and PIN systems for the following reason:

We are now publishing the results of our research so that customers whose claims for refund have been wrongly denied have the evidence to pursue them, and so that the crypto, security and bank regulation communities can learn the lessons.
