Following high-profile breaches at large retailers and restaurant chains in the past 12 months, there is a push in the US to move to chip-equipped payment cards. For the past 10 years or so, the EMV payment system (Europay, Mastercard, Visa) has been the de facto payment system in Europe and is also widely used around the world.
To push widespread EMV use in the US, the card brands will shift liability in October 2015: any party that has not deployed the system will be held liable for fraudulent transactions.
Ross Anderson, a security engineering professor at Cambridge University with 25 years of experience in payment systems security, points out that the EMV specification suffers from regulatory and security issues, some of which have been exploited in real-world attacks. On Thursday, at the Black Hat security conference in Las Vegas, Anderson described two types of attacks that are possible against EMV implementations. He suggests that banks have tried to label these as impractical or too complex for cyber-criminals to carry out. The two examples are "preplay" and "no PIN".
The sophisticated EMV attacks that Anderson warns against are not commonly used by criminals today, since it is much easier to abuse EMV in countries where the system is not deployed, because cards are still designed to work with the existing payment terminals and ATMs there. However, with the authorities pushing to deploy EMV, these attacks become a real possibility.
In light of the better consumer protection offered in the US compared to Europe, it will be interesting to see whether US banks will try to shift liability to consumers for PIN-authorized EMV transactions. Anderson further explained that the EMV specification today is quite complex, so mistakes can be made in its implementation; he suggested that transactions will not necessarily be safer with EMV, as you can build a good or a bad system on EMV depending on how much attention you pay.
Zaichkowsky suggests that one technology with a better chance of stopping attackers is end-to-end encryption from the card reader to the payment processor's back-end systems. Similar suggestions have been made by other security experts for years, but adoption is slow, since it requires replacing POS terminals with new ones that support the technology. Zaichkowsky says that since many in the US will now have to replace their terminals to support EMV anyway, it would be better to choose terminals that offer data encryption at the reader.