Cambridge researcher demonstrates flaw in EMV on TV
Cambridge researcher Saar Drimer recently demonstrated in German TV how easy it is to bypass the PIN verification at an EMV POS-terminal (http://blog.br-online.de/report-muenchen/2010/09/03/neue-chips-im-visier-der-kreditkartenmafia.html). Saar equipped himself with a modified credit card having a cable linked to a computer in his backpack. He then makes a credit card transaction, where he enters the PIN ’0000′, and demonstrates how the transaction is approved even though the PIN was fake and the receipt tells the cafe-owner that transaction was approved. Saar together with Steven Murdoch and Ross Andersson some time ago released the report “Chip and PIN is Broken”, explaining a serious flaw in the EMV chip that enables an attacker to completely bypass the PIN-verification on the chip card, and was covered in an earlier post.
In the TV-report, Ross Andersson and Steven Murdoch further explain the complexity of EMV, indicating it’s to complex to be verified. Something one could consider would be to make it formally verifiable, which effectively would reduce the specification to few pages.
