Yes, it’s time to go hit your local university library again (or just join the Association for Computing Machinery) to see a great article from Anderson & Murdoch titled “Inside Risks EMV: Why Payment Systems Fail.” For those of us in the US who are now on the cusp of a wide-scale EMV rollout, there are still many questions that need to be answered. Drs. Anderson and Murdoch do a great job of summarizing the issues that we will face here in the US, including some of the attacks that were common in other implementations of EMV.
Turns out, the French may be the best experts at cracking this thing.
EMV tokens make an appearance in the article, but there is not much detail on what they are or how they work. You can find out more here.
A couple of key notes:
- Our version of EMV here in the US is a hybrid between Singapore and the UK.
- There are still questions on how PIN will work (does it ride debit rails? What about credit with PIN?).
- Counterfeit terminals may be the biggest issue for fraud by forcing chip cards through the magstripe reader.
- Offline PIN verification remains a significant weakness in the system.
- Fraud losses with EMV are higher than I thought, demonstrating it’s not the golden ticket to safety that Target has based their PR blitz on.