EMV(Europay, MasterCard, Visa) is the standard with the pin and chip technology which the US has finally moved to on October 1st of this year.
Since EMV history and about https://www.emvco.com/about_emv.aspx
So it is good that we have gotten up to speed from our days of just mag stripe and pin number. But since the standard has been here since the early 2000’s and in place in Europe for a while now, it should not be a surprise that a criminal found a way to hack the standard:
http://eprint.iacr.org/2015/963.pdf is the paper by Houda Ferradi, Rémi Géraud, David Naccache, and Assia Tria
Which describe an attack using a MITM (Man In The Middle) attack on the EMV transaction:
A typical EMV transaction breaks down into three phases:
(1) card authentication,
(2) cardholder verification and
this special chip (hobbyist chip) built to make the attack happen.
The FUN chip was built and placed on top of a stolen credit card.
What happened was that the FUN chip was able to inject enough information (a ‘new’ PIN# and maybe other banking info) to steal money from banks and/or certain individuals.
They stole a bit under €600,000 with 40 cards.
My first thoughts were that this is yet another example of a sophisticated criminal attack. This type of attack was “fixed” by the banks and software companies in Europe, but I can see a much more sophisticated execution stealing more money and creating a big problem in the US.
What does it mean to liabilities for fraud in this scale? Who is at fault? Yes one can put the criminals behind bars, but what if this is a bit more grey…
We have to have methods to understand what is happening in our transactions quickly so an investigation can shut a new attack down…
Just because we have Pin and Chip does not mean we are now safe.