With identity theft fast becoming one of the most common crimes in the U.S., major lenders and banks are pushing to adopt the same EMV anti-fraud technology that’s been used widely overseas over the last decade. Unlike the typical magnetic stripe cards we’re used to in the U.S., EMV-enabled cards are authenticated using an encrypted chip and PIN that can’t be easily cloned or copied by run-of-the-mill card skimmers or scanners.
Until now, EMV seemed pretty invincible. But a team of researchers from the UK says it has discovered a vital flaw in EMV-supported ATMs that proves otherwise.
“A team of other researchers at Cambridge launched their research more than nine months ago, when they first began hearing from European bank card users who said they’d been victimized by fraud — even though they had not shared their PIN with anyone. The victims’ banks refused to reimburse the losses, arguing that the EMV technology made the claimed fraud impossible. But the researchers suspected that fraudsters had discovered a method of predicting the supposedly unpredictable number implementation used by specific point-of-sale devices or ATM models.”
When they studied physical bank ATMs, the team found the machines used fairly simple codes in order to authenticate the cards. All fraudsters would have to do is guess the code––using malware or some other code-generating device––and they could essentially gain access to the card without it ever leaving its owner’s wallet.
What’s more, the study’s authors say that even if the problems with the algorithms used by ATMs are patched, “a number of powerful attack variants may make pre-play attacks viable for years to come.”
For now, the study will at least give customers some clout when they petition their banks for refunds––and hopefully give bank regulators in the U.S. something to ponder before they go really heavy on EMV implementation.