It has now been two weeks since we published our paper “Chip and PIN is broken”. In it, we presented the no-PIN attack, which allows criminals to use a stolen Chip and PIN card without having to know its PIN. The paper has triggered a considerable amount of discussion, on Light Blue Touchpaper, Finextra, and elsewhere.
One of the topics which has come up is the effect of the no-PIN vulnerability on the consideration of evidence in disputed card transactions. Importantly, we showed that a merchant till-receipt which shows “PIN verified” cannot be relied upon, because this message will appear should the attack we presented be executed, even though the wrong PIN was entered.
On this point, the spokesperson for the banking trade body, the UK Cards Association (formerly known as APACS) stated:
“Finally the issuer would not review a suspected fraud involving a PIN and make a decision based on the customer’s paper receipt stating that the transaction was “PIN verified”, as suggested by Cambridge.”
Unfortunately, card issuers do precisely this, as shown in a recent dispute over £9,500 worth of point-of-sale transactions, between American Express and a customer. In their letter to the Financial Ombudsman Service, American Express presented the till receipt as the sole evidence that the PIN was correctly entered:
“We also requested at the time of this claim, supporting documents from [the merchant] and were provided a copy of the till receipts confirming these charges were verified with the PIN.”
Requests to American Express for the audit logs that include the CVR (card verification results), which would have shown whether or not the no-PIN attack had been used, were denied. The ombudsman nevertheless decided against the customer.
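To make the evidential point concrete, here is an added example (my own illustration, not code from the paper or from any issuer): it decodes the terminal's CVM Results (EMV tag 9F34), derives the wording a receipt would print from that terminal-side view alone, and then reconciles it with the card's own record. The card-side flag is the "offline PIN verification performed" indicator from the CVR inside the Issuer Application Data (tag 9F10); its bit layout is issuer-specific, so the example assumes the caller has already decoded it to a boolean. The constructed terminal record 41 03 02 (plaintext PIN verified by the card, successful) is identical for a genuine PIN entry and for a no-PIN transaction, which is why only the CVR separates the two.

```python
from dataclasses import dataclass
from typing import Optional
# EMV tag 9F34 (CVM Results), byte 1 bits 6..1: the CVM the terminal performed
CVM_CODES = {
    0x00: "fail CVM processing",
    0x01: "plaintext PIN verified by ICC",
    0x02: "enciphered PIN verified online",
    0x03: "plaintext PIN by ICC and signature",
    0x04: "enciphered PIN verified by ICC",
    0x05: "enciphered PIN by ICC and signature",
    0x1E: "signature (paper)",
    0x1F: "no CVM required",
}
OFFLINE_PIN = {0x01, 0x03, 0x04, 0x05}  # CVMs where the card itself checks the PIN
SUCCESSFUL = 0x02  # byte 3 of 9F34: 00 unknown, 01 failed, 02 successful

@dataclass
class CvmResults:
    code: int
    condition: int
    result: int

def decode_cvm_results(tag_9f34: bytes) -> CvmResults:
    """Decode the terminal's 3-byte CVM Results (tag 9F34)."""
    if len(tag_9f34) != 3:
        raise ValueError("9F34 must be exactly 3 bytes")
    return CvmResults(tag_9f34[0] & 0x3F, tag_9f34[1], tag_9f34[2])

def receipt_label(cvm: CvmResults) -> str:
    """The wording a till receipt derives from the terminal's view alone."""
    if cvm.code in OFFLINE_PIN and cvm.result == SUCCESSFUL:
        return "PIN verified"
    if cvm.code == 0x02 and cvm.result == SUCCESSFUL:
        return "PIN verified (online)"
    return CVM_CODES.get(cvm.code, "unknown CVM")

def reconcile(cvm: CvmResults, card_offline_pin_performed: Optional[bool]) -> str:
    """Check the receipt claim against the card's record. The flag is the
    'offline PIN verification performed' bit of the issuer's CVR (in tag 9F10);
    its position is issuer-specific, so decoding it is assumed done by the caller."""
    if cvm.code in OFFLINE_PIN and cvm.result == SUCCESSFUL:
        if card_offline_pin_performed is None:
            return "unverifiable: card CVR absent from audit log"
        if card_offline_pin_performed:
            return "consistent: card confirms offline PIN verification"
        return "INCONSISTENT: terminal claims offline PIN success, card performed none"
    if cvm.code == 0x02:
        return "online PIN: card CVR cannot corroborate, check issuer host log"
    return "no PIN claimed: nothing to corroborate"
```

Note that for online PIN (CVM code 02) the card never sees the PIN, so the CVR cannot corroborate the receipt either way and the issuer host log is the relevant record.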
The issue of evidence in disputed transaction cases is complex, and wider than questions raised by just the no-PIN attack. To help bring some clarity, I wrote an article, “Reliability of Chip & PIN evidence in banking disputes”, for the 2009 issue of the Digital Evidence and Electronic Signature Law Review, a law journal. This article was written for a legal audience, but would also be suitable for other non-technical readers. It is now available online (PDF 221 kB).
In this article, I give an introduction to payment card security, both Chip & PIN and its predecessors. It then gives a high-level description of the EMV protocol which underlies Chip & PIN, with an emphasis on the evidence it generates. A summary of various payment card security vulnerabilities is given, and how their exploitation might be detected. Finally, I discuss methods for collecting and analyzing evidence, along with difficulties currently faced by customers disputing transactions.
Is there any way for me as an end-user to know whether my cards are vulnerable to the no-PIN attack? I am using a MC credit card and a VISA Electron debit card from HSBC in Brazil. The former allows signature verification, but this usually only happens in terminals that have no chip reader.
@Han-Wen
It varies country to country, and there’s no way to know for sure except trying the attack out on the live system and seeing whether it works. I don’t know what the situation is in Brazil.
Hi, how about if we do the opposite? Well, I am writing a new paper and suggesting that, by using a mobile phone, we let the customer read from the merchant POS (instead of the current situation where the POS reads the customer card information); then the payment process goes to the customer's bank via the mobile phone network; if the payment is approved, the customer's bank will deposit the money to the merchant's bank account, and then the merchant's bank informs the merchant via the POS network. In this way we avoid keeping customer information on the merchant's internal POS network/server. How is it? Please send me an email with any new ideas.