Chip and PIN is Broken

Presentation accompanying the paper "Chip and PIN is broken", appearing at the 2010 IEEE Symposium on Security & Privacy (Oakland). See http://www.cl.cam.ac.uk/~sjm217/papers/#pub-oakland10chipbroken for more details.
Steven Murdoch

EMV
Smart card based payments
Credit and Debit
Point-of-sale and ATM
Makes card cloning harder
Allows PIN-based authentication, even for offline transactions
EMV is deployed or in planning in most countries
except the US, but vendors are working hard to change this
online banking
card-not-present
checks
False applications
Security
does not affect
Lost and stolen
down 53% to £54.1m
Mail non receipt
down 86% to £10.2m
Counterfeit
up 31% to £169m
card not present
False applications
online banking
checks
up 330% to £52.5m
up 118% to £328.4m
down 9% to £41.9m
up 28% to £47.4m
Effect on fraud
Total fraud in the UK
dip in 2005—2006,
but up 25% to £704.3m
card authentication
cardholder verification
transaction authorization
Card to Terminal: card details, digital signature
Terminal to Card: PIN as entered by customer 
Card to Terminal: PIN correct (yes/no)
Terminal to Card: description of transaction
Card to Terminal: MAC over transaction and other details
customer enters PIN
MAC and transaction sent to bank for verification
Bank to Terminal: transaction authorized (yes/no)
online transaction authorization
A simplified EMV transaction
amount, currency, date, nonce, TVR, etc 
did PIN verification fail?
was PIN required and not entered?
...

What went wrong?
If the PIN is not required by the terminal, the TVR is all zeros
If the PIN is entered correctly, the TVR is still all zeros 
A man-in-the-middle tells the card that the PIN was not required
and the terminal that the PIN was correct
Now the criminal can use a stolen card,
give the wrong PIN to the terminal
and still have the transaction succeed
MAC and transaction sent to bank for verification
Terminal to MitM: PIN as entered by criminal
How the attack works
Card to Terminal: MAC over transaction and other details
transaction authorization
did PIN verification fail?
was PIN required and not entered?
...

Bank to Terminal: transaction authorized (yes/no)
MitM to Terminal: PIN correct
card authentication
amount, currency, date, nonce, TVR, etc 
criminal enters 0000
Card to Terminal: card details, digital signature
online transaction authorization
Terminal to Card: description of transaction
cardholder verification
card authentication
Messages relayed without modification
cardholder verification
transaction authorization
Messages relayed without modification
0000
yes!
Card: No (not required)
Terminal: No (was entered)
The EMV protocol and its flaws
They were wrong
Used on 750m cards, billions of pounds, euros, dollars
Banks claim EMV is infallible, so victims do not get their money back
Many customers claim that their card has been stolen and used
BBC Newsnight, February 2010
EuroPay
MasterCard
Visa
Steven J. Murdoch, Saar Drimer, Ross Anderson, Mike Bond
Responses
"When a card company receives a claim about a fraudulent transaction from a customer, they will always rely on primary evidence to review the facts of the case and would never use a paper receipt (which in fact they could only see if the customer provided the copy) for evidence as suggested."
WRONG
"The industry is confident that the forensic signature of such an attack is easily detectable within the data available at the time of the transaction."
WRONG
0x08 = PIN entry required, PIN pad present, but PIN was not entered 
In addition to the TVR, the card produces a CVR (card verification results) and the terminal may optionally produce a CVMR (cardholder verification method result)
In our attack, the CVR will not match the CVMR
We hear that the industry are working on a defence based on comparing the CVR and CVMR, but it is not quite that simple:
Sometimes the CVMR is not produced by the terminal (it is optional)
Sometimes it is produced but wrong (it has not been considered useful, until now)
Sometimes it is produced but dropped or corrupted on the way back
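
An added example, not from the original presentation: an issuer-side comparison of the card's view (CVR) with the terminal's view (CVMR) that also accounts for a missing or damaged CVMR. It assumes the card's "offline PIN verified" flag has already been decoded from the scheme-specific CVR; the function names and sample records are hypothetical.

```python
from enum import Enum
from typing import Optional

class Verdict(Enum):
    CONSISTENT = "consistent"
    MISMATCH = "mismatch"        # terminal reports offline PIN success, card reports none
    UNDECIDABLE = "undecidable"  # CVMR absent or malformed: comparison impossible

# EMV CVM Results (tag 9F34): byte 1 = CVM performed, byte 3 = outcome.
# Low six bits of byte 1 for the CVMs where the card itself checks the PIN.
OFFLINE_PIN_CVMS = {0x01, 0x03, 0x04, 0x05}
CVM_UNKNOWN, CVM_FAILED, CVM_SUCCESSFUL = 0x00, 0x01, 0x02

def check_pin_consistency(card_pin_verified: bool, cvmr: Optional[bytes]) -> Verdict:
    """Compare the card's view (decoded from the CVR) with the terminal's CVMR."""
    if cvmr is None or len(cvmr) != 3:
        return Verdict.UNDECIDABLE   # optional field not sent, or truncated in transit
    if cvmr[2] not in (CVM_UNKNOWN, CVM_FAILED, CVM_SUCCESSFUL):
        return Verdict.UNDECIDABLE   # corrupted outcome byte
    method = cvmr[0] & 0x3F          # mask off the "apply next CVM" flag bit
    terminal_pin_ok = method in OFFLINE_PIN_CVMS and cvmr[2] == CVM_SUCCESSFUL
    if terminal_pin_ok and not card_pin_verified:
        return Verdict.MISMATCH      # the pattern the attack leaves behind
    return Verdict.CONSISTENT

def triage(records):
    """Count verdicts over (card_pin_verified, cvmr) pairs."""
    counts = {v: 0 for v in Verdict}
    for card_pin_verified, cvmr in records:
        counts[check_pin_consistency(card_pin_verified, cvmr)] += 1
    return counts

# Constructed sample records, not real transaction data.
SAMPLES = [
    (True,  bytes.fromhex("410302")),  # genuine: both sides agree the PIN was verified
    (False, bytes.fromhex("410302")),  # terminal saw "PIN correct", card saw no PIN
    (False, bytes.fromhex("1e0302")),  # signature transaction, no PIN on either side
    (False, None),                     # terminal did not produce a CVMR
    (False, bytes.fromhex("4103")),    # CVMR truncated on the way back
]

if __name__ == "__main__":
    for verdict, n in triage(SAMPLES).items():
        print(f"{verdict.value}: {n}")
```

A CVMR that is well-formed but wrong cannot be told apart from a genuine one by this check, and every undecidable record still needs a policy decision from the issuer.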
How is ATM fraud happening
Card: No (not attempted)
Terminal: No (verification succeeded)
44% according to latest figures
Data from APACS (2009)
"Neither the banking industry nor the police have any evidence of criminals having the capability to deploy such sophisticated attacks. Our research suggests that criminal interest in chip-based attacks is minimal at this time as they are unable to find ways to make sufficient amounts of money from any of the plausible attack scenarios."
WRONG
