A bit OT: For our European friends

Date: Thu, 11 Feb 2010 18:29:12 -0500
From: David Magda <dmagda@ee.ryerson.ca>
Subject: EMV busted

Seems that the EMV standard has been compromised:

> “Chip and PIN is fundamentally broken,” Professor Ross Anderson of
> Cambridge University told ZDNet UK. “Banks and merchants rely on the words
> ‘Verified by PIN’ on receipts, but they don’t mean anything.”

http://news.zdnet.co.uk/security/0,1000000189,40022674,00.htm

More reports:

http://resources.zdnet.co.uk/articles/0,1000001991,40022669,00.htm
http://www.telegraph.co.uk/science/science-news/7215920/
http://www.physorg.com/news185118205.html

Anderson’s paper is available:

http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/

EMV is often called “Chip and PIN”, as well as “Chip Card” in Canada.

Some financial institutions put a lot of stock in the security of this:

> You are responsible for the full amount of all authorized activity or
> other Transactions resulting from use of the Card or Connect ID and PIN or
> Password by any person, including any entry error or fraudulent or
> worthless deposit at an ABM or other machine. You are responsible for the
> full amount of all unauthorized activity or other Transactions which occur
> before we receive notification that your PIN, Password or Card was lost or
> stolen or that your Connect ID, PIN or Password may have become known to
> an unauthorized person. On receiving such notice from you we will block
> the Card’s, PIN’s or Connect ID’s ability to access our services and/or
> the use of a Card or the Account.

https://www.tdcanadatrust.com/tdvisa/pdf/select.pdf (column 9)

In many cases, the banks’ (now no longer trust-worthy) logs are the
definitive record:

> Our records will be conclusive proof of use of a Card or the Account or
> electronic services and will be considered your written request to perform
> the Transaction. Even though you may be provided with a Transaction
> receipt, verification or confirmation number, or interim statement by or
> through an ABM or other machine, the following applies to all Transactions
> or other activity on the Account:

> * our acceptance, count and verification of Transactions or deposits
> will be considered correct and binding unless there is an obvious error
> […]

(Ibid.)

Some are a bit more reasonable, but if your card has been cloned (and put
back in your wallet/purse), you may not notice the problem until too late:

> If someone uses your Visa Card and your PIN or your Visa Account number
> with any other security code to make unauthorized purchases or otherwise
> obtain the benefits of your Visa Card, you will not be responsible for
> those charges provided that you (i) are able to establish to our
> reasonable satisfaction that you have taken reasonable steps to protect
> your Visa Card […] and (ii) cooperate fully with our
> investigation. […]

> You are not responsible for unauthorized use of your Visa Card or your
> Visa Account number in transactions in which neither a PIN nor a security
> code is used as the cardholder verification method.

http://www.rbcroyalbank.com/cards/documentation/pdf/ch-agreement.pdf

This does not belong in Applications. Moving it to General Chit-Chat

Not compromised; it was always like that. Just that the crooks apparently didn’t find out.

In practice, Internet fraud has been a bigger problem and my card provider now uses two different types of secondary check on Internet transactions which has dramatically reduced Internet fraud.