Picture this: A guy walks into a London pub, orders a pint of bitter and slaps down his Visa card for payment. The bloke on the barstool next to him casually passes his smartphone over the guy’s plastic and walks out.
That’ll leave a harsh taste: The guy at the bar just had his pocket picked electronically via the card’s embedded microchip, for a potential $1 million payout.
Impossible? Get out your tin foil caps, amigos; we’re taking a trip to Tech Town, courtesy of reportage from Wired.
Researchers at Newcastle University in the UK recently discovered a new and alarming vulnerability in the EMV chip system developed by Europay, MasterCard and Visa. Their study, “Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards Without the PIN,” was presented at this month’s ACM Conference on Computer and Communications Security in Scottsdale, Arizona.
The news could prove unsettling, not only because EMV card use is pretty much ubiquitous everywhere but here in mag-stripe land, but also because the critical flaw — foreign currency purchases — had heretofore been considered a marketing strength of cards in general and chip-and-PIN in particular.
Here’s how it works (or rather, doesn’t): British EMV cards that don’t require contact with a card reader are allowed to make contactless purchases of up to $32 via phone without a PIN. Because these transactions are carried out offline, they avoid any bothersome additional security checks by, say, a banking system.
But when a contactless chip card purchase is made involving a foreign currency, the system bypasses the $32 limit and allows PIN-less purchases of up to $1 million in any foreign currency.
“All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions,” lead researcher Martin Emms said in a statement about the findings. “By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction. In our tests, it took less than a second for the transaction to be approved. This lends itself to multiple attackers across the world collecting small transactions of perhaps 200 pounds ($320) at a time for a central rogue merchant who could be located anywhere in the world.”
I guess that last bit was for any card hackers out there unable to connect the dots.
Anyway, the timing of the Newcastle findings throws an ill-tempered pint of bitter over the ongoing U.S. rollout of EMV cards. Frustrated by merchant entrenchment against laying out for expensive point-of-sale adjustments to accommodate chip cards, the major card processing networks (American Express, Discover, MasterCard and Visa) have drawn Oct. 1, 2015, as their line in the sand, after which card-present fraud liability will shift to whichever party is least EMV-compliant in a suspect transaction.
Here’s hoping the seven-digit Newcastle glitch will be nothing but a faded memory by then.