Researchers at the University of Cambridge this week revealed that they had identified a troubling defect in the propagation of one-off chip and PIN verification codes for EMV transactions. The flaw makes it possible for thieves to predict the next code that will be created by an ATM or POS terminal and essentially skim the smart card.
When an EMV-enabled card is used, a supposed "unpredictable number" is created to authenticate the transaction. However, an Information Age report said, when researchers tested chip cards at ATM terminals, they discovered that numbers issued by some terminals followed a pattern that could be identified and used to falsify transactions.
Visiting professor Mike Bond discovered the problem while reviewing a list of UNs that had been generated by an ATM in an apparent case of fraud. He and fellow researchers then tested a number of ATMs and found that some had faulty number generators.
"If you can predict [a UN], you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location," Bond told Information Age. "You can as good as clone the chip."
Thieves can exploit this weakness either by locating a predictable number-generating device, or by installing malware on the device using a specially programmed chip card. The research have called for regulators to step up their efforts and not take processing companies' security claims for granted the article said.
For more on this topic, visit the EMV research center.