
Chip & PIN is definitely Broken

Disclosure Number: IPCOM000244621D
Original Publication Date: 2011-Jan-01
Included in the Prior Art Database: 2015-Dec-30
Document File: 44 page(s) / 2M

This document investigates the use of card skimmers for EMV.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 16% of the total text.

Page 01 of 44

Chip & PIN is definitely broken

Credit Card skimming and PIN harvesting in an EMV world

Andrea Barisani

Daniele Bianco

Adam Laurie

Zac Franken

Copyright 2011 Inverse Path S.r.l.

Chip & PIN is definitely broken - v1.4

Page 02 of 44

What is EMV?

EMV stands for Europay, MasterCard and VISA, the global standard for inter-operation of integrated circuit cards (IC cards or "chip cards") and IC card capable point of sale (POS) terminals and automated teller machines (ATMs), for authenticating credit and debit card transactions.

IC card systems based on EMV are being phased in across the world, under names such as "IC Credit" and "Chip and PIN".

Source: Wikipedia


Page 03 of 44

Why EMV?

ICC / smartcard

improved security over existing magnetic stripe technology

"offline" card verification and transaction approval

multiple applications on one card


Page 04 of 44

Liability shift

liability shifts away from the merchant to the bank in most cases (though if the merchant does not roll out EMV, liability explicitly shifts to the merchant)

however, cardholders are assumed to be liable unless they can unquestionably prove that they were not present for the transaction, did not authorize the transaction, and did not inadvertently assist the transaction through PIN disclosure

PIN verification, with the help of EMV, increasingly becomes "proof" of cardholder presence


Page 05 of 44

Liability shift

VISA Zero Liability fine print (US):

Does not apply to ATM transactions, PIN transactions not processed by Visa, or certain commercial card transactions. Individual provisional credit amounts are provided on a provisional basis and may be withheld, delayed, limited, or rescinded by your issuer based on factors such as gross negligence or fraud, delay in reporting unauthorized use, investigation and verification of claim and account standing and history. You must notify your financial institution immediately of any unauthorized use. Transaction at issue must be posted to your account before provisional credit may be issued. For specific restrictions, limitations and other details, please consult your issuer.


Page 06 of 44

Liability shift

Canadian Imperial Bank of Commerce (CIBC) spokesman Rob McLeod said in relation to a $81,276 fraud case: "our records show that this was a chip-and-PIN transaction. This means [the customer's] personal card and personal PIN number were used in carrying out this transaction. As a result, [the customer] is liable for the transaction."

The Globe and Mail, 14 Jun 2011
