Practical EMV PIN interception and fraud detection

Presented at 31C3 (2014), Dec. 27, 2014, 4 p.m. (60 minutes)

This talks follows our previous EMV research uncovering new findings as well as a detailed analysis of Chip & PIN fraud markers in order to benefit cardholders, as well as issuing banks, in preventing wrongful liability for fraudulent charges. The EMV global standard for electronic payments is widely used for inter-operation between chip equipped credit/debit cards, Point of Sales devices and ATMs. In 2011, our "Chip & PIN is definitely broken" presentation uncovered an EMV design flaw that, by means of chip skimmers, allows for arbitrary PIN harvesting. Since then, by consulting on EMV implementations and their behaviour under effective attacks, Inverse Path has assisted issuing banks, as well as cardholders, with successful resolution of cases involving wrongful liability for fraudulent charges. Our updated research effort identifies and verifies new interactions between previous EMV attacks, which even further affect the protection, or lack of, that EMV provides for the PIN. This presentation aims to fully empower both cardholders and issuers with an understanding of all applicable attacks, while also illustrating the relevant EMV fraud detection markers. Such information is vital to enable cardholders to request the correct and relevant information necessary to claim fraudulent charges and to enable issuers and processors to prevent fraud in the first place.

Presenters:

• Andrea Barisani
  Andrea Barisani is the founder of the security consulting firm Inverse Path and the founder and project coordinator of the Open Source Computer Security Incident Response Team (oCERT) effort. Andrea Barisani is an internationally known security researcher. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick...and break. His experiences focus on large-scale infrastructure administration and defense, forensic analysis, penetration testing and software development, with more than 14 years of professional experience in security consulting. Being an active member of the international Open Source and security community he contributed to several projects, books and open standards. He is now the founder and coordinator of the oCERT effort, the Open Source Computer Security Incident Response Team. He has been a speaker and trainer at BlackHat, CanSecWest, DEFCON, Hack In The Box, PacSec conferences among many others, speaking about TEMPEST attacks, SatNav hacking, 0-days, OS hardening and many other topics.

Links:

• https://fahrplan.events.ccc.de/congress/2014/Fahrplan/events/6120.html

Similar Presentations:

• DEF CON 29 (2021) / PINATA: PIN Automatic Try Attack
• DEF CON 19 (2011) / Chip & PIN is Definitely Broken
• Black Hat USA 2011 / Chip & PIN is definitely broken