A group of researchers from Cambridge University have discovered critical flaws in chip-and-pin payment card security that can be misused to clone cards.

The researchers published a paper titled ‘Chip and Skim: Cloning EMV Cards with the Pre-Play Attack’, which shows that Europay, MasterCard, Visa (EMV) chip cards are vulnerable to an attack called the "pre-play" attack.

The paper shows that current chip-and-PIN cards without biometric protection can be used without knowing the correct PIN, and that card details can be intercepted as a result of flawed tamper protection.

The Cambridge team also said that it is possible to create cloned EMV chip cards which normal bank procedures will not be able to distinguish from the real card.

The second issue that they have discovered is a protocol failure that would allow malware in an ATM or POS terminal, or a man-in-the-middle between the terminal and the acquirer, to carry out the pre-play attack, just by replacing the randomly generated number with one chosen by the attacker.

These flaws were discovered over two years ago, and banking industry organizations were informed in early 2012. In the meantime, only the first flaw has been addressed.
