The body that oversees the technology behind chip-based payment cards is to investigate chip-and-PIN security, following claims that the protocol has been broken.
The specification body, EMVCo, said it will analyse a paper by researchers from Cambridge University, who demonstrated an attack with a valid payment card that did not require a valid PIN to be entered to complete a transaction.
EMVCo, owned by American Express, JCB, MasterCard and Visa, said those debit- and credit-card payment companies will also scrutinise the paper.
"EMVCo will conduct its own analysis and draw its own conclusions," said the organisation on Wednesday. "The payment systems will do the same."
Last week researchers from Cambridge University said they had found a fundamental flaw in EMV, the protocol behind chip-and-PIN payments. The flaw had allowed them to build a device that modified and intercepted communications between a card and a point-of-sale terminal, and fool the terminal into accepting that a PIN verification had succeeded.
MasterCard confirmed that it would be working with the other card-payment providers to review security around chip-and-PIN, but said this was part of an ongoing process.
"The EMV standard is under constant review by MasterCard and many other major industry players to make sure it evolves to meet emerging product needs," said MasterCard. "These efforts include a frequent and regular review of security to make sure the latest, practical mechanisms are used."
Professor Ross Anderson of Cambridge University, who led the chip-and-PIN research, said there would be no easy fix for the protocol.
"There is much disagreement about [effective] industry measures to fix the vulnerability," said Anderson. "If you look at our blog post [publicising the vulnerability], a significant number of people who claim to be industry experts disagree."
One of the researchers' assertions in their paper, Chip and PIN is Broken, was that the consumer would bear the cost of a fraudulent card transaction if records showed a PIN had been entered into a terminal.
However, UK Payments Administration, which acts in an advisory capacity to card-payment providers, argued that the attack was detectable, and said it would therefore be possible to establish whether the consumer was liable or if fraud had occurred.
"The forensic signature of the attack can be seen if one examines three data elements present in both an authorisation request and in the subsequent settlement record received by the card issuer," the organisation said.
In the attack outlined by the researchers — known as a 'wedge attack' — the terminal is duped by a device inserted into the middle of the payment-verification process. As a result, the terminal believes a PIN has been verified by the card. However, the terminal will not record that a valid PIN was entered, only that a PIN was not needed, and the transaction becomes classed as an offline or signature verification. In that case, liability for the loss would not rest on the customer, UK Payments said.
In response to UK Payments's comments, Anderson said that, in practice, banks would still argue customers were liable. He pointed to a legal dispute between Halifax customer Alain Job and his bank, in which Job claimed Halifax destroyed records of authenticated data in disputed transactions.
Anderson said that in the scenario put forward by UK Payments, the fraud was detectable only after the fact and not during the process. He added that systems for detecting that fraud did not appear to be automatic, putting the onus on the customer to request a forensic examination of their transactions if they suspected fraud had taken place.
In the case of the Cambridge research, in which one of the team used his own Halifax bank card to make a transaction without a PIN, that researcher had not been alerted to the transaction by his bank, according to Anderson.
"The point is, the fraud hasn't been detected," Anderson said. "Halifax was one of the cards we wedged, and the bank still hasn't picked up the fact of those transactions."
Anderson said it is possible for banks to write software that would stop the attack described by his research team. It would be necessary to compare the different parts of the transaction process to see whether the means of authentication was robust, he added.
Talkback
I am watching this story unfold with interest. This is probably as devestating as if PayPal were to (** note hypothetical) announce that their system has had a fatal programming flaw all along.