Last month I explained why I don’t like credit card chip and PIN technology, which is all the rage in Europe and which many consumers in the U.S. are anxious to get their hands on, either because it will help them at unmanned kiosks across the Pond or because the cards are just so darned cool.
Today Bruce Schneier notes the security vulnerabilities.
You see, an EMV payment card authenticates itself with a MAC of transaction data, for which the freshly generated component is the unpredictable number (UN). If you can predict it, you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location. You can as good as clone the chip. It’s called a “pre-play” attack. Just like most vulnerabilities we find these days, some in industry already knew about it but covered it up; we have indications the crooks know about this too, and we believe it explains a good portion of the unsolved phantom withdrawal cases reported to us for which we had until recently no explanation.
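A defender-side check for the weakness described above, as an added example that is not from the original post or the quoted research: it audits the unpredictable numbers one terminal has issued, as pulled from transaction logs, for signs that the next value could be guessed. The function name, thresholds and log values are constructed assumptions; the UN is treated as a 4-byte field written as 8 hex digits.

```python
from collections import Counter

MIN_SAMPLES = 8       # assumed minimum before any judgement is made
MIN_VARYING_BITS = 24 # assumed floor; a healthy 32-bit RNG varies nearly all bits
MAX_STRIDE_SHARE = 0.5

def audit_unpredictable_numbers(uns_hex):
    """Return findings for one terminal's UN sequence (oldest first).

    An empty list means none of the simple predictability signs were seen;
    it does not prove the generator is cryptographically strong.
    """
    uns = [int(u, 16) for u in uns_hex]
    if len(uns) < MIN_SAMPLES:
        return ["too-few-samples"]
    findings = []

    # 1. Repeats: a random 32-bit value should not recur in a small sample.
    if len(set(uns)) < len(uns):
        findings.append("repeated-values")

    # 2. Constant stride: a counter or clock shows up as one dominant
    #    difference between consecutive values (computed modulo 2**32).
    deltas = [(b - a) % 2**32 for a, b in zip(uns, uns[1:])]
    stride, hits = Counter(deltas).most_common(1)[0]
    if hits / len(deltas) >= MAX_STRIDE_SHARE:
        findings.append(f"constant-stride:{stride}")

    # 3. Stuck bits: count bit positions that ever differ from the first
    #    sample. Few varying bits means a small space to guess from.
    varying = 0
    for u in uns:
        varying |= u ^ uns[0]
    free_bits = bin(varying).count("1")
    if free_bits < MIN_VARYING_BITS:
        findings.append(f"only-{free_bits}-bits-vary")
    return findings

# Constructed sample logs: one terminal that counts, one that looks random.
COUNTER_TERMINAL = ["0001A3F0", "0001A3F1", "0001A3F2", "0001A3F3",
                    "0001A3F4", "0001A3F5", "0001A3F6", "0001A3F7"]
RANDOM_TERMINAL = ["3C91E07A", "5B2D44E9", "C36E1F85", "A7F03316",
                   "0E68C9D2", "F14A7B03", "6982D5BC", "D2173E41"]

if __name__ == "__main__":
    for name, log in (("counter", COUNTER_TERMINAL), ("random", RANDOM_TERMINAL)):
        print(name, audit_unpredictable_numbers(log) or "no findings")
```

A terminal that returns any finding here is one whose UNs deserve a closer look by the acquirer or the terminal vendor.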
For those so inclined, I list four cards you can get as chip and PIN. They’re not great otherwise, however.
In my own case, I have a Diners Club card which is now chip and PIN. But they aren’t currently taking applications for new cardmembers.