EMV Chip “Flaw” Misunderstanding

As someone who has looked deeply into chip card technology, I found myself a little annoyed at the recent articles that a “flaw” in EMV chip cards had been demonstrated at a recent hackers conference in Las Vegas.

Alleged EMV Flaw Stirs Debate

Despite what some news outlets reported, the hackers only demonstrated that they could hack one brand of card reader and in some cases intercept unencrypted card data.

Stay away from magnetic stripes!

The demonstration does show that if a store card reader has been compromised, your data can still be at risk.  The most common attacks try to get you to “fall back” from using the chip and swiping the card instead.

If you ever insert your chip card into a reader and it asks you to swipe the card instead, the reader may have been hacked.   Better to just pay with cash if you can.

Watch for fake pin entry screens

Another hack that was demonstrated was the ability to show a fake debit card pin entry screen on a compromised store card reader.

They managed to add an extra screen in the payment flow that asked a customer to re-enter their pin # a second time.  Most people they asked to try it assumed they had mistyped their pin the first time and re-entered the data in the fake screen.

This hack might be difficult to spot since we all mistype our pin codes occasionally. 

Might be better to ask the clerk to start over instead of using a re-entry screen when this happens.  If that second screen keeps coming up, there could be a problem with the store reader.

Could there be a flaw in the EMV chip?

If there were a flaw in the EMV chip itself I think someone would have found it in the 15 years since chip cards were first introduced in Europe.

From everything we know right now, there is no practical way to hack into a chip card and revel its hidden security keys.

In 25 years or so, some researches think that a new type of computer utilizing quantum computing power could potentially break the security keys in EMV chips and all of the security used to protect websites on the internet.

Quantum Computers are Coming and the World Might not be Ready

It’s a scary thought that we will have to completely re-think our computer security systems in the not too distant future.

Let’s just hope that our credit cards are expired by then.