Date: Thu, 11 Feb 2010 18:29:12 -0500
From: David Magda
Subject: EMV busted
Seems that the EMV standard has been compromised:
> "Chip and PIN is fundamentally broken," Professor Ross Anderson of
> Cambridge University told ZDNet UK. "Banks and merchants rely on the words
> 'Verified by PIN' on receipts, but they don't mean anything."
formatting link
More reports:
formatting link
formatting link
formatting link
Anderson's paper is available:
formatting link
EMV is often called "Chip and PIN", as well as "Chip Card" in Canada.
Some financial institutions put a lot of stock in the security of this:
> You are responsible for the full amount of all authorized activity or
> other Transactions resulting from use of the Card or Connect ID and PIN or
> Password by any person, including any entry error or fraudulent or
> worthless deposit at an ABM or other machine. You are responsible for the
> full amount of all unauthorized activity or other Transactions which occur
> before we receive notification that your PIN, Password or Card was lost or
> stolen or that your Connect ID, PIN or Password may have become known to
> an unauthorized person. On receiving such notice from you we will block
> the Card's, PIN's or Connect ID's ability to access our services and/or
> the use of a Card or the Account.
formatting link
(column 9)
In many cases, the banks' (now no longer trust-worthy) logs are the definitive record:
> Our records will be conclusive proof of use of a Card or the Account or
> electronic services and will be considered your written request to perform
> the Transaction. Even though you may be provided with a Transaction
> receipt, verification or confirmation number, or interim statement by or
> through an ABM or other machine, the following applies to all Transactions
> or other activity on the Account:
>
> * our acceptance, count and verification of Transactions or deposits
>   will be considered correct and binding unless there is an obvious error
> [...]
(Ibid.)
Some are a bit more reasonable, but if your card has been cloned (and put back in your wallet/purse), you may not notice the problem until too late:
> If someone uses your Visa Card and your PIN or your Visa Account number
> with any other security code to make unauthorized purchases or otherwise
> obtain the benefits of your Visa Card, you will not be responsible for
> those charges provided that you (i) are able to establish to our
> reasonable satisfaction that you have taken reasonable steps to protect
> your Visa Card [...] and (ii) cooperate fully with our
> investigation. [...]
> You are not responsible for unauthorized use of your Visa Card or your
> Visa Account number in transactions in which neither a PIN nor a security
> code is used as the cardholder verification method.
formatting link
--
Transmitted with recycled bits. Damnly my frank, I don't give a dear
----------