French forensics researchers have dissected a real-world case in which criminals have outsmarted the chip-and-pin system with a seamless chip-switching trick—and pulled off the feat with a slip of plastic that’s almost indistinguishable from a normal credit card. Security experts from Tripwire have the following comments on it.
Ken Westin, Senior Security Analyst at Tripwire:
“As the U.S. moves to chip and PIN, many are mistaken in thinking that this will end the rash of retail breaches. Chip and PIN will not mitigate the mass exfiltration of credit cards from retailers, but instead will make card-present related fraud more difficult as it makes card counterfeit difficult. This will help to decrease the number of breaches, but simply due to less demand in underground markets for the stolen credit cards.
Even with chip and PIN many of the vulnerabilities in point-of-sale and payment systems will still remain. These criminal syndicates are also highly persistent and will continue to find vulnerabilities in these systems, including chip and PIN.”
Tim Erlin, Director of Security and Product Management at Tripwire:
“Because the US is implementing the less secure ‘chip-and-signature’ instead of ‘chip-and-pin,’ this specific attack isn’t relevant in the United States.
Security researchers have had little doubt that criminals would ultimately find ways to defeat the protections EMV provides. Securing these transactions isn’t something that’s ever finished. It’s an ongoing arms race.
While this attack allows for the use of a stolen card, it doesn’t provide the ability to create counterfeit cards from stolen data, which is the primary use case against which EMV protects.”
About Tripwire
Tripwire is a leading provider of advanced threat, security and compliance solutions that enable enterprises, service providers and government agencies to confidently detect, prevent and respond to cybersecurity threats. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business-context and enable security automation through enterprise integration. Tripwire’s portfolio of enterprise-class security solutions includes configuration and policy management, file integrity monitoring, vulnerability management and log intelligence.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.