Now that EMV cards are more prevalent, several articles have been published about gaps being discovered in EMV's security and what is being done to patch them. One example was reported by the U.K.-based publication The Register, which found that Mastercard has altered its specifications to protect against relay attacks that can occur with contactless payments.
The article describes a relay attack as follows:
Shoppers attempting to use fake terminals to make purchases might unwittingly allow scammers to hijack details and make fraudulent purchases using counterfeit cards at another shop. Card identity codes would be sent wirelessly from crooks running fake terminals to accomplices buying goods so that fake cards are accepted as genuine. The PIN is then sent from the fake terminal to the accomplice so fraudulent purchases can be authorized.
The article adds that it is unknown if this type of rather sophisticated fraud has been used much, if ever, but as the industry is getting smarter about fraud prevention, thieves are going to be upping their game as well. This type of fraud might be more appealing in the future.
Relay attacks were first demonstrated nine years ago by a team of computer scientists Saar Drimer and Steven Murdoch.
The pair also suggested how the security flaw can be mitigated using a technique called distance bounding. Mastercard has taken up this defense, meaning its cards (at least) are protected.
“Finally the banks are now implementing this defense, though only for contactless cards (as they are more vulnerable than the contact Chip and PIN cards that were available in 2007), and so far only for MasterCard cards,” Murdoch told El Reg.
Overview by Sarah Grotta, Director, Debit Advisory Service at Mercator Advisory Group