Chip and PIN is Broken
Steven J. Murdoch, Saar Drimer, Ross Anderson, Mike Bond
University of Cambridge
Computer Laboratory
Cambridge, UK
http://www.cl.cam.ac.uk/users/{sjm217,sd410,rja14,mkb23}
Abstract—EMV is the dominant protocol used for smart card
payments worldwide, with over 730 million cards in circulation.
Known to bank customers as “Chip and PIN”, it is used in
Europe; it is being introduced in Canada; and there is pressure
from banks to introduce it in the USA too. EMV secures
credit and debit card transactions by authenticating both the
card and the customer presenting it through a combination of
cryptographic authentication codes, digital signatures, and the
entry of a PIN. In this paper we describe and demonstrate a
protocol flaw which allows criminals to use a genuine card
to make a payment without knowing the card’s PIN, and
to remain undetected even when the merchant has an online
connection to the banking network. The fraudster performs a
man-in-the-middle attack to trick the terminal into believing
the PIN verified correctly, while telling the card that no PIN
was entered at all. The paper considers how the flaws arose,
why they remained unknown despite EMV’s wide deployment
for the best part of a decade, and how they might be fixed.
Because we have found and validated a practical attack against
the core functionality of EMV, we conclude that the protocol
is broken. This failure is significant in the field of protocol
design, and also has important public policy implications,
in light of growing reports of fraud on stolen EMV cards.
Frequently, banks deny such fraud victims a refund, asserting
that a card cannot be used without the correct PIN, and
concluding that the customer must be grossly negligent or lying.
Our attack can explain a number of these cases, and exposes
the need for further research to bridge the gap between the
theoretical and practical security of bank payment systems. It
also demonstrates the need for the next version of EMV to be
engineered properly.
Keywords-EMV; Chip and PIN; card fraud; bank security;
protocol failure; security economics; authentication
I. INTRODUCTION
Smart cards have gradually replaced magnetic strip cards
for point-of-sale and ATM transactions in many countries.
The leading system, EMV [1], [2], [3], [4] (named after
Europay, MasterCard, and Visa), has been deployed throughout
most of Europe, and is currently being rolled out in
Canada. As of early 2008, there were over 730 million EMV-compliant
smart cards in circulation worldwide [5]. In EMV,
customers authorize a credit or debit card transaction by
inserting their card and entering a PIN into a point-of-sale
terminal; the PIN is typically verified by the smart card chip,
which is in turn authenticated to the terminal by a digital
certificate. The transaction details are also authenticated by
a cryptographic message authentication code (MAC), using
a symmetric key shared between the payment card and the
bank that issued the card to the customer (the issuer).
[Figure 1. Fraud statistics on UK-issued cards [6]. Losses (£m) by year, 2004 to 2008, by category: card-not-present, counterfeit, lost and stolen, ID theft, mail non-receipt, online banking, cheque fraud; the Chip & PIN deployment period is marked. Total (£m): 2004: 563.1; 2005: 503; 2006: 491.2; 2007: 591.4; 2008: 704.3.]
EMV was heavily promoted under the “Chip and PIN”
brand during its national rollout in the UK. The technology
was advertised as a solution to increasing card fraud: a chip
to prevent card counterfeiting, and a PIN to prevent abuse
of stolen cards. Since its introduction in the UK the fraud
landscape has changed significantly: lost and stolen card
fraud is down, and counterfeit card fraud experienced a two-year
lull. But no type of fraud has been eliminated, and the
overall fraud levels have actually risen (see Figure 1). The
likely explanation for this is that EMV has simply moved
fraud, not eliminated it.
One goal of EMV was to externalise the costs of dispute
from the issuing bank, in that if a disputed transaction
has been authorised by a manuscript signature, it would be
charged to the merchant, while if it had been authorised by a
PIN then it would be charged to the customer. The net effect
is that the banking industry, which was responsible for the
design of the system, carries less liability for the fraud. The
industry describes this as a ‘liability shift’.
Security economics teaches us that such arrangements
create “moral hazard,” by insulating banks from the risk
of their poor system design, so it is no surprise when such
plans go awry. Several papers have documented technical
attacks on EMV. However, it is now so deeply entrenched
that changes can be very hard to make.