The Green Sheet Online Edition
April 14, 2014 • Issue 14:04:01
Is chip and PIN bulletproof?
I recently read about a Canadian man who is suing his bank. He claims a criminal used his account data without his knowledge to make an $80,000 purchase, and the bank won't reimburse the funds, even though the bank removed a subsequent charge of about $4,000 made by the same party. The bank won't reimburse the first charge partly because the fine print of its consumer agreement states it will credit charges made after a fraud is reported, but it says nothing about charges made before the fraud is reported.
The bank also claims it is impossible to make fraudulent charges when EMV chip and PIN are both used to make purchases. The man suing his bank insists he never wrote down his PIN, nor did he divulge it to anyone else. And he says the card never left his possession.
Is it true that when both chip and PIN are used, fraud is impossible? And will the upcoming U.S. EMV liability shift make it easier for merchants and banks to shift liability to consumers?
Merchant Level Salesperson
We cannot speak to the particulars of this case, but research appears to indicate Europay/MasterCard/Visa (EMV) chip and PIN transactions are susceptible to fraud. In the paper "Chip and PIN is Broken," researchers in the Security Group at Cambridge University in Britain described a "protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card's PIN, and to remain undetected even when the merchant has an online connection to the banking network. The fraudster performs a man-in-the-middle attack to trick the terminal into believing the PIN verified correctly, while telling the card that no PIN was entered at all."
We also cannot speculate regarding banks' and merchants' intentions. However, it would likely be a public relations nightmare for card issuing banks if they changed their consumer fraud protections after EMV is implemented in the United States.
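The flaw quoted above leaves the terminal and the card with different accounts of the same transaction, which is something an issuer can look for. The following is an added illustration, not code from The Green Sheet or from the Cambridge paper: it flags authorization records where the terminal's CVM Results (EMV tag 9F34) report a successful chip-verified PIN while the card reports none. The record layout, the sample data and the card_saw_offline_pin field are assumptions; the card's own verification flags live in issuer-specific data and are taken here as already decoded.

```python
from dataclasses import dataclass

# EMV CVM Results (tag 9F34) are 3 bytes: method performed, condition, result.
OFFLINE_PIN_METHODS = {0x01, 0x03, 0x04, 0x05}  # PIN checked by the chip itself
CVM_SUCCESSFUL = 0x02                           # byte 3 value meaning "successful"

@dataclass
class AuthRecord:
    txn_id: str
    cvm_results: bytes          # what the terminal reported (tag 9F34)
    card_saw_offline_pin: bool  # ASSUMPTION: decoded upstream from issuer-specific card data

def terminal_claims_offline_pin(cvm_results: bytes) -> bool:
    """True if the terminal says the chip verified a PIN successfully."""
    if len(cvm_results) != 3:
        raise ValueError("CVM Results must be exactly 3 bytes")
    method = cvm_results[0] & 0x3F  # low 6 bits select the method
    return method in OFFLINE_PIN_METHODS and cvm_results[2] == CVM_SUCCESSFUL

def find_mismatches(records):
    """Return (txn_id, reason) for records whose two views disagree."""
    flagged = []
    for r in records:
        try:
            claimed = terminal_claims_offline_pin(r.cvm_results)
        except ValueError:
            flagged.append((r.txn_id, "malformed CVM Results"))
            continue
        if claimed and not r.card_saw_offline_pin:
            flagged.append((r.txn_id, "terminal reports PIN verified, card reports no PIN"))
    return flagged

# Constructed sample records, not real transaction data.
SAMPLE = [
    AuthRecord("T1", bytes.fromhex("410302"), True),   # offline PIN, both sides agree
    AuthRecord("T2", bytes.fromhex("1E0300"), False),  # signature, no PIN claimed
    AuthRecord("T3", bytes.fromhex("410302"), False),  # the mismatch the paper describes
    AuthRecord("T4", bytes.fromhex("4103"), False),    # truncated field
]

if __name__ == "__main__":
    for txn_id, reason in find_mismatches(SAMPLE):
        print(txn_id, reason)
```

Online PIN (method 0x02) is deliberately excluded, since in that case the issuer rather than the chip checks the PIN.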
Do you have thoughts on U.S. EMV implementation? Do you have other concerns of interest to payment pros? Please let us know at firstname.lastname@example.org.