Examining Users’ Understanding of Security Failures in EMV Smart Card Payment Systems

Akeem Olowolayemo - University Malaysia Sarawak, Kuching, Malaysia
Nafisat Adewale - International Islamic University Malaysia, Kuala Lumpur, Malaysia
Akram M. Zeki - International Islamic University Malaysia, Kuala Lumpur, Malaysia
Zubair Ahmad - International Islamic University Malaysia, Kuala Lumpur, Malaysia


DOI: http://dx.doi.org/10.30630/joiv.3.2.244

Abstract


New credit cards containing Europay, MasterCard and Visa (EMV) chips, intended to enhance security for in-store purchases (rather than online purchases), have been adopted considerably in recent years. EMV supposedly protects payment cards by having the computer chip in the card (such cards are referred to as chip-and-PIN cards) generate a unique one-time code each time the card is used. The one-time code is designed so that, if it is copied or stolen from the merchant system or from the system terminal, it cannot be used to create a counterfeit copy of that card or a counterfeit chip of the transaction. However, in spite of this design, EMV technology is not entirely foolproof. This paper discusses the issues, failures and fraudulent cases associated with EMV Chip-And-Card technology. The work also evaluates people’s understanding of these issues and the resulting precautions they take to safeguard their information while using EMV cards for transactions.

Keywords


Chip and PIN Card Fraud; Card Security; Protocol Failure; Card Authentication; Users’ Perceptions; Payment Risks; Awareness.

