Criminals Hacked Chip-and-PIN System By Perfecting Point-of-Sale Attack

An anonymous reader writes: When in 2010 a team of computer scientists at Cambridge University demonstrated how the chip and PIN system used on many modern payment cards can be bypassed by making the POS system accept any PIN as valid, the reaction of the EMVCo and the UK Cards Association was to brand the attack as "improbable." After all, the researchers used a bulky tech setup that had to be carried around in a backpack but, as it ultimately turned out, a year later an engineer based in France found a less obvious way to perform the attack.

Re:I didn't think of it means...

[Capt.Albatross]

because after they were shown that it could be done, they did nothing about it until this latest exploit threatened to make their failure general knowledge.

Wrong. It was already fixed.

If you want a good, detailed look at the story, read it on Ars:
http://arstechnica.com/tech-po...

The Ars article contains nothing to support your assertion. On the other hand, the Cambridge group that originally discovered the flaw behind the exploit report that the industry did nothing between being alerted to the problem and the publication of their paper. Instead, it attempted to dismiss the problem as impractical to exploit, even though the Cambridge group demonstrated a practical attack, presented good empirical evidence that it was being exploited in the wild, and proposed mitigating measures.

One of the team members recently wrote "What we do know with confidence is that had the banks acted to close the vulnerability immediately after we notified them, these criminals would not have been able to commit this fraud."

We have to take the industry's word for it that they have now fixed the problem, and our confidence in that claim should be weighted by its previous proclivity to dissemble. Perhaps they have just fixed the liability shift part of the problem.

https://www.cl.cam.ac.uk/resea...
https://www.benthamsgaze.org/2...