What is even more odd is that a couple of people said something to the effect of “did you know that chip and PIN has been cracked” or “what do you think about supposedly tamper-proof Chip and PIN terminals being hacked”, neither of which were claims made by the researchers. After pointing out that there is nothing in EMV that requires terminals to be tamper-proof (they have to be tamper-evident, which is entirely different) and that to the best of my knowledge none of the manufacturers have claimed them to be tamper-proof, I refer them to APACS. To be completely honest, I thought the APACS media response was a little flat. I would have said “since criminals have already demonstrated this attack in the field (see the notorious Shell case), these researchers seem a little behind the curve”. Sandra Quinn of APACS actually said ‘Our experts are in discussion with the manufacturers of terminals to see what can be done.’ The answer is, of course, nothing. And it has nothing to do with chip & PIN. As a class of threat, this is no different from the old ruse of putting an “out of order” sign on the bank nightsafe and pretending to be a security guard. If you can persuade consumers to put their card and PIN into a box under your control, then you can skim the details.
Does it matter? Probably not. Insofar as it is a threat, it’s because the card details and PIN can be used to manufacture counterfeit magnetic stripe cards (the security of the chip isn’t compromised) and these can be used in foreign ATMs to withdraw money because “fallback” is allowed: that is, a card that doesn’t have a working chip can still be used via the magnetic stripe.
The long-term solution — apart from turning off fallback — is to stop having this sort of POS terminal where the card details and customer PIN are both “known” in the same place. If I can persuade the industry to buy into my vision (in which the “smarts” and the PIN never leave the customer’s hands — because they are in the customer’s mobile phone), even the theoretical threat will be reduced.
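To make the “turn off fallback” point concrete, here is an added example (not code from the post or from any issuer) of an issuer-side authorisation rule that spots a chip card being used via its magnetic stripe and declines it when fallback is switched off. The POS entry mode values and the request fields are assumptions of this example; the service-code meaning comes from ISO 7813.

```python
from dataclasses import dataclass

# Service-code first digit on track 2 (ISO 7813): 2 or 6 means an IC chip is
# present and should be used. POS entry mode values are an assumption of this
# example, following common ISO 8583 usage: "05" chip read, "02"/"90" magnetic
# stripe read, "80" magnetic stripe read after the chip could not be read.
CHIP_SERVICE_CODE_DIGITS = {"2", "6"}
STRIPE_ENTRY_MODES = {"02", "80", "90"}


@dataclass(frozen=True)
class AuthRequest:
    service_code: str     # three digits from track-2 data
    pos_entry_mode: str   # how the terminal captured the card
    country: str          # country of the terminal (informational only here)


def is_stripe_fallback(req: AuthRequest) -> bool:
    """True when a chip card was used via its magnetic stripe.

    A counterfeit stripe built from skimmed track data still carries the
    original service code, so the issuer can see a chip card being swiped.
    """
    chip_card = req.service_code[:1] in CHIP_SERVICE_CODE_DIGITS
    return chip_card and req.pos_entry_mode in STRIPE_ENTRY_MODES


def authorise(req: AuthRequest, allow_fallback: bool) -> str:
    """Issuer decision: 'approve' or 'decline'.

    With allow_fallback=True (the weak setting the post describes) a chip card
    cloned onto a stripe is accepted; with fallback turned off it is declined.
    """
    if not is_stripe_fallback(req):
        return "approve"
    return "approve" if allow_fallback else "decline"


# Constructed sample transactions (no real card data).
CLONED_STRIPE_ABROAD = AuthRequest("201", "90", "US")  # chip card, stripe read
GENUINE_CHIP_READ = AuthRequest("201", "05", "GB")      # chip used normally
STRIPE_ONLY_CARD = AuthRequest("101", "90", "US")       # card never had a chip

if __name__ == "__main__":
    for req in (CLONED_STRIPE_ABROAD, GENUINE_CHIP_READ, STRIPE_ONLY_CARD):
        print(req, "fallback on:", authorise(req, True),
              "fallback off:", authorise(req, False))
```

Cards that never had a chip (service code 1xx) are unaffected by the rule, which is why turning fallback off only bites on chip-capable cards.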
My opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.