European criminals cannibalized stolen EMV cards, combining clipped smartcard chips with miniature microprocessors to construct fake payment cards that defeated point-of-sale security checks, enabling them to commit as much as 600,000 euros ($680,000) in fraud.

While that fraud occurred in 2011 and attack countermeasures were thereafter put in place by the card industry, details of the EMV-defeating fraud spree have only now come to light in a newly released research paper. The report, “When Organized Crime Applies Academic Results: A Forensic Analysis of an In-Card Listening Device,” was published by four researchers from the computer science department at the École Normale Supérieure in Paris and the Centre Microélectronique de Provence in the south of France.

Their discoveries are further proof that, from a security standpoint, despite what card issuers might claim, the EMV protocol is not foolproof, says University of Surrey computer science professor Alan Woodward. “This particular attack no longer works as it was ‘fixed,’ but I have to say experience shows that where there is one [attack], there will be others.”

continue reading »