Chip & PIN is definitely broken

Black Hat USA 2011

Presented by: Andrea Barisani, Daniele Bianco, Zac Franken, Adam Laurie
Date: Thursday August 04, 2011
Time: 16:45 - 18:00
Location: Pompeian
Track: Expanding Complexity

Credit Card skimming and PIN harvesting in an EMV world. We analyze the practicality of credit card information skimming, cloning and PIN harvesting on Chip & PIN enabled POS terminals. We intentionally ignore Magstripe skimming (which is still effective and widely used) and focus on the chip interface.

Adam Laurie

Adam Laurie is a freelance security consultant working the in the field of electronic communications. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, Dos and CP/M based micro computers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest specialist in that field (A.L. Downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and wrote the world's first CD ripper, 'CDGRAB'. At this point, he and his brother Ben became interested in the newly emerging concept of 'The Internet', and were involved in various early open source projects, the most well known of which is probably their own—'Apache-SSL'—which went on to become the de-facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers) as secure hosting facilities. Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings, and is a member of the Bluetooth SIG Security Experts Group and speaks regularly on the international conference circuit on matters concerning Bluetooth security. He has also given presentations on forensics, magnetic stripe technology, InfraRed and RFID. He is the author and maintainer of the open source python RFID exploration library 'RFIDIOt', which can be found at http://rfidiot.org. He now works full time for the security research company Aperture Labs Ltd. which he co-founded.

Zac Franken

Zac Franken is based in the UK with over 20 years of computing and security experience. At present he is researching physical access control systems. He started work back in '87 as a Unix Systems Administrator and founded of one of the UK's top Internet development shops in '94. His work has been quoted in international press and he is a frequent speaker at security conferences. Zac has been Operations Director for DefCon so long that he can no longer be officially considered sane.

Andrea Barisani

Andrea Barisani is an internationally known security researcher. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick...and break. His experiences focus on large-scale infrastructure administration and defense, forensic analysis, penetration testing and software development, with more than 10 years of professional experience in security consulting. Being an active member of the international Open Source and security community he contributed to several projects, books and open standards. He is now the founder and coordinator of the oCERT effort, the Open Source Computer Emergency Response Team. He has been a speaker and trainer at BlackHat, CanSecWest, DEFCON, Hack In The Box, PacSec conferences among many others, speaking about TEMPEST attacks, SatNav hacking, 0-days, OS hardening and many other topics.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats