handouts/ho01.tex
changeset 177 46e581d66f3a
parent 176 5336ad2fd3fa
child 178 13c6bd6e3477
176:5336ad2fd3fa 177:46e581d66f3a
    87 but plays an important role. To illustrate this lets look at
    87 but plays an important role. To illustrate this lets look at
    88 an example. 
    88 an example. 
    89 
    89 
    90 The questions is whether the Chip-and-PIN system with credit
    90 The questions is whether the Chip-and-PIN system with credit
    91 cards is more secure than the older method of signing receipts
    91 cards is more secure than the older method of signing receipts
    92 at the till. On first glance, Chip-and PIN seems obviously
    92 at the till. On first glance Chip-and-PIN seems obviously more
    93 more secure and this was also the central plank in the
    93 secure and improved security was also the central plank in the
    94 ``marketing speak'' of the banks behind Chip-and-PIN. The
    94 ``marketing speak'' of the banks behind Chip-and-PIN. The
    95 earlier system was based on a magnetic stripe or a mechanical
    95 earlier system was based on a magnetic stripe or a mechanical
    96 imprint on the card and required customers to sign receipts at
    96 imprint on the card and required customers to sign receipts at
    97 the till whenever they bought something. This signature
    97 the till whenever they bought something. This signature
    98 authorises the transactions. Although in use for a long time,
    98 authorised the transactions. Although in use for a long time,
    99 this system had some crucial security flaws, including making
    99 this system had some crucial security flaws, including making
   100 clones of credit cards and forging signatures. Chip-and-PIN,
   100 clones of credit cards and forging signatures. 
   101 as the name suggests, relies on data being stored on 
   101 
   102 a chip on the card and a PIN number for authorisation. 
   102 Chip-and-PIN, as the name suggests, relies on data being
   103 
   103 stored on a chip on the card and a PIN number for
   104 
   104 authorisation. Even though the banks involved trumpeted their
   105 Although the banks involved trumpeted their system as being
   105 system as being absolutely secure and indeed fraud rates
   106 secure and indeed fraud rates initially went down, security
   106 initially went down, security researchers were not convinced
   107 researchers were not convinced (especially the group around
   107 (especially the group around Ross Anderson). To begin with,
   108 Ross Anderson). To begin with, the Chip-and-PIN system
   108 the Chip-and-PIN system introduced a ``new player'' that
   109 introduced a ``new player'' that needed to be trusted: the PIN
   109 needed to be trusted: the PIN terminals and their
   110 terminals and their manufacturers. Of course it was claimed
   110 manufacturers. It was claimed that these terminals are
   111 that these terminals are tamper-resistant, but needless to say
   111 tamper-resistant, but needless to say this was a weak link in
   112 this was a weak link in the system, which criminals
   112 the system, which criminals successfully attacked. Some
   113 successfully attacked. Some terminals were even so skilfully  
   113 terminals were even so skilfully manipulated that they
   114 manipulated that they transmitted PIN numbers via a built-in
   114 transmitted skimmed PIN numbers via built-in mobile phone
   115 mobile phone connection. To mitigate this security flaw, you 
   115 connections. To mitigate this flaw in the security of
   116 need to vet quite closely the supply chain of such 
   116 Chip-and-PIN, you need to vet quite closely the supply chain
   117 terminals---something that also needs to be done in other 
   117 of such terminals.
   118 industries. 
   118 
   119 
   119 Later on Ross Anderson and his group managed to launch a
   120 Later on, Ross Anderson and his group managed to launch
       
   121 man-in-the-middle attacks against Chip-and-PIN. Essentially
   120 man-in-the-middle attacks against Chip-and-PIN. Essentially
   122 they made the terminal think the correct PIN was entered and
   121 they made the terminal think the correct PIN was entered and
   123 the card think that a signature was used. This flaw was
   122 the card think that a signature was used. This was a more
   124 mitigated by requiring that a link between the card and the
   123 serious security problem. The flaw was mitigated by requiring
   125 bank is established at every time the card is used. Even
   124 that a link between the card and the bank is established at
   126 later this group found another problem with Chip-and-PIN and
   125 every time the card is used. Even later this group found
   127 ATMs which do not generate random enough numbers (nonces) 
   126 another problem with Chip-and-PIN and ATMs which do not
   128 on which the security of the underlying protocols relies. 
   127 generate random enough numbers (nonces) on which the security
       
   128 of the underlying protocols relies. 
   129 
   129 
   130 The problem with all this is that the banks who introduced
   130 The problem with all this is that the banks who introduced
   131 Chip-and-PIN managed to shift the liability for any fraud and
   131 Chip-and-PIN managed with the new system to shift the
   132 the burden of proof onto the customer with the new system. In
   132 liability for any fraud and the burden of proof onto the
   133 the old system, the banks had to prove that the customer used
   133 customer. In the old system, the banks had to prove that the
   134 the card, which they often did not bother about. In effect if
   134 customer used the card, which they often did not bother with.
   135 fraud occurred the customers were either refunded fully or
   135 In effect, if fraud occurred the customers were either refunded
   136 lost only a small amount of money. This
   136 fully or lost only a small amount of money. This
   137 taking-responsibility-of-potential-fraud was part of the
   137 taking-responsibility-of-potential-fraud was part of the
   138 ``business plan'' of the banks and did not reduce their
   138 ``business plan'' of the banks and did not reduce their
   139 profits too much. Since they successfully claimed that their
   139 profits too much. 
   140 Chip-and-PIN system is secure, banks were able to point the
   140 
   141 finger at the customer when fraud occurred: it must have been
   141 Since banks managed to successfully claim that their
   142 the fault of the customer, who must have been negligent
   142 Chip-and-PIN system is secure, they were under the new system
   143 loosing the PIN. The customer had almost no means to defend
   143 able to point the finger at the customer when fraud occurred:
   144 themselves in such situations. That is why the work of
   144 they must have been negligent loosing their PIN. The customer
   145 \emph{ethical} hackers like Ross Anderson's group was so
   145 had almost no means to defend themselves in such situations.
   146 important, because they and others established that the bank's
   146 That is why the work of \emph{ethical} hackers like Ross
   147 claim, their system is secure and it must have been the
   147 Anderson's group was so important, because they and others
   148 customer's fault, was bogus. In 2009 for example the law 
   148 established that the bank's claim that their system is secure
   149 changed the burden of proof back to the banks whether
   149 and it must have been the customer's fault, was bogus. In 2009
   150 it was really the customer who used a card or not.
   150 for example the law changed and the burden of proof went back
   151 
   151 to the banks. They need to prove whether it was really the
   152 It is a classic example where a security design principle was
   152 customer who used a card or not.
   153 violated: The one who is in the position to improve security,
   153 
   154 also needs to bear the financial losses if things go wrong.
   154 This is a classic example where a security design principle
   155 Otherwise, you end up with an insecure system. In case of the
   155 was violated: Namely, the one who is in the position to
   156 Chip-and-PIN system, no good security engineer would actually
   156 improve security, also needs to bear the financial losses if
   157 think that it is secure: the specification of the EMV protocol
   157 things go wrong. Otherwise, you end up with an insecure
   158 (underlying Chip-and-PIN) is some 700 pages long, but still
   158 system. In case of the Chip-and-PIN system, no good security
   159 leaves out many things (like how to implement a good random
   159 engineer would claim that it is secure beyond reproach: the
   160 number generator). Moreover, banks can add their own
   160 specification of the EMV protocol (underlying Chip-and-PIN) is
   161 sub-protocols to it. With all the experience we already have,
   161 some 700 pages long, but still leaves out many things (like
   162 it is as clear as day that criminals were able to poke holes
   162 how to implement a good random number generator). No human
   163 into it. With how the system was set up, the banks had no
   163 being is able to scrutinise such a specification and ensure it
   164 incentive to come up with a system that is really secure.
   164 contains no flaws. Moreover, banks can add their own
   165 Getting the incentives right in favour of security is often a
   165 sub-protocols to EMV. With all the experience we already have,
   166 tricky business.
   166 it is as clear as day that criminals were eventually able to
       
   167 poke holes into it and measures need to be taken to address
       
   168 them. However, with how the system was set up, the banks had
       
   169 no real incentive to come up with a system that is really
       
   170 secure. Getting the incentives right in favour of security is
       
   171 often a tricky business.
   167 
   172 
   168 \subsection*{Of Cookies and Salts}
   173 \subsection*{Of Cookies and Salts}
   169 
   174 
   170 Lets look at another example which helps us to understand how
   175 Lets look at another example which helps us to understand how
   171 passwords should be verified and stored. Imagine you need to
   176 passwords should be verified and stored. Imagine you need to
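Review bot: the rewritten sentence at new lines 143-144 ("they must have been negligent loosing their PIN") carries over the spelling error from old line 143; it should read "losing their PIN". Two further typos survive unchanged in the context lines: "The questions is whether" at line 90 should be "The question is whether", and "Lets look at" at line 175 (likewise "lets look at" at line 87) should be "Let's look at". At new line 148, "the bank's claim that their system is secure" pairs a singular possessive with a plural "their"; since the paragraph is about the banks collectively, "the banks' claim" would be consistent. A minor style point at new line 103: "a PIN number" expands to "personal identification number number", so "a PIN" is enough. Finally, the rewrite of old lines 115-118 into new lines 115-117 drops the remark that vetting the supply chain of terminals is "something that also needs to be done in other industries"; if that generalisation was dropped on purpose, fine, otherwise it is worth keeping since it is the only place the handout connects the Chip-and-PIN case to supply-chain vetting elsewhere.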