Originally Posted by garyschmitt
No, you don't need to steal the card. The EMV card is vulnerable to MitM. You can put your card in a compromised terminal at McDonalds, enter your PIN, and the whole transaction can be happening in real time somewhere else, buying a different product, for a different price. You would think you're buying a burger in London, but instead you're getting a free burger while buying diamonds for someone in Switzerland, for example.
Until we have a decent 2-factor authentication mechanism for card present transactions, all cards are vulnerable to MitM. It is not unique to EMV.
Originally Posted by garyschmitt
EMV cards can also be cloned. It's much more difficult than cloning the magstripe of the card, but it's possible.
Source?
Originally Posted by garyschmitt
Additionally, there are cases where PINs are not entered at all, because thieves have been able to send a false signal that claims a PIN was correctly entered even if it was not. This attack works on wireless POS terminals.
This is a flaw with the terminals, not with the EMV cards. Further, it has no impact on your liability. In fact, the existence of this problem (& one where the terminal accepted any PIN) has forced the UK banks to change their position away from customers having to prove they didn't make the transaction.