Smartcard Fraud Detection Using Secure Onetime RANDOM Mobile Password

Abstract: EMV is the dominant protocol used for smart card payments worldwide, with over 730 million cards in circulation. Known to bank customers as ―Chip and PIN‖, it is used in Europe; EMV secures credit and debit card transactions by authenticating both the card and the customer presenting it through a combination of cryptographic authentication codes, digital signatures, and the entry of a PIN. In this paper we describe and demonstrate a protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card‘s PIN, and to remain undetected even when the merchant has an online connection to the banking network. The fraudster performs a man-in- the-middle attack to trick the terminal into believing the PIN verified correctly, while telling the card that no PIN was entered at all. The paper considers how the flaws arose, why they remained unknown despite EMV‘s wide deployment for the best part of a decade, and how they might be fixed. Because we have found and validated a practical attack against the core functionality of EMV. This paper also provides the solution to detect the fraud, authentication to the genuine cardholder, transaction verification with a one time random mobile password.

Keywords: EMV, Card Fraud, ORMP, Chip and PIN