PIN OK Attack

The group of attacks on EMV/chip card present transactions. The idea is to bypass PIN checks using the "Offline PIN" cardholder verification methods. In order to do so, hackers need to implement the man-in-the-middle attack which will tamper the response from the card from "63c2" (PIN verification failed, 2 tries left) to "9000" (PIN was correct). After that the terminal will request an online cryptogram and the card will provide it.

Links:

• https://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf - the original research "Chip and PIN is broken", was carried at Cambridge university in 2010.

• https://www.defcon.org/images/defcon-19/dc-19-presentations/Barisani-Bianco-Laurie-Franken/DEFCON-19-Barisani-Bianco-Laurie-Franken.pdf
  https://dev.inversepath.com/download/emv/emv_2014.pdf - later in 2011 and 2014 Aperture Labs and Inverse Path published "Chip and PIN is definitely broken" to elaborate more technical details on the original research.

• https://www.cl.cam.ac.uk/~osc22/docs/mphil_acs_osc22.pdf - the original wedge device that was created by Omar Choudary

• https://eprint.iacr.org/2015/963.pdf - actual PIN OK attack that took place in 2011 in France

• https://www.isg.rhul.ac.uk/~psai074/publications/EMV_Joint_Sec.pdf - A bit of variation of the original attack, attacking RSA with Padding Oracle

• https://www.kommersant.ru/doc/3657121?query=%D0%A7%D0%B8%D0%BF
  https://www.hindustantimes.com/mumbai-news/chip-card-cloning-woman-doesn-t-share-pin-still-loses-rs40-000/story-HI3jmwyJMlwiUnOWXK5xWM.html
  https://www.theglobeandmail.com/globe-investor/personal-finance/customer-sues-cibc-over-purchase-of-81276-car/article583383/ - Many fraudulent cases have similar fingerprints with no strict evidence