The Smart Card Alliance has reviewed the hack along with other industry organizations and concluded that widespread implementation of this attack is unlikely and that there is no evidence that the attack described has happened in the real world.


These conclusions are supported by the following points:

• The attack requires the use of a stolen EMV card that has not yet been reported as stolen; this limits the scalability of this type of fraud since it must be done with one card at a time and in a potentially short window of time.
• The combination fake card and stolen chip & PIN card cannot be used in an ATM for a cash withdrawal, as ATMs rely on an online PIN verification.
• The fraud requires using a fake chip card with wires coming out of it, running up the sleeve of the fraudster and connecting to a hidden circuit board, computer and stolen EMV card, making detection likely at an attended merchant point-of-sale.
• The attack is technically difficult, requiring highly sophisticated software and customized hardware that could only be created by individuals with extensive knowledge of EMV protocols.
• Countermeasures are already available, either in EMV, within payment system products and networks, or within issuer host systems.
• Electronic audits of data from suspected transactions would protect cardholders and merchants from responsibility for fraudulent charges made to their card with this type of attack, if reported properly.

Additionally, such an attack would not compromise the smart card as the PIN would still remain secure inside the card.