@InProceedings{ABCLx06,
  author = 	 { Ben Adida and Mike Bond and Jolyon Clulow and Amerson Lin and Steven Murdoch and Ross Anderson
                   and Ron[ald L.] Rivest },
  pages = 	 { 40--48 },
  doi =          { 10.1007/978-3-642-04904-0_7 },                  
  title = 	 { Phish and Chips --- Traditional and New Recipes for Attacking {EMV} },
  booktitle =    { Revised Selected Papers from Fourteenth International Workshop on Security Protocols },
  isbn =         { 978-3-642-04903-3 },
  editor =       { Bruce Christianson and Bruno Crispo and James Malcolm and Michael Roe },                  
  date =         { 2006 },                  
  OPTyear = 	 { 2006 },
  OPTmonth = 	 { March 27--29, },
  publisher =    { Springer },
  series = 	 { Lecture Notes in Computer Science },
  volume = 	 { 5087 },
  eventtitle =   { SPW'06 },
  eventdate =    { 2006-03-27/2006-03-29 },
  venue =        { Cambridge, UK },                  
  abstract =     {
         This paper surveys existing and new security issues affecting the EMV electronic payments
         protocol. We first introduce a new price/effort point for the cost of deploying eavesdropping
         and relay attacks --- a microcontroller-based interceptor costing less than \$100.   We look
         next at EMV protocol failures in the back-end security API, where we describe two new attacks
         based on chosen-plaintext CBC weaknesses, and on key separation failues. We then consider
         future modes of attack, specifically looking at combining the phenomenon of phishing
         (sending unsolicited messages by email, post or phone to trick users into divulging their
         account details) with chip card sabotage. Our proposed attacks exploit covert channels
         through the payments network to allow sabotaged cards to signal back their PINS. We hope
         these new recipes will enliven the debate about the pros and cons of Chip and PIN at both
         technical and commercial levels.
                  },
}