Attack against EMV Terminals

The German security company SRLabs claims that that they found several vulnerabilities in popular EMV terminals, including a buffer overrun and an open JTAG. If someone manipulates the user interface of the terminal it is quite easy to steal the PIN. Such a manipulation might happen by attacking a legitimate terminal or, even more easier, by presenting a user a fake terminal. The real issue is that the PIN is used as an authentication token wherever it is input. It would be much more safer to have a personal authentication device, like a cellphone. The users need to authenticate to their device with their preferred method, and the device would authenticate to the rest of the world with a cryptographic algorithm. This assumes that the users' device is secure, bur in contrast to the present situation the user can ensure the security of a personal device.