Chip & sPIN - more musings on the security front...

My diatribes against the delights of Chip & sPIN in recent weeks have gone down well in some circles, so I was interested to hear about Cameron Olsen, vice president of business development with Smart Technology Solutions, who claims there is "no evidence" that Chip & PIN technology has been cracked.

"Yes, the UK does use Static Data Authentication (SDA) cards, however there will be a move towards Dynamic Data Authentication (DDA) at some point, which will provide more security," he said, adding that the UK banks are now paying some of the price for going with SDA rather than DDA cards when they were rolling out chip & sPIN.
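To make the SDA/DDA distinction Olsen refers to concrete, here is an added example (my own toy model, not code from the post, from Smart Technology Solutions, or from any EMV implementation). An HMAC stands in for the RSA signatures real cards use, and the terminal's DDA check uses the card key directly where a real terminal would verify the card's public-key certificate; the keys, PAN and expiry are constructed. What it shows is what a terminal can tell apart: in SDA the card only ever hands over static data plus a signature written at personalisation, so a record containing just that readable data satisfies the check, whereas in DDA the terminal sends a fresh unpredictable number and expects a response computed with a key that stays on the chip.

```python
import hmac
import hashlib
import os

# Constructed stand-in keys. Real SDA/DDA use RSA: the issuer signs the
# static card data (SDA), and for DDA the card additionally holds its own
# private key and signs a terminal challenge with it.
ISSUER_KEY = b"constructed-issuer-signing-key"
ICC_KEY = b"constructed-card-private-key"


def sign(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stands in for a signature: only the key holder can produce it."""
    return hmac.new(key, data, hashlib.sha256).digest()


class ChipCard:
    """Static data plus the issuer signature written at personalisation."""

    def __init__(self, pan: str, expiry: str, dda_capable: bool):
        self.static_data = f"{pan}|{expiry}".encode()
        self.static_signature = sign(ISSUER_KEY, self.static_data)
        self._icc_key = ICC_KEY if dda_capable else None  # never leaves the chip

    def read_static(self):
        # Everything an SDA terminal asks for. Producing it again needs no
        # secret, which is the whole weakness of SDA.
        return self.static_data, self.static_signature

    def internal_authenticate(self, unpredictable_number: bytes):
        # DDA: bind the response to the terminal's fresh nonce with the card key.
        if self._icc_key is None:
            return None
        return sign(self._icc_key, self.static_data + unpredictable_number)


class StaticRecord:
    """Holds only what read_static() returned: the test case for replayed data."""

    def __init__(self, static_data: bytes, static_signature: bytes):
        self.static_data = static_data
        self.static_signature = static_signature

    def read_static(self):
        return self.static_data, self.static_signature

    def internal_authenticate(self, unpredictable_number: bytes):
        return None  # no card key, so no dynamic response is possible


def terminal_sda(card) -> bool:
    """SDA terminal: checks the issuer signature over the static data only."""
    data, sig = card.read_static()
    return hmac.compare_digest(sign(ISSUER_KEY, data), sig)


def terminal_dda(card) -> bool:
    """DDA terminal: static check, then a challenge the card must answer freshly."""
    data, sig = card.read_static()
    if not hmac.compare_digest(sign(ISSUER_KEY, data), sig):
        return False
    nonce = os.urandom(8)  # unpredictable number, new for every transaction
    response = card.internal_authenticate(nonce)
    if response is None:
        return False
    # Assumption: verifying with ICC_KEY stands in for checking the card's
    # public-key certificate chain back to the issuer.
    return hmac.compare_digest(sign(ICC_KEY, data + nonce), response)


def compare_schemes() -> dict:
    """Run a genuine card and a static-only record through both terminal types."""
    genuine = ChipCard("4111111111111111", "12/09", dda_capable=True)  # constructed
    record = StaticRecord(*genuine.read_static())
    return {
        "sda_genuine": terminal_sda(genuine),
        "sda_record": terminal_sda(record),
        "dda_genuine": terminal_dda(genuine),
        "dda_record": terminal_dda(record),
    }


if __name__ == "__main__":
    for check, passed in compare_schemes().items():
        print(f"{check}: {'accepted' if passed else 'rejected'}")
```

The result the model produces is the point Olsen concedes: an SDA terminal accepts the static record as readily as the genuine card, while the DDA terminal rejects it because the record cannot answer a fresh challenge. The residual gap, which DDA does not close, is that a terminal only running the mag-stripe fallback does neither check.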

According to Olsen, the major flaw with cards at the moment is the fact that there is legacy magnetic-stripe technology on all the cards.

This technology, he argues, is exceptionally insecure and there needs to be a strong push to do away with the legacy system.

The fraud cases highlighted in the news recently, he says, are more than likely to be magnetic-stripe based.

The problem with chip cards, he argues, is that when the chip is damaged, the EFTPOS reader falls back onto the mag stripe technology.

Hmmm. I have my doubts, Mr Olsen. Although it's inappropriate to reveal how it all works, the PIN on UK Chip & sPIN cards is actually stored on the chip on the card, rather than on the network.

This means that a Chip and sPIN card can operate in offline mode, with the terminal comparing the input from the terminal's PINpad to the PIN held on the card, and 'authorising' the transaction as appropriate.

If the chip can be interrogated for the purposes of comparison, then the PIN can be extracted from the chip. After that, the user's card can be used at almost any ATM or retailer until the account runs dry...
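As an added example of the offline mode described above (my own simplified model, not code from the post or from any EMV implementation), the following shows the shape of an offline PIN check: the reference PIN lives on the card, the terminal forwards what was typed on its PINpad, and no network link is consulted. The one control the model adds is a try counter on the card, modelled on the EMV PIN try counter, so that the card answers only match, no match or blocked; the PIN value and the limit of three tries are constructed.

```python
import hmac


class OfflinePinCard:
    """Card-side state for an offline PIN check (simplified model, not EMV code)."""

    MAX_TRIES = 3  # modelled on the EMV PIN try counter; constructed value

    def __init__(self, reference_pin: str):
        # Held on the chip; the network never sees it and it is never read back.
        self._reference_pin = reference_pin.encode()
        self.tries_left = self.MAX_TRIES

    def verify(self, candidate: str) -> str:
        """Answer only 'ok', 'wrong' or 'blocked'; the reference PIN is not returned."""
        if self.tries_left == 0:
            return "blocked"
        # Constant-time comparison; a length mismatch simply fails.
        if hmac.compare_digest(self._reference_pin, candidate.encode()):
            self.tries_left = self.MAX_TRIES  # a correct PIN resets the counter
            return "ok"
        self.tries_left -= 1
        return "blocked" if self.tries_left == 0 else "wrong"


def terminal_offline_transaction(card: OfflinePinCard, entered_pin: str,
                                 amount_pence: int) -> dict:
    """Terminal with no network link: the decision rests on the card's answer alone."""
    result = card.verify(entered_pin)
    return {
        "amount_pence": amount_pence,
        "pin_result": result,
        "authorised": result == "ok",
        "tries_left": card.tries_left,  # what a terminal could log for fraud monitoring
    }


if __name__ == "__main__":
    card = OfflinePinCard("1234")  # constructed PIN
    for attempt in ("0000", "1111", "2222", "1234"):
        print(terminal_offline_transaction(card, attempt, 1999))
```

The counter is the detail a defender looks for: three wrong guesses leave the card answering "blocked" even to the right PIN afterwards, which is why offline verification cannot be brute-forced by retrying at the terminal.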