Card Providers Say There's Nothing To Fear From Chip And Pin Hack

As expected, the organisation representing credit and debit card providers was quick to quell fears that the discovery of a potentially game-changing vulnerability in the card system that could allow criminals to make purchases without even knowing the card's PIN.

The UK Cards Association dismissed the threat that it considers to be theoretical and said in a statement that "[this complicated method] requires possession of a customer's card and unfortunately there are much simpler ways to commit fraud under these circumstances at much less risk to the criminal. This fraud is also detectable by the industry's systems."

The weakness is found in the so-called EMV (Eurocard, Mastercard and Visa) protocol and was carried out using a card reader, a first-generation Asus EEE PC 701 netbook, a specially designed FCPGA board and a the Chip and Pin device.

The "man in the middle attack" essentially tricks the terminal into thinking that the correct pin has been entered while the card is fooled into thinking that the transactionw as authorised with a signature.

Worryingly, the receipt printed out will carry the words "verified by PIN" which means that the financial institution (the bank or card issuer) will say that the transaction was a valid one.

However, it raises a significant issue for users, as Professor Ross Andersson highlights. Banks could (and have) decline refunds simply on the basis that their PIN has been used so that the onus is on the customer, not the bank.

Our Comments

The Cambridge researchers have already said that they are working on a remote control-size device that could be carried in one's pocket rather than the four separate devices needed. The BBC has also produced a film that shows how the attack is actually carried out.

Related Links

Chip and Pin fraud claims dismissed

(Pocket-lint)

PIN check in EMV protocol for EC and credit cards bypassed

(Gadgetell)

New flaws in chip and pin system revealed

(T3)

Can chip and PIN be fixed?

(9to5)