
Researchers reveal chip-and-pin payment vulnerability

Cambridge University researchers recently discovered a vulnerability in the chip-and-pin payment method, which is popular in Europe and Asia.

In a new paper, Cambridge University researchers found that the cards can be easily cloned, even though cloning is the very type of fraud the system was meant to prevent.

As noted by the BBC, the study blamed the flaw on poor implementation of cryptography methods, and accused some banks of systematically suppressing information about the vulnerabilities.

"Again and again, customers have complained of fraud and been told by the banks that as EMV [chip-and-pin payment] is secure, they must be mistaken or lying when they dispute card transactions," the paper said. "Again and again, the banks have turned out to be wrong."

In response to the new findings, the UK's Financial Fraud Action told the BBC that it had never claimed that chip-and-pin is 100 per cent secure, "and the industry has successfully adopted a multi-layered approach to detecting any newly identified types of fraud," a spokeswoman said.

Cambridge researchers pointed to a number of vulnerabilities that have been exploited by criminals.

"We report the shocking fact that many ATMs and point-of-sale terminals have seriously defective random number generators," the paper said.

Still, the Financial Fraud Action spokeswoman explained that this type of fraud would take considerable effort to set up, and involves a series of activities, "each of which carries a certain risk of detection and failure for the fraudster."

Despite being in almost universal use in Europe for 10 years, with more than a billion cards in issue, the method is just not gaining what the researchers called proper scrutiny from academics, media, and the industry.