A team of Cambridge computer researchers has discovered a flaw in the chip and PIN system used on most – if not all – credit and debit cards around the world.
The system is very simple and of such low sophistication that this warning should be taken very seriously by banks and credit card companies.
It works like this: the criminals take a stolen card, put it in an off-the-shelf card reader, which is in turn connected to a laptop and to a fake card. When the criminal has to make a payment, it inserts the fake card in the shop’s card reader.
The reader gets the reading from the stolen card, and when it asks for the PIN, the software on the laptop works its magic so that when any combination of numbers is entered, the result will be good.
“Essentially what it does is to exploit a flaw in the chip and pin system. It makes the terminal think the correct pin has been entered, and the card think the transaction was authorized with a signature,” says Dr Saar Drimer, one of the researchers.
The BBC reports that their journalist was permitted to try the system out in the Cambridge cafeteria. They put the hardware in a backpack, the wire connecting it with the fake card through the jacket sleeve, and the fake card in the hand. When it came time to pay, he inserted the card in the reader and entered “0000” instead of the real PIN. They tried with two different debit and credit cards – issued by Barclays, the Co-operative Bank, HSBC and John Lewis – and it worked like a charm every time!
This is not the first flaw in the chip and PIN system, but its simplicity makes it extremely dangerous.
“In practice how this attack would work is that one reasonably technically skilled person would build a device that carries out the attack and then sell this equipment on the internet just like criminals already do,” says Dr Steven Murdoch, another member of the team.
It is unknown it this kind of attack has been discovered already and used by criminals. Instances in which a card holders claims he or she hasn’t made the purchase but the transaction has been executed are not that rare, but no one can know for sure if this was the method used.
Banks and credit card companies have been warned, but they say there is little they could do for the moment. The Cambridge team is of the opinion that the banks should be forced to provide the entire trail in such transactions. They believe things should change and a upgrading of the chip and PIN system is long overdue.
“This latest revelation about chip and PIN cards has yet again called into question the confidence we can have in our banks and their attitude to our security. As we’ve seen in recent comments, banks are all trying to hide behind each other by claiming it’s an “industry issue’, so the question to be asked is: who is actually going to take responsibility for this?” asks Stephen Howes, CEO of GrIDsure.
“As we know, the banking industry is self regulated, so it can’t just bury its head in the sand especially when it’s responsible for policing its own fraud. Consumers are being forced to use a system that has been shown to be broken, and ultimately it will be consumers who suffer. The chip and PIN can no longer be considered a two factor solution and banks must consider making a wholesale change to their approach to fraud, which certainly won’t just take five minutes.”