Cambridge researchers show Chip and PIN system vulnerable to fraud

Feb 11, 2010
(PhysOrg.com) -- Researchers at the University of Cambridge Computer Laboratory have uncovered flaws in the Chip and PIN system that allow criminals to use stolen credit and debit cards without knowing the correct PIN.

Fraudsters can easily insert a "wedge" between the stolen card and terminal, which tricks the terminal into believing that the PIN was correctly verified. In fact, the fraudster can enter any PIN, and the transaction will be accepted, Steven Murdoch, Saar Drimer, Ross Anderson and Mike Bond have found.
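The wedge described above, and the issuer-side check that defeats it, as an added Python model that is not part of the article or the Cambridge team's work. The message names, the `card_saw_pin_verified` field and the keyed MAC are assumptions standing in for the real EMV data the card authenticates; the point is that the terminal's "PIN verified" claim and the card's own record can be reconciled by the issuer.

```python
import hmac, hashlib, json

ISSUER_KEY = b"constructed-card-issuer-key"  # constructed: secret shared by card and issuer

class Card:
    """Simplified chip: checks the PIN and MACs its own view of the transaction."""
    def __init__(self, pin):
        self.pin, self.pin_verified = pin, False
    def send(self, cmd, data=None):
        if cmd == "VERIFY":
            self.pin_verified = (data == self.pin)
            return "9000" if self.pin_verified else "63C0"
        if cmd == "GENERATE_AC":  # card authenticates what it actually observed
            record = {"amount": data, "card_saw_pin_verified": self.pin_verified}
            mac = hmac.new(ISSUER_KEY, json.dumps(record, sort_keys=True).encode(),
                           hashlib.sha256).hexdigest()
            return record, mac
        raise ValueError(cmd)

class Wedge:
    """The man-in-the-middle from the article: answers VERIFY itself, relays the rest."""
    def __init__(self, card):
        self.card = card
    def send(self, cmd, data=None):
        if cmd == "VERIFY":
            return "9000"  # terminal is told the PIN was correct; the card is never asked
        return self.card.send(cmd, data)

def terminal_transaction(channel, entered_pin, amount):
    """Terminal: verify the PIN over the channel, then request the cryptogram."""
    pin_ok = channel.send("VERIFY", entered_pin) == "9000"
    record, mac = channel.send("GENERATE_AC", amount)
    return {"terminal_cvm_result": "PIN verified" if pin_ok else "PIN failed",
            "card_record": record, "mac": mac}

def issuer_check(tx):
    """Issuer: verify the card's MAC, then reject if terminal and card disagree on the PIN."""
    expected = hmac.new(ISSUER_KEY, json.dumps(tx["card_record"], sort_keys=True).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tx["mac"]):
        return "DECLINE: bad cryptogram"
    if tx["terminal_cvm_result"] == "PIN verified" and not tx["card_record"]["card_saw_pin_verified"]:
        return "DECLINE: terminal claims PIN verified but card did not verify one"
    return "APPROVE"

if __name__ == "__main__":
    print(issuer_check(terminal_transaction(Card("1234"), "1234", 100)))
    print(issuer_check(terminal_transaction(Wedge(Card("1234")), "0000", 100)))
```

The wedged transaction still prints "PIN verified" on the terminal side, which is exactly the receipt line the article describes; only the card's authenticated record exposes the mismatch.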

According to Dr Murdoch: "We have tested this attack against cards issued by most major UK banks. All have been found to be vulnerable."

Victims of this attack may have a difficult time being refunded by their bank. The receipt produced will state "Verified by PIN", and bank records will show that the correct PIN was used. Banks may then argue that the customer must have been negligent and had allowed the criminal to know their PIN.

Dr Drimer says: "The technical sophistication for carrying out this attack is low, and the compact equipment will not be noticed by shop staff. A single criminal can develop and industrialise a kit to be used by others who do not need to understand how the attack works."

The Cambridge attacks - being broadcast on BBC Two's Newsnight - call into question both the design of the Chip and PIN system, and the security of card payments. Victims of fraud are commonly told that bank systems can be relied upon. However, this attack shows that criminals are able to not only defraud customers, but cause bank systems to make the false assertion that the PIN was verified correctly.

Professor Anderson says: "Over the past five years, thousands of cardholders have had stolen chip and PIN cards used by criminals. The banks often tell customers that their PIN was used and so it's their fault. Yet we've shown that it's easy to use a card without knowing the PIN - and the receipt will say the transaction was 'verified by PIN' even though it wasn't."

"This is not just a failure of bank technology. It's a failure of bank regulation. The ombudsman supported the banks and the regulators have refused to do anything. They were just too eager to believe the banks."

The attack - including a demonstration of it being deployed in practice - will be featured on BBC Two's Newsnight at 10:30pm on Thursday 11 February 2010.

The Cambridge team's results are also to be presented at the academic conference "IEEE Symposium on Security and Privacy", Oakland, CA, US, in May 2010.
