A report by security researchers at Cambridge University have demonstrated a flaw in Chip and PIN technology,
It said that the flaw would allow a fraudster to use a genuine card to make a payment without knowing the card's PIN, and to remain undetected even when the merchant has an online connection to the banking network.
The fraudster would be able to perform a man-in-the-middle attack to trick the terminal into believing that the PIN verified correctly, while telling the issuing bank that no PIN was entered at all. This would not work at a cashpoint or ATM, but would allow for large purchases.
With the use of a man-in-the-middle device, which can intercept and modify the communications between card and terminal, a fraudster can trick the terminal into believing that PIN verification succeeded by responding with 0x9000 to Verify, without actually sending the PIN to the card.
The authors, Steven J. Murdoch, Saar Drimer, Ross Anderson and Mike Bond, concluded that the protocol is broken. Their report read: “This attack can be used to make fraudulent purchases on a stolen card. We have demonstrated that the live banking network is vulnerable by successfully placing a transaction using the wrong PIN. The records indeed falsely show that the PIN was verified successfully, and the money was actually withdrawn from an account.
“Attacks such as this could help explain the many cases in which a card has supposedly been used with the PIN, despite the customer being adamant that they have not divulged it. So far, banks have refused to refund such victims, because they assert that a card cannot be used without the correct PIN; this paper shows that their claim is false.”
The first issue of the security of Chip and PIN was raised by Actimize VP and head of Europe Bruno Piers De Raveschoot, who commented that the technology had caused a decline in fraud but because of the volume of roll-out, it was still high.
He said: “It is not currently being used in the US but is being trialled in Canada, the consensus from us is that in the US that it will increase fraud. The use of the card will be higher and people will feel more secure so they will use it more. People will also disclose PIN via phishing technique, a recent campaign saw 4,000 people respond to every phishing attack.”
Commenting on the report findings, Steve Brunswick, strategy manager at Thales information systems security, commented that consumers should not lose faith in credit card security.
He said: “No security system can claim to be completely bulletproof - there is always a three-way trade off between cost, ease of use and security and the industry is constantly looking for improvements. Consequently, the aim of security systems is not to make security unbreakable but to make it unprofitable for criminals to attempt to break it.
“These recent findings should be discussed. However, the bigger problem lies not with Chip and PIN technology itself, but rather with the differing levels of adoption of advanced security technologies and procedures across the industry. The Cambridge scientists' research provides interesting insight and could be an important input to future revisions of card security technologies.”
Stephen Howes, CEO of GrIDsure, believed that the research showed that Chip and PIN cards can no longer be considered as a two factor authentication method.
He said: “This latest revelation about Chip and PIN cards has yet again called into question the confidence we can have in our banks and their attitude to our security. As we have seen in recent comments, banks are all trying to hide behind each other by claiming it's an ‘industry issue', so the question to be asked is: who is actually going to take responsibility for this?
“As we know, the banking industry is self regulated, so it can't just bury its head in the sand especially when it's responsible for policing its own fraud. Consumers are being forced to use a system that has been shown to be broken, and ultimately it will be consumers who suffer.
“These Cambridge scientists have unearthed a fundamental flaw in the system and I think most people will be gobsmacked. Effectively they've discovered that Chip and PIN can no longer be considered a two factor solution and banks must consider making a wholesale change to their approach to fraud, which certainly won't just take five minutes.”