Cambridge researchers show Chip and PIN system vulnerable to fraud
15 Feb 2010
Researchers at the University of Cambridge Computer Laboratory have uncovered flaws in the Chip and PIN system that allow criminals to use stolen credit and debit cards without knowing the correct PIN.
Fraudsters can easily insert a "wedge" between the stolen card and terminal, which tricks the terminal into believing that the PIN was correctly verified. In fact, the fraudster can enter any PIN, and the transaction will be accepted, Steven Murdoch, Saar Drimer, Ross Anderson and Mike Bond have found.
According to Dr Murdoch, "We have tested this attack against cards issued by most major UK banks. All have been found to be vulnerable."
Victims of this attack may have a difficult time being refunded by their bank. The receipt produced will state "Verified by PIN", and bank records will show that the correct PIN was used. Banks may then argue that the customer must have been negligent and had allowed the criminal to know their PIN.
Dr Drimer says: "The technical sophistication for carrying out this attack is low, and the compact equipment will not be noticed by shop staff. A single criminal can develop and industrialise a kit to be used by others who do not need to understand how the attack works."
The Cambridge attacks - being broadcast on BBC Two's Newsnight - call into question both the design of the Chip and PIN system, and the security of card payments. Victims of fraud are commonly told that bank systems can be relied upon. However, this attack shows that criminals are able to not only defraud customers, but cause bank systems to make the false assertion that the PIN was verified correctly.