
"Fundamental" flaw found in chip-and-pin systems

12th Feb 2010

Experts at Cambridge University have discovered a fundamental design flaw in chip-and-pin card readers, sparking fears that the defect could be exploited to perpetrate fraud on a massive scale.

More than 90% of point-of-sale card transactions in the UK are now conducted using chip-and-pin systems, according to the UK Payments Administration, which represents the interests of payment card companies. In 2008, plastic cards were used to make 7.4 billion purchases, worth a total of £380 billion.

But Cambridge academics have now found a way to trick the system into thinking that the correct pin number has been entered by exploiting the way that remote readers communicate with the main shop terminal.

Flaws in the Europay, Mastercard and Visa (EMV) protocol, which enables chip-and-pin transactions to be validated, mean that third-party devices can be introduced between the readers and terminals to intercept communications.

Such breaches are known as "man-in-the-middle" attacks and would allow fraudsters to use stolen credit or debit cards by simply entering four zeros. The cards tested were issued by Barclaycard, the Co-op Bank, the Halifax, Bank of Scotland, HSBC and John Lewis.

Ross Anderson, professor of security engineering at Cambridge University, told the BBC’s Newsnight programme: "Chip-and-pin is fundamentally broken. We think this is one of the biggest flaws that we’ve uncovered – that has ever been uncovered – against payment systems, and I’ve been in this business for 25 years."

The researchers, who have already contacted the banks about the problem, said that the programming skills required to build a ‘man-in-the-middle’ device were relatively simple.

But the UK Payments Administration rejected the conclusions found in their paper entitled 'Chip and PIN is Broken'. It said that there was no evidence that such attacks were not happening in UK stores today, although the research would help it to evaluate the direction in which criminals may move.

