[Infowarrior] - Chip and PIN system is vulnerable to fraud

Richard Forno rforno at infowarrior.org
Fri Feb 12 13:25:55 UTC 2010 

Cambridge researchers show that the Chip and PIN system is vulnerable  
to fraud
Thursday, 11 February 2010

Steven J. Murdoch, Saar Drimer, Ross Anderson and Mike Bond,  
researchers at the Computer Laboratory, University of Cambridge, have  
shown that flaws in the Chip and PIN system allow criminals to use  
stolen credit and debit cards, without knowing the correct PIN.

Fraudsters can easily insert a “wedge” between the stolen card and  
terminal, which tricks the terminal into believing that the PIN was  
correctly verified. In fact, the fraudster can enter any PIN, and the  
transaction will be accepted.

Murdoch says, “We have tested this attack against cards issued by most  
major UK banks. All have been found to be vulnerable.”

Victims of this attack may have a difficult time being refunded by  
their bank. The receipt produced will state “Verified by PIN”, and  
bank records will show that the correct PIN was used. Banks may then  
argue that the customer must have been negligent and had allowed the  
criminal to know their PIN.

Drimer says, “The technical sophistication for carrying out this  
attack is low, and the compact equipment will not be noticed by shop  
staff. A single criminal can develop and industrialize a kit to be  
used by others who do not need to understand how the attack works.”

The Cambridge attacks call into question both the design of the Chip  
and PIN system, and the security of card payments. Victims of fraud  
are commonly told that bank systems can be relied upon. However, this  
attack shows that criminals are able to not only defraud customers,  
but cause bank systems to make the false assertion that the PIN was  
verified correctly.

Anderson said "Over the past five years, thousands of cardholders have  
had stolen chip and pin cards used by criminals. The banks often tell  
customers that their pin was used and so it's their fault. Yet we've  
shown that it's easy to use a card without knowing the pin - and the  
receipt will say the transaction was 'verified by pin' even though it  
wasn't."

Anderson continued "This is not just a failure of bank technology.  
It's a failure of bank regulation. The ombudsman supported the banks  
and the regulators have refused to do anything. They were just too  
eager to believe the banks."

The attack will be featured on Newsnight, including a demonstration of  
it being deployed in practice. Watch BBC Two, 10:30pm, Thursday 11  
February 2010.

The Cambridge team's results are also to be presented at the the  
academic conference “IEEE Symposium on Security and Privacy”, Oakland,  
CA, US, May 2010.

Notes for editors
	• For more information on Chip and PIN wedge attacks, please see our  
webpage on this topic:
http://www.cl.cam.ac.uk/research/security/projects/banking/nopin/
	• The academic paper, accepted for a peer-reviewed conference, can be  
found at:
http://www.cl.cam.ac.uk/research/security/projects/banking/nopin/oakland10chipbroken.pdf
	• The latest version of this press release can be found at:
http://www.cl.cam.ac.uk/research/security/projects/banking/nopin/press-release.html
	• For any further questions, please contact:

Dr Saar Drimer
phone: 01223 763 532
mobile: 07779 606 045
website: http://www.cl.cam.ac.uk/users/sd410/
email: Saar.Drimer at cl.cam.ac.uk

Professor Ross Anderson
phone: 01223 334 733
mobile: 0791 905 8248
website: http://www.cl.cam.ac.uk/users/rja14/
email: Ross.Anderson at cl.cam.ac.uk

Dr Steven J. Murdoch
website: http://www.cl.cam.ac.uk/users/sjm217/
email: Steven.Murdoch at cl.cam.ac.uk

More information about the Infowarrior mailing list