Latest Expert Witness News

Chip and PIN transactions vulnerable for stolen cards

Cambridge University security expert Professor Ross Anderson has blasted the worldwide EMV system used for credit and debit card transactions, known in the UK as Chip and PIN. The Professor's research team demonstrated a serious vulnerability: purchases could be made with a card without knowing its personal identification number (PIN), by using a "man-in-the-middle" interceptor.

When a purchase is made, the cardholder is required to insert their card and enter their secret PIN before the transaction can be authorised. The terminal then communicates with the microchip built into the card itself, which holds the PIN. If the correct number has been entered, the chip returns a standard verification code to the terminal.

To test this, the researchers inserted a genuine card into a second reader connected to a laptop. The laptop was linked by thin wires to a fake card, which was inserted into the retailer's terminal. The laptop relayed the communications between the terminal and the stolen but genuine card up until the stage where the PIN was to be checked. At that point it intercepted the check and responded with the verification code itself, eliminating the need for a correct PIN.

Various bank cards were tested, all with the same result.

The technical skill required for the attack is minimal. It has been suggested that the equipment needed could be kept in a backpack, with the wires to the fake card running down the user's sleeve. The researchers also believe the equipment could be miniaturised to the size of a remote control.

Professor Anderson believes such fraudulent misuse may already have occurred, with bank customers adamant that their cards have been used in fraudulent Chip and PIN transactions.

The research paper has been made available as a working draft, and is due to be published at the IEEE Security and Privacy Symposium in May 2010.

Copyright © 2012 Expert Witness.