RSS Alerts

Share

More services

Related Links

Related Stories

  • Chip & PIN invades Australia
    The Chip & PIN system pioneered by French banks in the 1980s - and rolled out across the UK and Europe in recent years - is to be extended to payment cards in Australia, Visa's operation there has announced.
  • Eight million chip and PIN users at risk of ID fraud
    Research carried out by LV (formerly Liverpool & Victoria) Home Insurance claims that, over the last 12 months, eight million adults in the UK have given their cards - plus their PIN details - to someone else to make a purchase on their behalf or get cash from an ATM leaving the vulnerable to ID fraud.
  • Row breaks out over alleged Chip and PIN security flaw censorship
    A row that has been brewing between the payment card 'establishment' and researchers with Cambridge University, who have previously claimed that the Chip & PIN security system seen in UK bank payment cards is flawed, has spilled out into the open.
  • Comment: Is the US Next to Implement Chip and PIN?
    Jose Diaz of Thales e-Security discusses the potential migration to Chip and PIN in the US. Diaz explains how this transition could improve security of our payments infrastructure.
  • Judge rules in favour of bank in first UK phantom ATM withdrawal case
    A judge has ruled in favour a UK bank after a customer took the bank to court regarding eight ATM withdrawals that he claimed he did not make.

Top 5 Stories

News

Chip and PIN systems `broken' claim university researchers

12 February 2010

Ross Anderson and his team at Cambridge University have been reporting on security and operational flaws on the UK's Chip and PIN card authentication system for some time, but now they have published their full report on the technology.

And, the Cambridge researchers claim, after testing their theories in a live retail environment, they have concluded that the system is crackable and therefore "broken" in the several places.

At the heart of Chip & PIN's alleged multiple flaws lies the fact that the PIN – in a heavily encrypted format – is held on the card itself, rather than on the bank computer network, as was originally planned in the earliest days of PIN-based card authentication systems in the 1970s.

Because of this, Anderson and Steven Murdoch and his colleagues have developed a methodology by which a card can be inserted into a retail terminal and, when a PIN is input into the terminal and the terminal 'pings' the card's chipset to verify the encrypted on-card PIN, the data stream can be intercepted.

In a series of demonstrations, Murdoch and his team were able to input a PIN of four zeroes into the card terminal in a university shop, intercepting the data stream in such a way that the terminal returned a positive affirmation that the PIN was correct.

In a BBC TV Newsnight demonstration last evening, the researchers 'cracked' the PINs of two credit and two debit cards in the wallets of a BBC camera crew person, using a PIN of 0000 in all cases.

The actual PINs used by the card owners were different, but by intercepting the card interrogation data stream, the research team was able to fool the terminal – and the bank card network – into thinking a PIN verification had taken place, and the transactions were then authorised.

Murdoch said: "We have tested this attack against cards issued by most major UK banks. All have been found to be vulnerable."

The discovery places some severe question marks over the existing Chip and PIN design and its security methodology, Infosecurity notes.

Cambridge's Anderson said: "Over the past five years, thousands of cardholders have had stolen Chip and PIN cards used by criminals. The banks often tell customers that their pin was used and so it's their fault."

"Yet we've shown that it's easy to use a card without knowing the pin – and the receipt will say the transaction was `verified by PIN' even though it wasn't."

According to Anderson, this is not just a failure of bank technology. It's a failure of bank regulation.

"The ombudsman supported the banks and the regulators have refused to do anything. They were just too eager to believe the banks."

Stephen Howes, CEO of Gridsure, the developers of a pictorial alternative to the numeric PIN system, and a long-standing critic of Chip and PIN, believes that the Cambridge research has shown that Chip and PIN cards can no longer be considered as a two-factor authentication method.

"This latest revelation about Chip and PIN cards has yet again called into question the confidence we can have in our banks and their attitude to our security", he said.

"As we've seen in recent comments, banks are all trying to hide behind each other by claiming it's an 'industry issue', so the question to be asked is: Who is actually going to take responsibility for this?"

According to Howes: "as we know, the banking industry is self regulated, so it cannot just bury its head in the sand, especially when its responsible for policing its own fraud."

"Consumers are being forced to use a system that has been shown to be broken, and ultimately it will be consumers who suffer", he explained.

"These Cambridge scientists have unearthed a fundamental flaw in the system and I think most people will be gobsmacked", he said.

"Effectively they've discovered that Chip and PIN can no longer be considered a two-factor solution and banks must consider making a wholesale change to their approach to fraud, which certainly wont just take five minutes", he added.

This article is featured in:
Compliance and Policy  • Data Loss  • Encryption

 

Comments

Steve Brunswick says:

18 February 2010
Despite Cambridge University computer scientists’ discovery, consumers should not lose faith in credit card security. Chip and PIN is by far and away the most secure way of protecting payment transactions currently available.

No security system can claim to be completely bulletproof - there is always a three-way trade off between cost, ease of use and security and the industry is constantly looking for improvements. Consequently, the aim of security systems is not to make security unbreakable but to make it unprofitable for criminals to attempt to break it. The benefits of Chip and PIN are proven. Once the UK adopted Chip and PIN in 2003, losses on UK high street transactions reduced by 55 per cent by 2008. However, not all countries have followed suit and the US, for example, still use magnetic stripe cards with signature verification. Verification by signature remains an option even for EMV cards, and it is the availability of this weaker security that has been exploited by the attack highlighted by Cambridge University.

These recent findings should be discussed. However, the bigger problem lies not with Chip and PIN technology itself, but rather with the differing levels of adoption of advanced security technologies and procedures across the industry. The Cambridge scientists’ research provides interesting insight and could be an important input to future revisions of card security technologies.

Steve Brunswick, Strategy Manager, Thales Information Systems Security

Note: The majority of comments posted are created by members of the public. The views expressed are theirs and unless specifically stated are not those Elsevier Ltd. We are not responsible for any content posted by members of the public or content of any third party sites that are accessible through this site. Any links to third party websites from this website do not amount to any endorsement of that site by the Elsevier Ltd and any use of that site by you is at your own risk. For further information, please refer to our Terms & Conditions.

Comment on this article

You must be registered and logged in to leave a comment about this article.

Terms & Conditions |Privacy |Website Design|Reed Exhibitions. All rights reserved. Copyright © 2012