Chip and PIN credit and debit card readers can be tricked into accepting transactions without a valid personal identification number, researchers have found.
Experts at Cambridge University have found a fundamental flaw in the system that could open the door to fraud on a massive scale. They have come up with a way to trick the system into thinking the correct PIN has been entered by exploiting the way the remote reader talks to the main shop terminal.
This would effectively allow fraudsters to use stolen credit cards despite not knowing the PIN. “Chip and PIN is fundamentally broken,” Professor Ross Anderson of Cambridge University said.
“We think this is one of the biggest flaws that we’ve uncovered – that has ever been uncovered – against payment systems, and I’ve been in this business for 25 years.”
The researchers conducted an attack that succeeded in tricking a card reader into authenticating a transaction, even though no valid PIN was entered. While they did not want to give away the exact way it works, they have called it a “man in the middle” attack, and it involves having a separate card reader in a backpack.
The fraudster puts the stolen credit or debit card into the shop’s reader, but then the second reader in his backpack sends a PIN-okay signal to the shop terminal. The shop terminal then sends back a transaction go-ahead signal to the terminal with the stolen card, and money is taken off it.
“Essentially what it does is to exploit a flaw in the Chip and PIN system,” Saar Drimer, one of the Cambridge team, said. “It makes the terminal think the correct PIN has been entered, and the card think the transaction was authorised with a signature.
“At the end the receipt says ‘verified by PIN’ so the bank is going to think the PIN is entered directly, but the criminal actually did not know the PIN.”
The researchers, who have contacted banks about the loophole, said the engineering and programming skills necessary to make a man-in-the-middle device to conduct the attack are relatively simple.
“The attack doesn’t require too much technical skill [to emulate],” said Steven Murdoch, who also took part in the Cambridge University research.
Over the past few years, the Cambridge team has uncovered a series of weaknesses in the system, which has been running since 2004. Two years ago they showed that criminals could tap into the communications between a PIN terminal and a customer’s card, and read off sufficient information to create a cloned card.
“The first thing that banks should do is fix this vulnerability,” said Mr Murdoch. There are ways they could upgrade the Chip and PIN system that would prevent this attack working for most transactions in the UK, he said.