
Chip and PIN system proven to be flawed

24 February, 2010


According to research by a group of experts at the Computer Laboratory of Cambridge University, the Chip and PIN system is flawed, allowing criminals to use stolen credit and debit cards without knowing the correct PIN.

Thieves can easily build a device that intercepts and modifies communications between a card and a point-of-sale terminal, making the terminal believe the PIN was correctly verified when in fact any PIN could be entered and the transaction would be accepted.

"The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it's doing a chip-and-signature transaction while the terminal thinks it's chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists' cards. The transactions went through fine and the receipts say 'Verified by PIN'," said Professor Ross Anderson, one of the researchers.

The attacks can succeed against cards used online (a merchant POS contacting the bank) and offline, for any amount of money, and against bank schemes based on EMV (Europay, MasterCard, Visa). They would not work at ATMs or with cards that have already been cancelled by the bank.

The researchers conclude that the attacks are possible due to "a lack of authentication on the PIN verification response, coupled with an ambiguity in the encoding of the result of cardholder verification as included in the TVR (Terminal Verification Results)".
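
The disagreement between the card's and the terminal's view of cardholder verification can be looked for on the issuer side. The following is an added example, not code from this article or from the researchers' paper: a simplified Python model in which `AuthRecord`, its `card_saw_offline_pin` field and the sample records are constructed assumptions, while the CVM Results and TVR byte 3 layouts follow the EMV specification.

```python
from dataclasses import dataclass

# CVM Results (EMV tag 9F34): byte 1 low 6 bits = method, byte 3 = outcome.
OFFLINE_PIN_METHODS = {0x01, 0x03, 0x04, 0x05}  # PIN checked by the card itself
CVM_SUCCESSFUL = 0x02

# TVR byte 3: every defined bit reports a failure or exception. No bit says
# which verification method succeeded, which is the ambiguity quoted above.
TVR_BYTE3_FLAGS = {
    0x80: "cardholder verification was not successful",
    0x40: "unrecognised CVM",
    0x20: "PIN try limit exceeded",
    0x10: "PIN entry required, PIN pad not present or not working",
    0x08: "PIN entry required, PIN pad present, PIN not entered",
    0x04: "online PIN entered",
}

@dataclass
class AuthRecord:               # hypothetical issuer-side record
    txn_id: str
    cvm_results: bytes          # terminal's view (3 bytes)
    tvr: bytes                  # terminal's TVR as given to the card (5 bytes)
    card_saw_offline_pin: bool  # assumption: decoded from issuer-specific card data

def terminal_claims_offline_pin(cvm_results: bytes) -> bool:
    if len(cvm_results) != 3:
        raise ValueError("CVM Results must be 3 bytes")
    method = cvm_results[0] & 0x3F
    return method in OFFLINE_PIN_METHODS and cvm_results[2] == CVM_SUCCESSFUL

def tvr_cvm_flags(tvr: bytes) -> list:
    if len(tvr) != 5:
        raise ValueError("TVR must be 5 bytes")
    return [name for bit, name in TVR_BYTE3_FLAGS.items() if tvr[2] & bit]

def find_mismatches(records) -> list:
    """Transactions where the terminal recorded offline PIN success but the card did not."""
    return [r.txn_id for r in records
            if terminal_claims_offline_pin(r.cvm_results) and not r.card_saw_offline_pin]

# Constructed sample records, not real transaction data.
SAMPLE = [
    AuthRecord("T1", bytes.fromhex("410302"), bytes(5), True),   # offline PIN, both agree
    AuthRecord("T2", bytes.fromhex("1E0300"), bytes(5), False),  # signature, both agree
    AuthRecord("T3", bytes.fromhex("410302"), bytes(5), False),  # views disagree
]

if __name__ == "__main__":
    print("TVR flags per record:", [tvr_cvm_flags(r.tvr) for r in SAMPLE])
    print("Mismatched transactions:", find_mismatches(SAMPLE))
```

All three sample records carry an identical, all-zero TVR, so the TVR alone cannot separate them; only the comparison of the two views singles out T3.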

The main problem is that banks refuse to refund victims of this type of attack because they state that a card cannot be used without the correct PIN, which, as the paper shows, is not true.

"This is not just a failure of bank technology. It's a failure of bank regulation. The ombudsman supported the banks and the regulators have refused to do anything. They were just too eager to believe the banks," stated Anderson.

Chip and PIN is broken (11.02.2010)
http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/

Chip and PIN is Broken (draft for the 2010 IEEE Symposium on Security and Privacy)
http://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipb...

Cambridge researchers show that the Chip and PIN system is vulnerable to fraud (11.02.2010)
http://www.cl.cam.ac.uk/research/security/banking/nopin/press-release....

Chip and pin card readers fundamentally flawed (11.02.2010)
http://www.telegraph.co.uk/science/science-news/7215920/Chip-and-pin-c...

Chip and PIN is broken, say researchers (11.02.2010)
http://news.zdnet.co.uk/security/0,1000000189,40022674,00.htm

With financial support from the EU's Fundamental Rights and Citizenship Programme.