Chip And PIN Is ‘Broken’, Researchers Claim

Researchers at Cambridge University have uncovered a flaw in the Chip and PIN payment system that allows fraudsters to use stolen credit and debit cards without knowing the PIN number.

The flaw can be exploited by a man-in-the-middle attack, in which the signal sent out by a shop’s card reader during a transaction is intercepted by a separate card reader concealed in the fraudster’s bag. The second reader sends a “PIN verified” signal back to the shop terminal, so the terminal authenticates the transaction even though no code has been entered.

“The technical sophistication for carrying out this attack is low, and the compact equipment will not be noticed by shop staff,” warned Saar Drimer, one of the Cambridge researchers. “A single criminal can develop and industrialise a kit to be used by others who do not need to understand how the attack works.”

The discovery is likely to undermine people’s confidence in the security of the Chip and PIN system, which was introduced in 2004 to reduce card fraud when written signatures were deemed too easy to forge. The flaw could potentially lead to an increase in the number of cases of credit card fraud in the UK, researchers warn.

“We have tested this attack against cards issued by most major UK banks. All have been found to be vulnerable,” said Steven Murdoch, one of the authors of the paper.

Cambridge researcher Ross Anderson also warned that banks often turn down claims from victims of fraud in cases when the PIN number has been used. “Over the past five years, thousands of cardholders have had stolen Chip and PIN cards used by criminals. The banks often tell customers that their PIN was used and so it’s their fault,” he said.

The researchers are playing up the importance of this discovery, claiming that “Chip and PIN is fundamentally broken,” and describing it as “One of the biggest flaws that we’ve uncovered – that has ever been uncovered – against payment systems.”

However, the UK Cards Association has dismissed the claim, saying that the scam would be very difficult to pull off in reality. “It requires possession of a customer’s card and unfortunately there are much simpler ways to commit fraud under these circumstances at much less risk to the criminal. This fraud is also detectable by the industry’s systems,” a spokeswoman told the Press Association.
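The attack described above leaves a tell-tale inconsistency: the shop terminal believes a PIN was verified, while the card itself never saw one and records a different verification method in the data it protects with its transaction cryptogram. The Cards Association’s claim that such fraud “is detectable by the industry’s systems” rests on reconciling those two views at the issuer. The following is an added illustration of that reconciliation, not code from the Cambridge paper, any bank or any card scheme; the record layout (`terminal_cvm`, `card_cvm`, `cryptogram_valid`) is a simplified, constructed abstraction of the EMV data an issuer receives, and the sample transactions are made up.

```python
"""Issuer-side reconciliation of cardholder-verification claims.

Added example (not from the original article or the research paper).
Assumed, simplified authorisation record:
  terminal_cvm     - verification method the terminal reports it performed
  card_cvm         - method the card believed was used, carried in data the
                     card signs with its cryptogram, so a relay device in the
                     middle cannot alter it without breaking the cryptogram
  cryptogram_valid - whether the card's cryptogram verified at the issuer
A PIN-bypass relay produces terminal_cvm == "pin" with card_cvm != "pin".
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

PIN = "pin"
SIGNATURE = "signature"
NO_CVM = "none"


@dataclass(frozen=True)
class AuthRecord:
    """One authorisation request as the issuer sees it (constructed schema)."""
    txn_id: str
    amount_pence: int
    terminal_cvm: str
    card_cvm: str
    cryptogram_valid: bool


def classify(rec: AuthRecord) -> str:
    """Decide what to do with one authorisation request.

    Order matters: an invalid cryptogram is rejected before any CVM logic,
    because without a valid cryptogram the card-side fields cannot be trusted.
    """
    if not rec.cryptogram_valid:
        return "reject:bad-cryptogram"
    # The signature of the relay attack: terminal says PIN, card disagrees.
    if rec.terminal_cvm == PIN and rec.card_cvm != PIN:
        return f"reject:pin-claimed-but-card-saw-{rec.card_cvm}"
    # Any other disagreement is unexpected and worth a human look,
    # but is not the PIN-bypass pattern, so it is routed to review.
    if rec.terminal_cvm != rec.card_cvm:
        return "review:cvm-mismatch"
    return "accept"


def find_suspect(records: Iterable[AuthRecord]) -> List[Tuple[str, str]]:
    """Return (txn_id, decision) for every record that is not a clean accept."""
    return [(r.txn_id, classify(r)) for r in records if classify(r) != "accept"]


# Constructed sample: a genuine PIN purchase, a genuine signature purchase,
# a PIN-bypass relay, and a forged cryptogram.
SAMPLE_RECORDS = [
    AuthRecord("T1001", 1299, PIN, PIN, True),
    AuthRecord("T1002", 4500, SIGNATURE, SIGNATURE, True),
    AuthRecord("T1003", 89900, PIN, SIGNATURE, True),   # relay: terminal fooled
    AuthRecord("T1004", 2000, PIN, PIN, False),         # cryptogram does not verify
]

if __name__ == "__main__":
    for txn_id, decision in find_suspect(SAMPLE_RECORDS):
        print(txn_id, decision)
```

Running the block flags only the relay and the forged-cryptogram records. The design point is that the card-side field is bound by the cryptogram, so a device sitting between card and terminal can lie to the terminal but cannot change what the issuer sees from the card; detection therefore belongs at the issuer, not in the shop.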

Last year a hole was found in the secure sockets layer (SSL) protocol, enabling man-in-the-middle attackers to inject data into encrypted sessions. According to security researcher Chris Paget, hackers could exploit this flaw by breaking into shared hosting environments, mail servers and databases, and inserting text into encrypted traffic as it passed between two end users.

“An attacker who has the ability to inject a single arbitrary-length request into a stream of SQL [structured query language] queries and responses would be devastating,” said Paget in a blog post. “Your implementation of SSL can be completely compliant with the protocol, completely immune to code-level vulnerabilities, completely fine at managing its keys, and using ciphers that are completely unbroken, and you are still vulnerable.”

The Internet Engineering Task Force (IETF) finally fixed the vulnerability in January.

Sophie Curtis