Chip and PIN credit card attack leaves banks on shaky ground according to one analyst, although oddly enough the banks appear to disagree.
Researchers at the University of Cambridge Computer Laboratory have revealed how the Chip and PIN credit card security system is flawed and left vulnerable to fraud. Steven Murdoch, Saar Drimer, Ross Anderson and Mike Bond, the researchers in question, have apparently tested the 'wedge' attack scenario against cards issued by most of the mainstream banks in the UK and found them all to be equally vulnerable.
Dr Drimer told Physorg that "The technical sophistication for carrying out this attack is low, and the compact equipment will not be noticed by shop staff. A single criminal can develop and industrialise a kit to be used by others who do not need to understand how the attack works".
That said, it isn't quite as straightforward as it might at first sound from that description. As I understand it, the wedge attack involves attaching a circuit board with a chip/transmitter (which can apparently be concealed up your sleeve) onto the chip on the credit card, which allows the user to key any number into the PIN machine to gain authorisation. The user must also wear a backpack with a computer inside, which does the necessary and sends a signal to the terminal, via the attached circuit board, that all is well.
The UK Cards Association, which acts as a trade body for the banks, told the Daily Mail that it did not believe the threat was a serious one, saying "We believe that this complicated method will never present a real threat to our customers' cards".
However, Jay Abbott, a director at PricewaterhouseCoopers LLP, is not so sure. "Essentially, what the scientists have come up with is a very effective and simple way of exploiting weaknesses in the system" he explains, adding that he agrees that the fraud does require a very specific scenario to become effective. "A number of electronic components are involved that require concealment, therefore the fraudster must remain in contact with the card at all times. A simple process change by the retailer of asking for the card holder to hand over the card would break the circuit, although this possibility can be eliminated if the card reader is fixed to a point on the other side of the counter" Abbott says.
When it comes to the reaction of the banks, Abbott seems a little surprised, insisting that "At present, the customer is accountable for the fraud as banks argue that PIN-verified transactions are secure. Given this attack demonstrates a clear method of bypassing the PIN system, this assertion by the banks stands on shakier ground".
I'm a hacker turned writer and consultant, specialising in IT security. I've been a freelance word punk for over 20 years and along the way I have seen 23 of my books published, produced and presented programmes for TV and radio, picked up a bunch of awards and continue being a contributing editor with PC Pro - the best selling IT magazine in the UK.
Problem with his statement regarding making the vendor ask for the card to be handed over is as follows:-
Skimming cards in the past has created a sea change whereby the cardholder can keep hold of his card, placing it in the reader, and never hand it to staff (who might skim it).
Net result - the crims are ahead of the game. Always.
About time us humans all get chipped?!?
Thanks for the post! Credit card holders should be more diligent when it comes to monitoring their accounts so they can track suspicious transactions made using their card. They should not take it for granted and the banks should implement tighter security so they can protect their customers.