Chip and PIN credit card attack leaves banks on shaky ground according to one analyst, although oddly enough the banks appear to disagree.

Researchers at the University of Cambridge Computer Laboratory have revealed how the Chip and PIN credit card security system is flawed and left vulnerable to fraud. Steven Murdoch, Saar Drimer, Ross Anderson and Mike Bond, the researchers in question, have apparently tested the 'wedge' attack scenario against cards issued by most of the mainstream banks in the UK and found them all to be equally vulnerable.

Of course, this is not the first time that cards have been compromised. It was 18 months ago that I was reporting about chip and PIN protection being cracked like a rotten egg following the bust of a card skimming factory. But that required a foreign loophole to come into play, and this new attack vector is different, much more direct and seemingly much more dangerous. More dangerous, even, than the Tesco supermarket chip and PIN machine tampering case I wrote about at the end of 2008.

Dr Drimer told Physorg that "The technical sophistication for carrying out this attack is low, and the compact equipment will not be noticed by shop staff. A single criminal can develop and industrialise a kit to be used by others who do not need to understand how the attack works".

That said, it isn't quite as straightforward as it might at first sound from that description. As I understand it, the wedge attack involves attaching a circuit board with a chip/transmitter (which can be concealed up your sleeve apparently) onto the chip on the credit card which allows the user to key any number into the PIN machine to gain authorisation. The user must also wear a backpack with a computer inside which does the necessary and sends a signal to the terminal, via the attached circuit board, that all is well.

The UK Cards Association, which acts as a trade body for the banks, told the Daily Mail that it did not believe the threat was a serious one, saying "We believe that this complicated method will never present a real threat to our customers' cards".

However, Jay Abbott, a director at PricewaterhouseCoopers LLP, is not so sure. "Essentially, what the scientists have come up with is a very effective and simple way of exploiting weaknesses in the system" he explains, adding that he agrees that the fraud does require a very specific scenario to become effective. "A number of electronic components are involved that require concealment, therefore the fraudster must remain in contact with the card at all times. A simple process change by the retailer of asking for the card holder to hand over the card would break the circuit, although this possibility can be eliminated if the card reader is fixed to a point on the other side of the counter" Abbott says.

When it comes to the reaction of the banks, Abbott seems a little surprised, insisting that "At present, the customer is accountable for the fraud as banks argue that PIN verified transactions are secure. Given this attack demonstrates a clear method of bypassing the PIN system, this assertion by the banks stands on shakier ground".


As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.


Problem with his statement regarding making the vendor ask for the card to be handed over is as follows:-
Skimming cards in the past has created a sea change whereby the cardholder can keep hold of his card, placing it in the reader, and never hand it to staff (who might skim it).
Net result - the crims are ahead of the game. Always.
About time us humans all get chipped?!?



Thanks for the post! Credit card holders should be more diligent when it comes to monitoring their accounts so they can track suspicious transactions made using their card. They should not take it for granted and the banks should implement tighter security so they can protect their customers.



I have been searching for a website like this in the field I am interested in. I am a big fan. I was thinking about creating my own blog about similar ideas for like-minded people.<snip>

Edited by crunchie: snipped url. keep it on-site
