Chip and PIN system proven to be flawed
This article is also available in:
Deutsch: Chip- und PIN-System bewiesenermaßen fehlerhaft
According to a research performed by a group of experts from the Computer Laboratory, of Cambridge University, the Chip and PIN system is flawed, allowing criminals to use stolen credit and debit cards, without knowing the correct PIN.
The thieves can easily create a device to modify and intercept communications between a card and a point-of-sale terminal, and making the terminal believe the PIN was correctly verified when actually any PIN could be introduced and the transaction would be accepted.
"The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it's doing a chip-and-signature transaction while the terminal thinks it's chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists' cards. The transactions went through fine and the receipts say "Verified by PIN," said Professor Ross Anderson, one of the researchers.
The attacks can be successful for cards used online (a merchant POS contacting the bank) and offline, for any amounts of money and to bank schemes based on EMV (Europay, MasterCard, Visa). They would not work on ATMs and with cards that have already been cancelled by the bank.
The research conclusion is that the attacks are possible due to "a lack of authentication on the PIN verification response, coupled with an ambiguity in the encoding of the result of cardholder verification as included in the TVR (Terminal Verification Results)".
The main problem is that banks refuse to refund victims of this type of attacks because they state that a card cannot be used without the correct PIN which, as the paper shows is not true.
"This is not just a failure of bank technology. It's a failure of bank regulation. The ombudsman supported the banks and the regulators have refused to do anything. They were just too eager to believe the banks," stated Anderson.
Chip and PIN is broken (11.02.2010)
Chip and PIN is Broken (draft for the 2010 IEEE Symposium on Security and
Cambridge researchers show that the Chip and PIN system is vulnerable to
Chip and pin card readers fundamentally flawed (11.02.2010)
Chip and PIN is broken, say researchers (11.02.2010)