A research team led by Professor Ross Anderson at Cambridge University has uncovered a serious vulnerability in Chip and PIN technology, also known as EMV (Eurocard, MasterCard and Visa), which is widely used in Europe to authenticate credit and debit card transactions.
The system requires the card holder to enter their secret four-digit PIN when making purchases; however, using a “man-in-the-middle attack”, Professor Anderson and his team were able to get a transaction accepted without knowing the PIN.
Their equipment was a card reader, an Asus Eee PC 701 netbook, and a Chip and PIN terminal. They inserted a genuine card into the reader, which was connected to the netbook, and connected the netbook by very thin wires to a fake card, which was then inserted into the Chip and PIN terminal.
In normal circumstances, the terminal only sees the standard verification code when the PIN is correct. What the researchers managed to do was have the netbook return that correct verification code to the terminal regardless of which PIN was entered.
It might sound complex, but according to the researchers it isn’t, and you don’t even need to be a highly skilled technical person to do it. They also claim that the setup could be modified to operate wirelessly, and that it might already be in use.
One of the main problems with Chip and PIN technology, highlighted by this research, is that the banks are so sure the technology is secure that they often refuse to refund losses on purchases made with the PIN, on the grounds that the PIN is supposed to be known only to the card holder.
However, as Professor Anderson and his team have shown, this assumption does not hold: they have proved that a card can be used without any knowledge of the PIN, and demonstrated it on BBC Newsnight.
The researchers informed the banks about this vulnerability in December. However, the banks are still claiming that Chip and PIN is secure. Dr Anderson doesn’t think so.
“The banks are wrong. All the banks are lying,” he said.
“They are maliciously and wilfully deceiving the customer. If there was any justice then the police would be looking into this. The system is not fit for purpose,” he added.
So be warned!