Card payment verification has “major” security loophole


Advertisements

The card payment industry has rejected claims by British researchers that a system used for validating in-person payments has a major security flaw.

Computer scientists at Cambridge University have been investigating the “chip and pin” system. That’s a branding name used in the country for EMV (Europay, Mastercard and Visa), a technology used increasingly around the world which combines a microchip on a debit or credit card with a card reading terminal which requires a four-digit PIN code. The idea is that a card can’t be cloned as the microchip can’t be duplicated.

The researchers say the flaw they’ve discovered is arguably the biggest payment system loophole of the past 25 years. While they’ve obviously not revealed the precise details, it takes advantage of the way that, if a card can’t be read, the user is often allowed to sign for the transaction (as was done before chips were introduced).

To carry out the scam, the crook would put the stolen card into a modified card-reader and carry it in a bag. The card-reader is then hooked up wirelessly to a laptop running the software needed for the scam.

The crook then presents a fake card for payment, typing any four-digit number into the keypad. The software and the card-reader in the bag send out signals which cause the shop’s terminal to believe the genuine has been used and verified with a PIN. However, the stolen card receives a signal which makes it believe the card hasn’t been recognized in the card-reader and the user has instead signed for the transaction.

The BBC show Newsnight demonstrated how the attack would work:

A spokesman for the UK Cards Association says the attack is technically possible but was too complicated to carry out in practice. He also said such attacks would be detected as fraudulent.

The researchers stand by their claims and say the most worrying aspect of the security flaw is that it could mean genuine claims for a refund by victims of card theft could be dismissed on the grounds that their PIN had been used in the fraudulent transaction.





4 Responses to Card payment verification has “major” security loophole

  1. Another great idea from this useless Government seriously Flawed like the UK Govt certified encryption used for protecting those Kingston Pen Drives

    which proved to be seriously Flawed remember?

    Is the same UK Govt certified encryption guarding all the Data Basses which this Government are constantly adding our personal information to?

    Makes you wonder where all the ‘Bank Money’ really went does it not?

  2. Another great idea from this useless Government seriously Flawed like the UK Govt certified encryption used for protecting those Kingston Pen Drives

    which proved to be seriously Flawed remember?

    Is the same UK Govt certified encryption guarding all the Data Basses which this Government are constantly adding our personal information to?

    Makes you wonder where all the 'Bank Money' really went does it not?

  3. This attack relies on the failback to the open-loop verification by signature, which is what’s used universally in the US. So, if it’s “broken” in rare and extreme cases, the system used in the US is broken 100% of the time. Chip & Pin is still a vast improvement over signature verification or mag stripe & PIN.

    It appears that the crucial difference is that in the US, the card carrier has limited liability and the bank is responsible for the rest.

    Not that this has caused the banks to behave in the interest of their account holders. It’s still absurdly easy to spend someone else’s money by knowing just a few simple details about them.

  4. This attack relies on the failback to the open-loop verification by signature, which is what's used universally in the US. So, if it's "broken" in rare and extreme cases, the system used in the US is broken 100% of the time. Chip & Pin is still a vast improvement over signature verification or mag stripe & PIN.

    It appears that the crucial difference is that in the US, the card carrier has limited liability and the bank is responsible for the rest.

    Not that this has caused the banks to behave in the interest of their account holders. It's still absurdly easy to spend someone else's money by knowing just a few simple details about them.