Card payment verification has “major” security loophole

The card payment industry has rejected claims by British researchers that a system used for validating in-person payments has a major security flaw.

Computer scientists at Cambridge University have been investigating the “chip and pin” system. That’s the UK branding for EMV (Europay, Mastercard and Visa), a technology used increasingly around the world which combines a microchip on a debit or credit card with a card-reading terminal that requires a four-digit PIN code. The idea is that the card can’t be cloned because the microchip can’t be duplicated.

The researchers say the flaw they’ve discovered is arguably the biggest payment system loophole of the past 25 years. While they’ve obviously not revealed the precise details, it takes advantage of the fact that, if a card can’t be read, the user is often allowed to sign for the transaction instead (as was done before chips were introduced).

To carry out the scam, the crook would put the stolen card into a modified card-reader and carry it in a bag. The card-reader is then hooked up wirelessly to a laptop running the software needed for the scam.

The crook then presents a fake card for payment, typing any four-digit number into the keypad. The software and the card-reader in the bag send out signals which cause the shop’s terminal to believe the genuine card has been used and verified with a PIN. At the same time, the stolen card receives a signal which makes it believe the PIN hasn’t been checked by the card-reader and the user has instead signed for the transaction.

The BBC show Newsnight demonstrated how the attack would work.

A spokesman for the UK Cards Association says the attack is technically possible but too complicated to carry out in practice. He also said such attacks would be detected as fraudulent.

The researchers stand by their claims and say the most worrying aspect of the security flaw is that genuine refund claims by victims of card theft could be dismissed on the grounds that their PIN had apparently been used in the fraudulent transaction.