Chip and Pin Secure? Think again!

[ Go back to normal view ]

BW2 :: the bitwise supplement :: http://www.bitwisemag.com/2

Chip and Pin Secure? Think again!
Time to go back to cash maybe?
11 February 2010
by Huw Collingbourne

I have to say I’ve never been enthused by ’chip and pin’ credit card verification. Maybe this has something to do with the fact that, shortly after my bank introduced this technology a few years ago, several thousand pounds mysteriously vanished from my bank account.

That money went via a telephone booking for a hotel in America (I was in Britain at the time) to a name not associated with my card and with no address being on record! So much for chip and pin. It simply doesn’t work over the phone.

But if you make a purchase ’face to face’, as it were, chip and pin must be secure, mustn’t it? The chip in your card is unique and your ’pin’ verification number is known only to you so what could go wrong?

Quite a lot, it seems. Researchers at my old University have come up with a simple machine that fools chip and pin readers into accepting any verification number you care to dream up. But maybe the devices needed to fool the cards are super difficult to make and require teams of propeller-headed boffins and huge stacks of money? Nope - alas not. According to Dr Steven Murdoch, one of the Cambridge team, "Even small scale criminal systems have better equipment than what we have. The amount of technical sophistication needed to carry out this attack is really quite low."

For more information, see the BBC web site.