Chip and PIN 'vulnerable to fraud'

Posted by Emma Woollacott

Criminals can successfully use credit and debit cards without knowing the correct PIN.

Researchers at the University of Cambridge Computer Laboratory have found that inserting a 'wedge' between the stolen card and the terminal tricks the terminal into believing that the PIN was correctly verified.

They discovered this in the line of duty, you understand.

In fact, the fraudster can enter any PIN, and the transaction will be accepted. According to Dr Steven Murdoch: "We have tested this attack against cards issued by most major UK banks. All have been found to be vulnerable."

Similar systems are used around the world.

Victims could have a hard time of it getting a refund from their bank. The receipt produced will state "Verified by PIN", and bank records will show that the correct PIN was used. Banks may then argue that the customer must have been negligent and had allowed the criminal to know their PIN.

"The technical sophistication for carrying out this attack is low, and the compact equipment will not be noticed by shop staff," says Dr Saar Drimer. "A single criminal can develop and industrialise a kit to be used by others, who do not need to understand how the attack works."

Professor Ross Anderson says: "The banks often tell customers that their PIN was used, and so it's their fault. Yet we've shown that it's easy to use a card without knowing the PIN - and the receipt will say the transaction was 'verified by PIN' even though it wasn't."