New flaws in chip and pin system revealed
In order to see this content you need to have both Javascript enabled and Flash installed. Visit µþµþ°äÌý°Â±ð²ú·É¾±²õ±ð for full instructions. If you're reading via RSS, you'll need to visit the blog to access this content.
Most of us do not think twice about paying for something in a high street shop by keying in our pin. It is easy, fast and in most cases it works.
But scratch a little under the surface and there are persistent reports of people who say they have been the subject of fraud of one kind or another on their credit or debit card.
Now a team of computer scientists at Cambridge University has found a flaw in chip and pin so serious they think it shows that the whole system needs a re-write.
Over the past few years, the Cambridge team has uncovered a series of weaknesses in the system, which has been running since 2004.
Shockingly simple
Two years ago, we featured one on Newsnight showing that criminals could tap into the communications between a pin terminal and a customer's card, and read off sufficient information .
Now, the same team has found a way round the chip and pin system that is so simple it has shocked even them:
"We think this is one of the biggest flaws that we've uncovered - that has ever been uncovered - against payment systems, and I've been in this business for 25 years," Professor Ross Anderson from the Cambridge University Computer Laboratory said.
"This is a flaw in a system that's used by hundreds of millions of people, by tens of thousands of banks by millions of merchants," he added.
In essence the Cambridge researchers have discovered a way to carry out transactions without needing to know a card's pin.
Small kit
So how does the attack work?
We obviously do not want to give out too much detail, but in simple terms, a stolen card sits in an off-the-shelf card reader, inside a backpack.
This allows it to communicate with a chip, running software written by the team and controlled from a laptop.
All of this is hooked up to a fake card, which slots into the actual shop terminal.
The kit would not have to be big - the Cambridge team is already working on miniaturising it all into a unit the size of a remote control.
It is called a "man in the middle" attack because the software is tricking the terminal into thinking the pin has been verified.
"Essentially what it does is to exploit a flaw in the chip and pin system. It makes the terminal think the correct pin has been entered, and the card think the transaction was authorised with a signature," Dr Saar Drimer, one of the Cambridge team, explained.
"At the end the receipt says 'verified by pin' so the bank is going to think the pin is entered directly, but the criminal actually did not know the pin."
Credit and debit cards attacked
We got permission from Cambridge University to try out the attack in one of their cafeterias.
The team tried out four common cards - two credit cards, issued by HSBC and John Lewis, and two debit cards, issued by Barclays and the Co-operative Bank.
There was no particular reason for choosing these cards, they just happened to be the ones in the Newsnight team's wallets.
Using the cards, Dr Drimer keyed in 0000 as the pin. Since there is no need for the criminal to know the actual pin associated with the card, any combination should work.
It did work, and the printout stated that the purchase had been "verified by pin".
Following the attack we approached the Co-Operative Bank, Barclays and HSBC - which also administers the John Lewis card - for comment.
All three stressed that this was an industry-wide issue, not specific to any particular to any provider, that their cards were no different to those offered by any other provider or bank, and each referred us to the banking trade association for further comment.
Low sophistication
The Cambridge researchers have a standard approach when they uncover this kind of flaw. They tell the authorities straight away, suggest fixes, and then publish.
In the last few weeks, they have told the relevant official bodies.
In reality, though, how easy would it be for someone without a PhD in computer science to carry out this attack?
"Even small scale criminal systems have better equipment than what we have. The amount of technical sophistication needed to carry out this attack is really quite low," Dr Steven Murdoch, one of the team, told Newsnight.
"In practice how this attack would work is that one reasonably technically skilled person would build a device that carries out the attack and then sell this equipment on the internet just like criminals already do," he added.
So is this kind of attack already happening in the real world?
According to Phil Jones of the Consumers Association, chip and pin has helped to bring down instances of card crime, but many cases remain unexplained.
"It's very difficult to quantify exactly how big this problem is," he said. "What we do know from our investigations is that say around 14% of consumers on a representative basis have said they have suffered some kind of financial loss which they believe is through fraud.
"The percentage of that which is actually from this type of potential problem with chip and pin is something that is a lot less clear. What we do know is that we do have cases that are brought forward from individuals which seem quite persuasive."
Onus on banks
So whose job is it to sort this out?
In November last year the law changed, placing the onus firmly on the banks to prove that a customer has been negligent in any dispute.
In the UK, it is the Financial Services Authority (FSA), which has responsibility for overseeing how that new law works into practice, though they say it is up to the industry itself to decide how best to comply.
Newsnight understands that behind the scenes some of the banks are already working on fixing this flaw.
But they obviously have not all fixed it yet, because the banks did not alert any of us to the purchases we made using the Cambridge attack, our cards and a PIN of 0000.
Data trail
Every time you use a card, data on the transaction is generated along the way.
The Cambridge team thinks that customers would be better protected if banks were forced to produce this entire audit trail in disputed transactions.
However, in practice, banks often ask customers to destroy their card, and therefore its chip, as soon as they report a problem.
Stephen Mason, a lawyer who has represented consumers in cases involving banks and disputed card transactions, told Newsnight that digital evidence is increasingly important:
"Just because 'verified by pin' is printed on a piece of paper that comes out of a machine, it proves nothing.
It's for the bank to prove that it was verified by pin - and that statement is actually totally irrelevant."
The chip and pin system has a 700-odd page manual, but the Cambridge team says it has so many holes in it, the whole thing should be re-written.
"The first thing that banks should do is fix this vulnerability. There are ways they could upgrade the chip and pin system that would prevent this attack working for most of all the transactions that happen in the UK, not all but most," Dr Murdoch said.
They should also look back at previous transactions where the customer said their pin had not been used and the bank record showed it has, and consider refunding these customers because it could be they are victim of this type of fraud," he added.
Watch Susan Watts' full report on Newsnight on Thursday at 10.30pm on 91Èȱ¬ Two, then afterwards on the 91Èȱ¬ iPlayer and Newsnight website.
Comment number 1.
At 11th Feb 2010, barriesingleton wrote:THE REAL MEANING OF 'FOOL PROOF'
Chinooks that hit islands, fly by wire planes that go down instead of up.
The problem is not really imperfection itself, it is fools and knaves who declare THEIR system IS perfect, after it goes wrong. A claim of perfection should be no defence - even an OFFENCE in itself.
Complain about this comment (Comment number 1)
Comment number 2.
At 11th Feb 2010, Norman wrote:We were told by politicians and the banks that chip and pin was watertight. A huge expensive advertising campaign was used to promote this misleading message. How many people know that a transaction can be completed at the terminal, with the chip and pin card in the slot, without entering the pin? I had a retailer override my incorrect PIN entry to complete the transaction. If the card had been used fraudulently I probaly would have had my money returned. However, that would happen only after a lot of serious hassle and the involvement of Police. When I complained to the bank about the lack of security they couldn't be bothered. I accept that the system may never be perfect but with sloppy attitudes from retailers and banks the dishonest will always have the upper hand.
Complain about this comment (Comment number 2)
Comment number 3.
At 11th Feb 2010, Ben wrote:Yes, it is concerning that there is a security hole in the chip and PIN operation - especially one that is such a straight forwards workaround, however the system is still far more secure than signatures given that most cashier operators do not check properly, a practice condoned by their employers in their failure to crack down on it.
However, given that this relies on the authorised by signature loop hole - why not just put an end to signature checking altogether. People will complain 'they can't always remember their PIN code', well if they had no choice they would be forced to remember 4 digits in order.
If that is still unacceptable, give those of us who can remember our PIN codes the option to disable to the approved by signature (or preferably, those who want to be able to use their signature have to apply for a card that allows it)
Regardless of all this, as long as there are criminals there will never be a perfectly safe system. What we have is more secure than what went before, the technology to beat it has just moved forwards too.
Complain about this comment (Comment number 3)
Comment number 4.
At 11th Feb 2010, saturnine42 wrote:I had some fraudulent activity on a card through one of the online betting companies. When I queried it, I was told that I must have been there because it was pin verified. When I questioned how I could be present for an online purchase, the money was credited to my card. This was a couple of years ago suggesting that this scam may have been round for a while.
Complain about this comment (Comment number 4)
Comment number 5.
At 11th Feb 2010, jaction wrote:But surely this means the crook will still have to steal your card first before he can steal your money, right?
Complain about this comment (Comment number 5)
Comment number 6.
At 11th Feb 2010, Paul Cunningham wrote:Security among the banks that run credit and debit cards is a disgrace. I recently had my account emptied by a travel agency in Barcelona. When I contacted them they told me that some travel agencies don't even have to confirm the pin number or expiry date to take money. I was left unable to buy petrol to get to work until Barclays refunded the money. And the bank made it clear that they didn't see this as a problem.
We are powerless to do anything as we really don't have any alternative. All I can do is check my balance a lot more regularly than I did before.
Complain about this comment (Comment number 6)
Comment number 7.
At 11th Feb 2010, jamie Warner wrote:And what evidence is there this has not been happening already?
Complain about this comment (Comment number 7)
Comment number 8.
At 11th Feb 2010, Matt wrote:This comment was removed because the moderators found it broke the house rules. Explain.
Complain about this comment (Comment number 8)
Comment number 9.
At 11th Feb 2010, Sutara wrote:Why is anyone surprised?
Did you really think that any bank would invest lots of money in testing its systems adequately to find the flaw?
They will do put such money into something when the problem stops becoming an irritation to customers and becomes a threat to shareholder dividends or CEO's bonus payments.
Complain about this comment (Comment number 9)
Comment number 10.
At 11th Feb 2010, Jona wrote:So the fake card has to be connecteced with wires to the stolen card in the backpack.
Hmmmm
1)you have to physically steal my card
2)I have to not realise it is missing and have it cancelled
3)The guy in the shop has to not notice that there are wires attached to my card
All this is possible but come on it's a number game here. Would we rather banks spent tiem and money fixing this relatively low probability situation or trying to solve the massive problem of card not present fraud? I know where I'd ask them to concentrate.
Complain about this comment (Comment number 10)
Comment number 11.
At 11th Feb 2010, Graphis wrote:I have heard rumours of a so-called "magic card", that simply extracts money from a random account, whether during a purchase or from a cashpoint. Obviously, it doesn't always work, as the criminal can never know if there are sufficient funds in the account the card has selected, but if unsuccessful, he simply goes to another store/cashpoint and tries again.
I think the lesson is though, that the people who insist any system is foolproof are the fools. If there's money around, someone will try and steal it. They always have, and they always will.
Complain about this comment (Comment number 11)
Comment number 12.
At 11th Feb 2010, The Kaptain wrote:You must remember that the banks etc. used the cheapest chip and pin system when they decided to instil it on us
Complain about this comment (Comment number 12)
Comment number 13.
At 11th Feb 2010, Madeleine_Durham wrote:. . . So don't PIN your hopes on this system! ;-)
Complain about this comment (Comment number 13)
Comment number 14.
At 11th Feb 2010, Tim Howell wrote:This comment was removed because the moderators found it broke the house rules. Explain.
Complain about this comment (Comment number 14)
Comment number 15.
At 11th Feb 2010, mark_2002 wrote:So this is an almost exact implementation of the cash machine scene from Terminator 2 when the annoying kid slides a cash card in to an ATM and a box of tricks provides the PIN.
Except now we just provide the ACK for a PIN....
Complain about this comment (Comment number 15)
Comment number 16.
At 11th Feb 2010, barriesingleton wrote:EVEN ON THE NEWSNIGHT BLOG? (#8)
Some joker posted this in your name Matt. To stoop so low!
"There is no such thing as a "PIN Number", it's a PIN, not a Personal Identification Number Number!"
Complain about this comment (Comment number 16)
Comment number 17.
At 11th Feb 2010, ibrahim wrote:Not really a major flaw if it only works with a laptop & wires and requires the the card reader to be a bottom insert not top.
Why not just ask shop assistants to be a bit more cautious when approached by customers carrying backpacks with card in hand. Should be a simple temp solution while they work on recoding.
Complain about this comment (Comment number 17)
Comment number 18.
At 11th Feb 2010, Jason Prichard wrote:Funnily enough, I was wondering if the system was a bit dodgy a few weeks ago.....
Ever noticed how the machine KNOWS at once if your PIN is ok or not? It just waits for the verification code.... If the whole 4 digit PIN is just stored on the card.... we are all in trouble!!!!
Complain about this comment (Comment number 18)
Comment number 19.
At 11th Feb 2010, Tracy wrote:In Spain when you purchase items with your card you must also produce your ID, (Passport or National ID Card). Surely this is more secure than chip and pin or just a signature. It would be interesting to see whether their level of card fraud is less than the UK.
Complain about this comment (Comment number 19)
Comment number 20.
At 11th Feb 2010, twistywillow wrote:Right, well done Cambridge, but, this fraud will only work on card reader you insert into the base off, and if the person loosing the card hasn't reported it missing yet. That leaves thieves with very small options really, find shops with the right sort of card readers, selling the right sort of things to buy, in the same town as the card looser and bearing that in mind, unless its a gold/black/platinum AmEx any purchase is likely to have a spend limit on it. If it was my card, a standard debit card, the bank authorizes amounts and if I only have £50 then thats all I get to spend (or a crook gets to pinch!)
I suggest that all cards debit and credit should have a daily limit on them unless by prior arrangement with the bank/lender, that should minimize the risk.
Having said all that, I lost my card before Christmas, I didn't report it until after wards because I was certain which shop I left it in, when I went back, it wasn't there.I had it stopped immediately. I have learnt since then not to assume I know where anything is in future, and make sure I actually know.
I wonder now though, having seen that, how long it will be before they can do it remotely without a wire attached? Personally now its time to see all readers top loaders and within a height that leaves a clear gap between all people present.
Complain about this comment (Comment number 20)
Comment number 21.
At 11th Feb 2010, busby2 wrote:Doesn't everyone find it extraordinary that the banks want to get rid of the cheque so that we all have to use their insecure chip and pin system? Time, I think, to get the banks to think again and to retain the cheque for the forseeable future so that we all have the choice of using a far more secure system for making face to face payments backed by a cheque guarantee card.
I always try to pay by cheque or cash and never use a cash machine.
Complain about this comment (Comment number 21)
Comment number 22.
At 11th Feb 2010, AdamW wrote:Ben (6:06pm): "However, given that this relies on the authorised by signature loop hole" - it doesn't, so far as I can tell. The story makes no mention of this being involved at all. The transaction is recorded as being authorized by PIN.
Jona (6:57pm): "So the fake card has to be connecteced with wires to the stolen card in the backpack."
No, it doesn't. The researchers used wires because they're cheap and simple to deal with. This was a proof-of-concept execution, they weren't actually trying to fool anyone, so there was no need to deal with the extra effort involved in setting up wireless communication from the fake card to the exploit rig in the backpack. There's probably no technical reason it couldn't be done wirelessly, though, and that's how you'd set up the connection if you actually wanted to use this exploit in the real world.
Yes, you have to steal the card before you can perform this attack. But the whole point of the chip-and-PIN system is supposed to be that your money can't be stolen even if your card is. If we didn't care about that, then there'd be no need to have PINs in the first place, all transactions would just be authorized as soon as the card was presented. It's called 'two-factor authentication' - something you have (the card), something you know (the PIN).
Complain about this comment (Comment number 22)
Comment number 23.
At 11th Feb 2010, Richard wrote:This is minor in comparison with the fact that you are entering your secret, your PIN, into what is effectively an untrusted device. Who knows what's in that little box the cashier hands you? They're not all the same. Some of them even have magnetic stripe readers so can gain a lot of information.
Then again, whenever you shop online you give out enough information for someone at the web site to use your card elsewhere. Some web sites have started asking for date of birth too. I refuse to shop at them, because that is becoming enough information for identity fraud.
What's needed is some form of one-time security device. PayPal have an interesting idea with their text messages to your registered phone so you need both password and phone to buy something.
Some say the attack mentioned here is not a problem because of the wires. This does not account for the attack being carried out by the shop staff, or a future implementation that does not need wires. The fact that the system is vulnerable to the "Man in the Middle" attack is the problem.
Complain about this comment (Comment number 23)
Comment number 24.
At 11th Feb 2010, Chris wrote:Whilst we are discussing the security of chip and pin cards does anyone know how secure the contactless cards are. Payments of up to £10 can be taken from a card by swiping it near a card reader. Is it possible an unscrupulous person carrying a portable reader could swipe it near your back pocket or handbag and extract funds. Even at less than £10 a time it could mount up to a considerably worthwhile sum after a day's swiping.
Complain about this comment (Comment number 24)
Comment number 25.
At 11th Feb 2010, Jemil wrote:Well done the Beeb for even rudimentarily pointing out how credit card fraud can be achieved!
Why don't you tell us a bit more about Anthropogenic Global Warming and how that science works?
Complain about this comment (Comment number 25)
Comment number 26.
At 11th Feb 2010, fezzer wrote:Can anyone here suggest an organisation that would be interested in hearing about a solution to combat credit card fraud? My solution relates to an existing device that will, with a little tweaking prevent credit card fraud at both POS and CNP transactions. This device is widely available and could completely replace the chip and pin, but as yet, has not been applied to this area of security. Any suggestions would be most appreciated?
Complain about this comment (Comment number 26)
Comment number 27.
At 11th Feb 2010, RLH1144 wrote:It is also worth pointing out that many countries outside of Europe do not have full chip and pin facilities. In South Africa for example, a debit card is often simply processed as a credit card so there is no requirement to enter a pin number, a signature is all that is required. Please bear this in mind when attending the World Cup and take care!!
Complain about this comment (Comment number 27)
Comment number 28.
At 11th Feb 2010, WhiteHeath wrote:Why not use cash?
Then there is no identity theft, no one using your card.
Complain about this comment (Comment number 28)
Comment number 29.
At 11th Feb 2010, andie99uk wrote:and after all we (as tax payers) have given the banks, they are still happy to let us be ripped off by thieves.
They don't care if we lose a couple of hundred £ a month, as long s they get their £38 a month for us going overdrawn.
The whole system is geared towards the banks amking money and putting one over the little person.
Chip & pin?
More like Chip & hope
Complain about this comment (Comment number 29)
Comment number 30.
At 11th Feb 2010, barriesingleton wrote:FEZZER SOLUTION (#26)
Possibly. Find my website and email or the Blog dog will come out of that kennel so fast . . .
Complain about this comment (Comment number 30)
Comment number 31.
At 11th Feb 2010, David wrote:This isn't that big an issue, yes it needs to be fixed, but if someone wants to steal from you, they will. There are millions of holes in microsoft (windows xp etc) software yet it's never in the news, it's miles easier to get into someones computer and steal their data and no-one would even know you were there. As it stands if someone steals your card they have all the details they need to shop online with it. All they have to do is send it to an address they have rented, max it out then move on. Chip and pin obviously wasn't "water tight" it's 4 digits long, i mean come on! Also i love how the beeb tells people how to do these things, it's great.
Complain about this comment (Comment number 31)
Comment number 32.
At 11th Feb 2010, David wrote:@ WhiteHeath
There's no ID theft there you're right, just normal good old face to face theft. Criminals get so impersonal don't they?
Complain about this comment (Comment number 32)
Comment number 33.
At 11th Feb 2010, John Collins wrote:4 digits is ridiculously short - only 10,000 options and you aren't allowed 1234 or 1111 etc so it's much less than that.
People should have the option to have up to 10 digits and the machine should ask for a different 3 of the digits each time.
And the "cash machine" PIN should be different from the "shopping" PIN.
Until then it's a sick joke.
The burden of proof has to be always on the banks to show they are secure or they must refund. Then they'll get it right.
Complain about this comment (Comment number 33)
Comment number 34.
At 11th Feb 2010, Dave425 wrote:Interestedly I had a bogus purchase made on my HSBC account for tickets on Ryanair, when I contacted Ryanair they said I need to take it up with my bank, I said don’t you need to know who is sitting in that seat as they are already a criminal and therefore could endanger your plane, there was a long pause and they said the would get back to me, I’m still waiting 3 mths later, luckily HSBC were quicker in paying back the money into my account.
Complain about this comment (Comment number 34)
Comment number 35.
At 11th Feb 2010, markbutterworth34 wrote:There will always be attempts to expose any weak link in security. A back pack with a laptop along and some wires is far fetched I agree and not a real security risk, but just wait until all this can be put into a single credit card like yours and me and then it will be a serious threat. Until the industry as a whole stops issuing low security, cheap cards and creditcard terminals stop accepting them this type of crime will always be possible.
Complain about this comment (Comment number 35)
Comment number 36.
At 11th Feb 2010, Eye Eye wrote:This comment was removed because the moderators found it broke the house rules. Explain.
Complain about this comment (Comment number 36)
Comment number 37.
At 11th Feb 2010, Darren Whittenham-Gray wrote:This might sound like a crazy idea, but why was fingerprint technology not used?
Fingerprints are relatively unique; so either standalone, or even combined with a PIN would surely be a step towards better security!
Complain about this comment (Comment number 37)
Comment number 38.
At 12th Feb 2010, Richard wrote:My corp amex has no chip. Some shops in the UK don't like the idea of me having to sign, as it's been drilled in that chip&pin is more secure. However, as one retailer put it "combined with my driving licence, this is the most secure way of confirming the tx".
The point is, my driving licence has a photo of me on it. So why can't we have photos on our bank cards - its one thing to know or trick a PIN, bit harder to have a matching face though!
Complain about this comment (Comment number 38)
Comment number 39.
At 12th Feb 2010, pengipete wrote:Why do organisiations insist on finding "clever" new was to identify us - numbers, fingerprints, bio-data - the list gets longer?
The last time I checked, a photo was a pretty safe way to identify a person so why not replace the bank logo hologram with a hologram of the card's owner. The cost of faking a hologram would put this sort of theft out of the reach of all but the most organised criminals and the time involved in creating a fake card would allow for more cards to be cancelled before mone was lost.
The face could be checked by a human operator or by a webcam and simple software - the sort that is already built in to many cameras.
We're not talking about an ID card here - just a simple process that doesn't try to be too clever.
Complain about this comment (Comment number 39)
Comment number 40.
At 12th Feb 2010, mrxavia wrote:not very surprising, chip & pin is not secure, but its better than the old system.
But what about this new contactless card, how long until criminals start cloning cards just by walking past people. Oh thats right, they already did the same thing with the new passports...
Complain about this comment (Comment number 40)
Comment number 41.
At 12th Feb 2010, Adrian wrote:You need to be a magician to carry out this attack.
The card will slide out of your sleeve (instead of you wallet) and using misdirection the cashier will not see wires attached to it which run up your sleeve and into your backpack.
What system is secure from that kind of abuse where you physically insert two wires into it and hook it up to a computer.
Complain about this comment (Comment number 41)
Comment number 42.
At 12th Feb 2010, Ironically wrote:This comment was removed because the moderators found it broke the house rules. Explain.
Complain about this comment (Comment number 42)
Comment number 43.
At 12th Feb 2010, Jim wrote:Never been happy wityh the system. The old system had to have you sign, if there was any doubt the signiture was confirmed as per the sample. The banks were responsible until it was proved that you signed.
Now with the old chip & Pin you are responsible for any and all transactions, until you prove otherwise.
It was just a way of securing the banks responsibilities away from the client, an unfair system with your money.
The proof came when a shop took 3 payments from my card on 2 different days, All for the same amount, the bank informed me that I could lodge a dispute, but I had given over my card therefor gave permission for the transactins and any further transactions the company may process.
Another ocassion when I bought a vidoe card on line, the card arrived with the package open inside and obvious signs that It had been a return, I tried it it did not work. I sent the card back only to be told by the company that the card had been stripped and its warrant voided, as such they deducted more money from my account for testing and postage, 1 week later! once more the bank said that I had autherised any and all transactions at any time because I had given over the card details. The card was then prooved by the manufaturer to have been a previous warranty claim, and should have been returned to them. Made no difference tot he company they still did not refund any money, the card was eventually replaced by the manufaturer, who even paid the postages!
I have been informed by the bank that the only way to ensure that a company cannot come and take any more money from the card, is for you to cancell the card after the transaction, they will issue a new card, and any further payments on the old card will be rejected.
Chip & PIN..... Stick it, bring back the old Sign for system.
Complain about this comment (Comment number 43)
Comment number 44.
At 12th Feb 2010, Laurence wrote:Sorry, but photos are not secure at all. How difficult would it be for a criminal gang (and they do work credit card fraud in gangs) to take a photo of you as well as steal your card? Not difficult at all. Then it would be simple to get the picture on the bluetooth/wireless dummy card before presenting it to pay for something - probably minutes after it has been stolen. This would not be difficult for the high-tech criminal gangs to do. After all they were able to make combined wireless card-readers and cameras that didn't look much out of place when placed on a cash machine to record card details (via the magnetic stripe) and pin (via the camera). Don't underestimate what criminals can do.
Complain about this comment (Comment number 44)
Comment number 45.
At 12th Feb 2010, TimmyNorfolk wrote:@ 17, 19 & 38:
Producing ID will work about as well as asking a cashier to check your sig. They will get complacent and not bother.
@ 33:
Having a 10 dig number might be a bit tricky for people like my grannie to remeber. Expecially when you start asking fro numbers 1, 5 & 7 or whatever
Complain about this comment (Comment number 45)
Comment number 46.
At 12th Feb 2010, Robin Hilliard wrote:I'm a director of an independent company which provides chip and PIN certification software and services to banks and other organizations worldwide and have been familiar with Professor Anderson and his work for many years (and have exchanged emails on a number of topics). While this work certainly appears important, it is likewise important that the claims he is making are not exaggerated. His comments in this article -- that this is the largest flaw that's been discovered in 25 years of electronic payment systems -- indicate to me that he is suspiciously close to doing so. Bear also in mind that technical experts were aware of his previous attacks before he was, and that, while he has talked at length about the economic forces that pushed the banks to implement Chip and PIN in the first place, he has not generally discussed the more fundamental trade-offs inherent in any payment system between the overall security of the system, and the usability of the system.
Regardless of this, let's have the details of this attack first, and then have technical experts other than the discoverer can evaluate its overall importance.
Complain about this comment (Comment number 46)
Comment number 47.
At 12th Feb 2010, Ironically wrote:I posted comment 42, in my opinion this comment did not break any written house rules, it was non defamitory and non offensive in any way and simply stated some facts about poor quality of equipment from payment terminal manufacturers having previously worked in the industry that would have been useful for the public to know (this post did NOT mention any individual or company names). However, the 91Èȱ¬ have removed this comment without explaination. Why? I think my comment would have been very useful for the public to be aware of, after all they pay for the service in one way or another at the end of the day. Open and honest journalism? Please re-instate the comment.
Complain about this comment (Comment number 47)
Comment number 48.
At 12th Feb 2010, Merkels Moneypouch wrote:The single biggest flaw in a chip & pin card is the mag-stripe present on the back. You would need a great deal more skill to implement this attack than simply cloning the map-stripe. Nonetheless, it is an exploit which needs fixing, albeit one with relevance only to stolen cards.
The problem has never been about signatures, as the vast majority of fraud is carried out with "cardholder not present" technology. Anyone saying go back to old-tech is a fix obviously does not understand the concept of money in the 21st Century.
The problem is always "how can you securely identify yourself to a computer." Give it a few decades, and I'm sure we'll be authorising payment with our own DNA/voice/iris scan. The technology to implement all three exists, it just needs to become commercially viable. Passwords and PINs just aren't secure enough for todays world.
Complain about this comment (Comment number 48)
Comment number 49.
At 12th Feb 2010, Steve S wrote:There are an awful lot of comments above this one involving "They would have to steal my card and use it before I reported it stolen."
Oh really ?
I cannot be the first one to think of the tech savvy criminals using a Chip reader/writer, can I ? When you give someone a card and they use one of those remote-terminal card machines, who's to say that it hasnt been modified so that it takes an image of the data on the chip ? Who's to say that there isn't something packetsniffing the transaction between the terminal and the bank ? They have your data now, however they got it, and as far as you are concerned, the card never left your wallet. You won't report it stolen - because you have it in your hand!
To beat these people, you have to think like these people. Sitting around and panicking about it now is too late - this has already been done to people I know - "verified by PIN" purchases of O2 mobile phone credit on his VISA card.... when he has a contract mobile phone from Vodafone.
Complain about this comment (Comment number 49)
Comment number 50.
At 12th Feb 2010, David Griffiths wrote:So ... who's the criminal here then? £5 for a bottle of water. No wonder the boys at Cambridge are looking for chip an PIN loopholes.
My second point: who is fooling whom? Watch the video again, closely this time. When the would-be crim enters the bogus PIN, the terminal display clearly shows that the card is a Visa card. Nothing surprising there, is there? Now look at the receipt. The receipt says that the card is a MasterCard - it's not obvious, but it's there. Look at the AID on the print out and notice the "4". For a Visa card, it would be a "3". Maybe you didn't spot it, but it is worth thinking about. Like everything else these guys do, it isn't always all that it seems!
I personally still feel safe, and I, like Ross Anderson, have also been doing this for 25 years!!!!
Complain about this comment (Comment number 50)
Comment number 51.
At 12th Feb 2010, Paul Freeman-Powell wrote:I would like to see my bank offering Chip and PIN cards that *DON'T* have a signature strip on the back. In the 21st Century, we still place far too much emphasis on proving who you are by writing your name on a bit of paper and hoping it "looks sufficiently similar" to another bit of paper with your name written on. I'm sorry, what?
I don't like the fact that someone could steal my cards and commit fraud by taking advantage of places still allowing you to sign for transactions instead of entering a PIN.
A chain is only as strong as its weakest link - and the fact that signing hasn't been completely banned means that the weaklist link is about as strong as a piece of dust, therefore the whole system is pretty pointless. OK, it's cut fraud and a PIN system is infinitely better than a "write your name in the same squiggly way every time" system, but they need to do it properly!
Additionally, all our credit cards should have photo ID printed on the cards. That would make a stolen card much less useable!
Complain about this comment (Comment number 51)
Comment number 52.
At 12th Feb 2010, Paul Freeman-Powell wrote:Edit to my previous comment: They should remove the mag strip as well as the signature strip.
Complain about this comment (Comment number 52)
Comment number 53.
At 12th Feb 2010, Ironically wrote:Right, lets try this one again (retry on comment 42) but to avoid any comments viewed to be defamatory or otherwise breaking house rules i'll write it as a fictional scenario below.
Lets say IF I used to work for a market leading chip and pin terminal company and IF maybe per chance I used to test a lot of quality and security based issues with them. It MAY or MAY NOT have been that many problems could have been raised on the quality, operation, interaction, useability and security weaknesses of the systems. It may also be the case in such a fictional scenario that these issues were known, discussed, accepted and the equipment shipped anyway. I'm guessing companies have to meet payment milestones in some cases to get paid right? of course this is only a fictional scenario but it could also be that systems maybe put out into retail points of sale with known bugs and a high percentage failing and then being sent back to the manufacturer to be refurbed. Who knows they may even reload the same software that failed before as software is a complex world right? it now works for now and you could then ship the terminal or pin pad again and charge a fee for refurb. I'm not saying this kind of things go on, I guess you'd need to ask the banks how many of their customers experience issues like that but is one possible theoretical scenario which could explain why maybe sales/performance driven companies may be tempted to consider quality and system design as a lower priority to shipping something, anything out.
maybe these kind of things go on in life?
all of the above is written as if it is a fictional scenario to fuel the debate, please leave this post uncensored to help the debate. ta.
Complain about this comment (Comment number 53)
Comment number 54.
At 12th Feb 2010, IGN wrote:I have a much more simpler, low-tech method. Stand behind someone in supermarket and you will see their pin then steal their wallet, run to the first cash-point and rob them blind.
Retailers are simply unable to provide customers with private enough space which would secure the pin upon entry. Security cameras routinely record your pin details every day which is another huge problem as you are exposing your pin regularly to strangers.
If someone steals money from you using your pin banks are going to put the blame on you squarely as it is your responsibility to keep your pin secure. I have a feeling that this shifting of responsibility to the customer is the main reason why banks have introduced this flawed system and that we will end up picking the bill for it in more ways then one.
Complain about this comment (Comment number 54)
Comment number 55.
At 12th Feb 2010, IrisGuard wrote:Using biometrics is the way forward. Iris recognition is being used in Cairo Amman Bank in Jordan by customers at ATMs without using any card or pin to draw cash. This is not a pilot, this is rolled-out and being used at hundreds of locations.
The following link explains the deployment:
The following link has the story as reported by 91Èȱ¬ Middle East Business Report:
This is the world's first bank to deploy Iris recognition in all its branches and on all its ATM machines. Needless to say, using Iris recognition proves the person's identity in ways that no card/pin or username/password is capable of.
Complain about this comment (Comment number 55)
Comment number 56.
At 12th Feb 2010, Andy wrote:It always makes me laugh when people claim Chip and PIN is flawless and tamperproof when from Day One of the scheme you have had to enter your PIN on unprotected keypads in shops across the country.
It is the easiest form of ID to steal. Watch someone enter their PIN, steal their card, spend, spend, spend. Even signatures are more secure than that.
In all the time this system has been around there are still no proper protection guards on keypads to allow even the few who want to try to hide their PIN the opportunity.
I reckon on any given day of the week, the average citizen could, if inclined to do so, note down around 5 PIN numbers of stranger's cards without any effort at all. And people think its foolproof.
Coupled with the fact that banks still think card fraud is a minor crime...... good grief.
Complain about this comment (Comment number 56)
Comment number 57.
At 13th Feb 2010, nyelvmark wrote:I think everyone here is missing the point. One of the major selling points of credit cards is that they have a built-in insurance system. If you buy something with a credit card, you can get the money back if the transaction turns out to be fraudulent.
This insurance system is not free - you pay for it in the ridiculous interest rates. As a result, banks are not really interested in the details of how the fraud was perpetrated - they're only interested in how much money they lose compared to their insurance premiums. It makes little difference whether the insurance company is a separate organisation or another division of the same bank. The only calculation necessary is "are we making, or losing money?"
It therefore does not surprise me that all of the banks that you spoke to dismissed the problem as: "We're the same as the competition". In short - the banks MANAGE fraud, calculating it as a predictable loss.
If just one bank somewhere could come up with a system which reduces fraud by 50%, they would have a competitive advantage, in that their insurance premiums would be lower, so they could offer lower interest rates on their credit cards. But in the real world, the technology is developed by the big banks (who are also their own insurance companies) and they don't see it as worthwhile to spend money on this.
It's about percentages of percentages, and how much real money is better technology worth? Especially when it's not the banks' money, but your money and my money at stake.
Complain about this comment (Comment number 57)
Comment number 58.
At 13th Feb 2010, Paul Freeman-Powell wrote:A couple of years ago I saw a news article about a supermarket (it may have been the Co-Operative, but I may be wrong...) which allowed its customers to register their bank details and their finger print with them, and then had fingerprint readers installed on the tills.
It was only a trial, but a great idea I thought. Why did it never take off?
I'd sign up straight away. In fact, the banks should let you opt to register your fingerprint and then we should gradually replace all the Chip+PIN machines with ones that also allow you to choose that method.
Obviously we'd still have to allow PINs for the paranoid obsessive types who seem to create and believe conspiracy theories about this, that and the other, refusing to tell anyone their name in case they get shipped off to Guantanamo Bay, etc. etc. but for the rest of us who just want to get on with our lives and take advantage of useful advances in technology - it would be good!
Complain about this comment (Comment number 58)
Comment number 59.
At 13th Feb 2010, Ralph wrote:So CHIP and PIN has been revealed to be unsafe - no surprise there! Only a question of time... The system seems to be fooled quite easily. Scary! Really?
What is actually new?
In the USA always, and increasingly also in Europe, I am handed back my credit card and pocket it BEFORE I sign the receipt. The attendant usually does not look at the signature. If I was brave enough I could sign with 'Donald Duck'.
In USA hotels they swipe the card when you arrive. No questions asked, no signature taken, no PIN entered. The night before you leave they slip the bill under your room door. You leave. Transaction done!
When paying for parking (e.g. at airports) or when buying a train ticket in a vending machine in many countrys you do not have to enter a PIN. Just swipe the card.
On the phone you tell the merchant your card number, expiry date and security code. So they have everything to use your card anywhere and as many times as they like.
In the UK some female test buyers successfully used cards issued to males and vice versa. Does anybody ever wonder why 'Miss XYZ' is wearing a full beard?
Question: Does any of the above suggest that the word 'SAFE' should be used in connection with cards at all?!?
And what do the banks do? They 'profile' us to spot fraudulent transactions. In real life this works as such:
Recently I booked flights for hundreds of pounds over the phone. Nothing happened. A few weeks later I got my card cancelled and my online account locked for buying a £1.50 Megabus ticket! For me this was a usual transaction, done many times before, while the flights weren't. When I bought £5 funfares on National Express, the alarm bells rang too! Different card from a different bank. Same with EasyBus and a third card. Where is the logic? Who bothers phoning them back after the third time in a row? Last month I bought very expensive jewellry with a brand new card. Went through straight away... Anybody bother explaining this to me?
Complain about this comment (Comment number 59)
Comment number 60.
At 14th Feb 2010, Graham Carter wrote:Surely it's up to the shops to make sure the customer doesn't have a wire attached to his card!
If shops check for suspicious wires, and cardholders report their cards stolen as soon as they notice, then the system is fairly secure. If use of a signature is stopped, as described by another poster, then this "loophole" is closed altogether.
Sorry, but I find this article to be sensationalist and unrealistic.
Complain about this comment (Comment number 60)
Comment number 61.
At 17th Feb 2010, Maddox wrote:Ross Anderson is a serial self-publicist, and you have to question the motives for widely publicising a flaw that is probably not widely known by fraudsters. And now they are further miniaturising their device - why? for what purpose?
No one in card payments would suggest that this or any other system is infallible - the annually reported fraud figures clearly suggest otherwise.
It cost several billion pounds to roll-out chip and PIN and it'll cost a lot more to upgrade it. Who will pay for this, first the banks, then the retailer and ultimately you. I wonder whom is going to benefit from this, perhaps a group of Cambridge boffins with a solution they want to see adopted?
Complain about this comment (Comment number 61)
Comment number 62.
At 17th Feb 2010, Alain Job wrote:I think so me of the contributors on this issue are underestimating the real safety issue of chip and Pin because they have never been victim and/or if they were, their money was probably returned to their bank accounts.If they could experience of someone getting hundred pounds of his hard earned money taken fraudulently from him and the effects on his day to day financial life, they would probably be talking in another way.If we have to believe the program,there seems to be an agreement within the banks that the system is not foolproof but still banks have been arguing consistently that someone complaining may have used his card or gave it to a third party to say he was negligent. maybe the contributor of post 46 and 50 will care to know that, in Job v Halifax where i was the victim, the Halifax bank still won the case even after admitting that they had destroyed the transactionas cryptograms which could have ascertained the card involved in the disputed transactions even if i notified them of my intention to complaint the next day i realised the fraud. It makes me wonder what evidences the banks put before the FOS for it to arrive to side with the bank in most cases that the baks have choosen to dispute; what is ironic is the fact that in a country like the united kingdom, we are unable to get the specific number of chip and pins frauds complaints, either from the banks, the FOS or the security services which makes it the more harder to understand on which basis other than alibi, Banks choose to reimburse some people and not others. That i was refused a legal aid certificate to have proper legal representation against a bank that had just been bailed by the tax payer is self telling and for the bank to stake up to £50.000.00 pounds to dispute a £2100 says it all! and none of you can share the financial nightmares Halifax plunged me into.
Complain about this comment (Comment number 62)
Comment number 63.
At 17th Feb 2010, Ayo wrote:This is indeed a serious flaw. The EMV compliance was enforced last year in Nigeria, now we are having this issue on our hands. I think it's time the whole architecture is rewritten or maybe we can adopt a new Technology. Is NET1 UEPS technology more secured?
Complain about this comment (Comment number 63)
Comment number 64.
At 18th Feb 2010, Laura Graham wrote:my santander debit and credit cards were stolen from my handbag in cheltenham early january. i cancelled my cards the next day as soon as i noticed they were missing. i was confident the thief could not use these cards because my pin number was secure. However the thief was able to withdraw £1200 from ATMs and purchase goods to the value of £12000 in Cheltenham, Leamington Spa and Coventry. Santander have shown no interest but to bombard me with telephone calls demanding that i repay the amount the thief overdrew on the credit card. santander do not answer my letters and telephone calls end up in call centres in UK and India. Their fraud department do not accept incoming calls. Where on earth do I go from here?
Complain about this comment (Comment number 64)
Comment number 65.
At 28th May 2010, willturner1 wrote:This comment was removed because the moderators found it broke the house rules. Explain.
Complain about this comment (Comment number 65)
Comment number 66.
At 5th Jul 2010, bowshirl wrote:We have recently been subjected to card fraud with our Post Office Mastercard, the card data can only have been stolen when we used a terminal at a London underground despite hiding our hand when entering the pin. The card remained in our possession during the 2 day trip but was fraudlently used that evening. Whilst we can prove that it cannot have been us, Mastercard are convinced that we must have authorised this transaction using the actual card & pin code and so are liable for the spend. Has anyone else had experience of this? The insist that this is the only possible explanation it can't be. I am interested to hear from anyone else who may be a victim of a similar event.
Complain about this comment (Comment number 66)
Comment number 67.
At 6th Jul 2010, Edred wrote:This comment was removed because the moderators found it broke the house rules. Explain.
Complain about this comment (Comment number 67)
Comment number 68.
At 15th Sep 2010, Steve wrote:I had my wallet stolen this morning. I reported the theft within one hour and yet my accounts have still had £550 removed from them at ATMs. I had no written record of my PINs and I haven't used my cards since the weekend, so I'm confident the PINs were not compromised by someone seeing me enter them.
The key to theft with this technology isn't stealing from shops, it's stealing from ATMs.
Complain about this comment (Comment number 68)
Comment number 69.
At 26th Sep 2010, U14623168 wrote:This comment was removed because the moderators found it broke the house rules. Explain.
Complain about this comment (Comment number 69)
Comment number 70.
At 15th Nov 2010, BobMcCallum wrote:Chip and Pin is not as secure as the banks let us believe. As a Fraud Investigator for Credit Card Refunds I have come across many cases where innocent people have had money taken from their account and the evidence clearly points to a third party using various devices to skim the card. Don't take all that the banks say about these cards being safe. The evidence I have seen and been involved tells me otherwise.
Complain about this comment (Comment number 70)
Comment number 71.
At 5th Jan 2011, miklyn2011 wrote:Forget chip and pin....it is now technologically flawed. Return to signatures BUT.... instead of signing the card, write "signature verification by photocard only" Make this an option, get the card issuer to print this requirement on the card, and force the retailer to pay for any unverified signature in case of dispute.
At some stage the issuers will be forced to properly protect the card usage by imposing and installing a SECURE system, ie, photograph of holder with signature included and retailers will have to be more responsible or pay for their negligence.
Chip and pin will remain an option for online or forgetful users, or for unmmanned cash points, with the associated current risks.
Complain about this comment (Comment number 71)
Comment number 72.
At 5th Jan 2011, edwardlobo wrote:This comment was removed because the moderators found it broke the house rules. Explain.
Complain about this comment (Comment number 72)
Comment number 73.
At 10th Jan 2011, Leslie Bowman wrote:As a small business man, I can tell you that crooks are doing very well thank you. It’s not that banks that are suffering with fraudulent transactions but the business who supply the card holder. Card holders are covered by some kind of insurance by the card insurer.
BUT Aren’t they the clever ones at Cambridge University. Now all the crooks around the world will be trying to uncover what they have discovered. Sometimes is best to keep your mouth shut, O clever one.
Complain about this comment (Comment number 73)