Chip and PIN system proven to be flawed

By EDRi · February 24, 2010

This article is also available in:
Deutsch: [Chip- und PIN-System bewiesenerma├čen fehlerhaft | http://www.unwatched.org/node/1727]

According to a research performed by a group of experts from the Computer
Laboratory, of Cambridge University, the Chip and PIN system is flawed,
allowing criminals to use stolen credit and debit cards, without knowing the
correct PIN.

The thieves can easily create a device to modify and intercept
communications between a card and a point-of-sale terminal, and making the
terminal believe the PIN was correctly verified when actually any PIN could
be introduced and the transaction would be accepted.

“The flaw is that when you put a card into a terminal, a negotiation takes
place about how the cardholder should be authenticated: using a PIN, using a
signature or not at all. This particular subprotocol is not authenticated,
so you can trick the card into thinking it’s doing a chip-and-signature
transaction while the terminal thinks it’s chip-and-PIN. The upshot is that
you can buy stuff using a stolen card and a PIN of 0000 (or anything you
want). We did so, on camera, using various journalists’ cards. The
transactions went through fine and the receipts say “Verified by PIN,” said
Professor Ross Anderson, one of the researchers.

The attacks can be successful for cards used online (a merchant POS
contacting the bank) and offline, for any amounts of money and to bank
schemes based on EMV (Europay, MasterCard, Visa). They would not work on
ATMs and with cards that have already been cancelled by the bank.

The research conclusion is that the attacks are possible due to “a lack of
authentication on the PIN verification response, coupled with an ambiguity
in the encoding of the result of cardholder verification as included in the
TVR (Terminal Verification Results)”.

The main problem is that banks refuse to refund victims of this type of
attacks because they state that a card cannot be used without the correct
PIN which, as the paper shows is not true.

“This is not just a failure of bank technology. It’s a failure of bank
regulation. The ombudsman supported the banks and the regulators have
refused to do anything. They were just too eager to believe the banks,”
stated Anderson.

Chip and PIN is broken (11.02.2010)

Chip and PIN is broken

Chip and PIN is Broken (draft for the 2010 IEEE Symposium on Security and
Privacy (draft)
http://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf

Cambridge researchers show that the Chip and PIN system is vulnerable to
fraud (11.02.2010)
http://www.cl.cam.ac.uk/research/security/banking/nopin/press-release.html

Chip and pin card readers fundamentally flawed (11.02.2010)
http://www.telegraph.co.uk/science/science-news/7215920/Chip-and-pin-card-readers-fundamentally-flawed.html

Chip and PIN is broken, say researchers (11.02.2010)
http://news.zdnet.co.uk/security/0,1000000189,40022674,00.htm