New flaws in chip and pin system revealed

  seefuu1 15:41 12 Feb 2010

click here

"Essentially what it does is to exploit a flaw in the chip and pin system. It makes the terminal think the correct pin has been entered, and the card think the transaction was authorised with a signature," Dr Saar Drimer, one of the Cambridge team, explained.

"At the end the receipt says 'verified by pin' so the bank is going to think the pin is entered directly, but the criminal actually did not know the pin."

  johndrew 16:15 12 Feb 2010

The joy of technology. Just when it looks as if things are working well ........

Question is how to convince the bank after the loss/theft that you didn't enter the PIN or give it to the user of the card. Looks like another long drawn out argument to prove it's not your fault!!!

  Pine Man 16:16 12 Feb 2010

All you need is to STEAL a card and BEFORE it is missed and stopped, use the SPECIAL SOFTWARE developed by Cambridge University to fool the bank.

I think I'll still sleep ok;-)

  oresome 17:35 12 Feb 2010

I don't think it can be described as a flaw when it needs a backpack full of electronics, a modified credit card connected via a data cable and some clever software to defeat the system.

Nevertheless, fraud has increased substantially since the introduction of chip and pin, but I bet most of it is done using simpler methods than this one.

  jack 20:35 12 Feb 2010

I have been 'done' at a garage twice in the past-
and it was the bank that got onto me to tell me.
All it needs is an 'insider' to fix a widget under the reader and a wireless lappie secreted on or off the premises.

  Forum Editor 01:25 13 Feb 2010

is fix this vulnerability. There are ways they could upgrade the chip and pin system that would prevent this attack working for most of all the transactions that happen in the UK, not all but most,"

Well that's OK then - no need to worry. I imagine the banks all have teams working through the night on this.

  Forum Editor 01:30 13 Feb 2010

"Question is how to convince the bank..."

Remember that in the event of a dispute it's up to your bank to prove that the transaction was verified by PIN, and to do so they would have to produce their data trail - the one that is generated by every card transaction. It's not good enough for them to simply say that the PIN was entered, and leave it at that.

  johndrew 10:33 13 Feb 2010

I agree with your statement about the requirement placed on the banks. My problem is that I simply don't trust a word they say in the first place so how can I believe they will follow the data trail or even tell the truth. Their business, demonstrably, is making money for themselves and looking after it; this doesn't necessarily read across to their customers' money.

  Pine Man 11:23 13 Feb 2010

My CC was cloned and I was screwed out of about £10,000. Before I even knew what was going on I was contacted by Capital One, my card was stopped, a new one was issued and the fraudulent amounts removed from my account.

There was no call for me to prove anything other than to complete a pro-forma statement at a later date confirming that the unlawful purchases were not mine.

  robin_x 01:25 16 Feb 2010

I was done once and I am sure it was my local garage.

I don't have a huge number of places I use my debit card in.

They got £4,500 before the card was stopped.
(When it hit my overdraft limit)

Took 6 months and lots of letters and emails before it was all resolved. It was a right pain.

This thread is now locked and can not be replied to.
