“Chip and PIN” System Has a Gaping Security Hole
Security researcher Ross Anderson and his colleagues have determined that “Chip and PIN”–the security system used for debit transactions in Europe and parts of Canada–has a fundamental design flaw that allows thieves to use a stolen card without knowing the user’s PIN:
The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists’ cards. The transactions went through fine and the receipts say “Verified by PIN”.
This attack is both academically and practically significant. We get reports weekly from different victims of phantom withdrawals, and these include large numbers of stolen cards used to make purchases in the window between theft and the cancellation of the card. Currently these victims are denied refunds by their banks, but this attack could explain some of the frauds we are seeing. The fact the receipt says “PIN Verified” when actually it wasn’t raises a whole load of legal and evidential questions which call into question the banking industry’s claim that their systems work (and log) properly. Merchants will be none too pleased either; the system no longer protects their interests but only those of the issuing bank.
You can read the paper online here, which will be presented at the IEEE Symposium on Security and Privacy later this year. This system isn’t used here in the United States, but there’s been some pressure to move in the direction of this system. Personally, I think that banks here might consider a more secure system.