Out-Law News 2 min. read
12 Feb 2010, 3:59 pm
The Cambridge University researchers claim that the breakthrough undermines the security systems employed to protect chip and PIN payments, but the trade body for the payments card industry says that the hack is too complex to pose a real threat.
The researchers say that the hack could affect consumers' ability to be refunded for the losses caused by the breaking of the banks' security technology.
A spokeswoman for the UK Cards Association accepted that the breach is genuine but told OUT-LAW.COM that it is not a real threat because there are easier ways to abuse a stolen card.
"It is feasible, there is no doubt about it, but why would someone commit fraud in this way? They could just use the card for online transactions and get goods that way without the PIN," she said. "There is a tiny window in which to use it before card gets reported lost and stolen. As a fraud, there are easier ways to commit fraud."
Researchers Steven Murdoch, Saar Drimer, Ross Anderson and Mike Bond of the Cambridge Computer Laboratory discovered the technique, which uses a fake card connected to a computer which fools the chip on the card into approving the transaction. The payment terminal thinks it has received a valid PIN regardless of the number typed into its keypad.
"We have tested this attack against cards issued by most major UK banks. All have been found to be vulnerable," said Murdoch.
"The technical sophistication for carrying out this attack is low, and the compact equipment will not be noticed by shop staff," said Drimer. "A single criminal can develop and industrialise a kit to be used by others who do not need to understand how the attack works."
The Laboratory said that the exploit could cause problems for normally-protected card holders.
"Victims of this attack may have a difficult time being refunded by their bank," said a statement from the Laboratory. "The receipt produced will state 'Verified by PIN', and bank records will show that the correct PIN was used. Banks may then argue that the customer must have been negligent and had allowed the criminal to know their PIN."
The UK Cards Association claimed, though, that it could examine the transaction after the fact and determine whether the correct PIN had been used.
The Association spokeswoman said that the exploit fools the chip on the card and not the systems that lie behind the retailer's terminal. That system will have stored the fact that the wrong PIN has been entered but that will not be checked in a 'live' transaction, she said. She said that this can be checked as soon as a transaction has been identified as suspect.
The issue of whether or not the hack can be discovered after the fact is crucial because it affects whether or not consumers will be liable for criminals' spending. Anderson said that consumers should not be liable for something that is the fault of a technology failure.
"Over the past five years, thousands of cardholders have had stolen chip and PIN cards used by criminals," he said. "The banks often tell customers that their PIN was used and so it's their fault. Yet we've shown that it's easy to use a card without knowing the PIN – and the receipt will say the transaction was 'verified by PIN' even though it wasn't."
"This is not just a failure of bank technology. It's a failure of bank regulation," said Anderson. "The ombudsman supported the banks and the regulators have refused to do anything. They were just too eager to believe the banks."
The researchers will present their findings at security conference the IEEE Symposium on Security and Privacy in California in May.
