Chip-and-pin credit card flaw exposed


Chip and PIN flaw exposedResearchers uncovered flaws in chip and PIN technology that could enable fraudsters to use stolen credit cards without the correct PINs.

A team at the University of Cambridge discovered that criminals may be able to trick the chip and PIN terminal into thinking the user's pin has been correctly verified, even though a completely different four-digit number has been entered. This means that the transaction can go ahead, with the receipt stating the PIN has been approved.

Ross Anderson, professor of security engineering in the university's Computer Laboratory, commented: "Over the past five years, thousands of cardholders have had stolen chip and PIN cards used by criminals. The banks often tell customers that their PIN was used and so it's their fault.

"Yet we've shown that it's easy to use a card without knowing the PIN -- and the receipt will say the transaction was 'Verified by PIN' even though it wasn't."

The UK Cards Association has dismissed the claims, however, insisting that the method is too "complicated" to present a real threat.

A spokeswoman for the association observed: "It requires possession of a customer's card and unfortunately there are much simpler ways to commit fraud under these circumstances at much less risk to the criminal."

In a further attempt to reassure credit card holders, the spokeswoman revealed that the association will soon publish figures showing that card fraud has fallen to its lowest level for 20 years.ADNFCR-2308-ID-19613635-ADNFCR

Published: 16 February 2010