Is the alarm over chip and PIN justified?


Is the alarm over chip and pin justified?The publication of research conducted by a team from the University of Cambridge's Computer Laboratory has prompted concerns about the safety of chip and PIN technology. The extent to which this concern is justified, however, is still a matter of debate. While the authors of the report insist the findings are "academically and practically significant," others, including a spokeswoman for UK Payments, are not so sure.

What the Cambridge researchers found
In a feature for BBC Newsnight, which aired on Thursday, Feb. 11, research team members Steven Murdoch, Saar Drimer, Mike Bond and Ross Anderson were able to demonstrate a chip and PIN technology flaw that provides fraudsters with a window of opportunity to use credit cards without knowing the correct PIN. The fault centres on an option at the start of a chip and PIN transaction that allows cardholders to choose whether their payment is authenticated using a PIN, a signature or not at all. The researchers were able to show on camera how a terminal can be tricked into thinking the transaction is being authenticated using a PIN, while the card thinks the chip and signature option has been chosen. Crucially, this means that receipts say "verified by PIN," which could potentially pose a problem for fraud victims who subsequently try to secure refunds from their banks. This is because banks do not acknowledge that this type of fraud is possible. Speaking on the programme, Professor Anderson said the study highlights "one of the biggest flaws that has ever been uncovered against payment systems."

Does this automatically translate to an increased risk of fraud?
However, Jemma Smith, head of public relations at information website UK Payments, believes the risk of fraud is being overplayed. While she admits the Cambridge study has uncovered a feasible loophole which could be exploited by criminals, she suggests fraudsters are more likely to take the easy option. "As it stands, there is no evidence at all which suggests this kind of fraud is being committed," Ms Smith commented. "Primarily this is because, sadly, there are more simple ways to undertake fraud." As such, the main focus should continue to be on preventing the use of stolen cards to buy goods online, Ms Smith believes.

Calls for further research
Figures released by Financial Fraud Action UK in October last year show credit card fraud losses fell by 23% in the first half of 2009, with the body's head of fraud control Katy Worobec suggesting that this downward trend is in part due to the introduction of chip and PIN technology. While Which? principal researcher Martyn Saville agrees with this sentiment, he has nevertheless made the call for more research to be conducted into the possibility of a flaw in order to convince consumers that the system is still the best way of preventing credit card fraud.

Published: 18 February 2010