New flaws in chip and pin system revealed

  seefuu1 15:41 12 Feb 10
Locked

click here



"Essentially what it does is to exploit a flaw in the chip and pin system. It makes the terminal think the correct pin has been entered, and the card think the transaction was authorised with a signature," Dr Saar Drimer, one of the Cambridge team, explained.

"At the end the receipt says 'verified by pin' so the bank is going to think the pin is entered directly, but the criminal actually did not know the pin."

  johndrew 16:15 12 Feb 10

The joy of technology. Just when it looks as if things are working well ........

Question is how to convince the bank after the loss/theft that you didn't enter the PIN or give it to the user of the card. Looks like another long drawn out argument to prove it's not your fault!!!

  Pine Man 16:16 12 Feb 10

All you need is to STEAL a card and BEFORE it is missed and stopped, use the SPECIAL SOFTWARE developed by Cambridge University to fool the bank.

I think I'll still sleep ok;-)

  oresome 17:35 12 Feb 10

I don't think it can be described as a flaw when it needs a backpack full of electronics, a modified credit card connected via a data cable and some clever software to defeat the system.

Nevertheless, fraud has increased substantially since the introduction of chip and pin, but I bet most of it is done using simpler methods than this one.

  jack 20:35 12 Feb 10

I have been 'done' at a garage twice in the past-
and it was the bank that got onto me to tell me.
All it needs is an 'insider' to fix a widget under the reader and a wireless lappie secreted on or off the premises.

  Forum Editor 01:25 13 Feb 10

is fix this vulnerability. There are ways they could upgrade the chip and pin system that would prevent this attack working for most of all the transactions that happen in the UK, not all but most,"

Well that's OK then - no need to worry. I imagine the banks all have teams working through the night on this.

  Forum Editor 01:30 13 Feb 10

"Question is how to convince the bank..."

Remember that in the event of a dispute it's up to your bank to prove that the transaction was verified by PIN, and to do so they would have to produce their data trail - the one that is generated by every card transaction. It's not good enough for them to simply say that the PIN was entered, and leave it at that.

  johndrew 10:33 13 Feb 10

I agree with your statement about the requirement placed on the banks. My problem is that I simply don't trust a word they say in the first place so how can I believe they will follow the data trail or even tell the truth. Their business, demonstrably, is making money for themselves and looking after it; this doesn't necessarily read across to their customers' money.

  Pine Man 11:23 13 Feb 10

My CC was cloned and I was screwed out of about £10,000. Before I even knew what was going on I was contacted by Capital One, my card was stopped, a new one was issued and the fraudulent amounts removed from my account.

There was no call for me to prove anything other than to complete a pro-forma statement at a later date confirming that the unlawful purchases were not mine.

  robin_x 01:25 16 Feb 10

I was done once and I am sure it was my local garage.

I don't have a huge number of places I use my debit card in.

They got £4,500 before the card was stopped.
(When it hit my overdraft limit)

Took 6 months and lots of letters and emails before it was all resolved. It was a right pain.

This thread is now locked and can not be replied to.
