Professor Ross Anderson from the Cambridge University Computer Laboratory has shown how crooks can now successfully use a card without knowing the PIN.

It turns out that the exchange the card reader uses to ask the card whether the entered PIN is correct is not itself authenticated. This makes it relatively easy to trick the card reader into accepting any four-digit PIN as the correct one.

This obviously has serious repercussions for anyone who has their card stolen.

This works whether the card reader is online or offline to the card provider.

There is usually a very short window between the card being stolen and the user cancelling it. But if a card is used in this time and the purchase is verified by PIN, the card provider assumes it was the user, not the thief, and so does not refund the money. That, after all, was the purpose of chip and PIN.

This has been known about for several months and Steven Murdoch blogged about it on ‘Light Blue Touchpaper’ last August.

All that has to be done is for the card reader to receive a ‘yes’ answer from the card saying that the PIN is correct. It appears that there is more than one way of doing this.

According to Professor Anderson it will take a complete rewrite of the security protocols to make this system secure, a system that was once heralded as the way to eliminate card crime.
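To make the flaw and the shape of the fix concrete, here is an added, constructed simulation (not code from the original article, from Professor Anderson's group, or from any real card system, and not EMV's actual message format or key hierarchy). It models a card answering a PIN check with a bare yes/no that the reader simply trusts, a device sitting between card and reader that rewrites every answer to "yes", and then the same check with the answer bound to a fresh challenge under a key the issuer can verify. The key, PIN and message names are all constructed for the demo; binding the verification result into a keyed tag is the general principle of authenticating the result, not the specific protocol change the industry adopted.

```python
import hmac
import hashlib
import secrets

# Constructed demo values: a symmetric key shared by the card and its issuer
# (the terminal never holds it) and a sample PIN. Not real card material.
ISSUER_CARD_KEY = b"constructed-demo-key-not-a-real-card-key"
CARD_PIN = "1234"


class Card:
    """Toy chip card. verify_pin mirrors the flaw described above: the card's
    yes/no is a bare status that the reader trusts without authentication."""

    def __init__(self, pin: str, key: bytes):
        self._pin = pin
        self._key = key

    def verify_pin(self, entered: str) -> str:
        # Bare, unauthenticated result: anything sitting between card and
        # reader can rewrite it and the reader cannot tell.
        return "PIN_OK" if entered == self._pin else "PIN_FAIL"

    def verify_pin_bound(self, entered: str, challenge: bytes) -> tuple:
        # Same decision, but the result is tied to a fresh challenge under a
        # key only card and issuer hold: a rewritten result no longer matches
        # the tag, and an old "PIN_OK" cannot be replayed on a new challenge.
        result = self.verify_pin(entered)
        tag = hmac.new(self._key, challenge + result.encode(), hashlib.sha256).digest()
        return result, tag


def interpose(result: str) -> str:
    """Models the device between card and reader that turns every answer
    into 'yes' (the page's point that the reader only needs to hear 'yes')."""
    return "PIN_OK"


def issuer_accepts(challenge: bytes, result: str, tag: bytes) -> bool:
    """Issuer-side check: recompute the tag over the challenge and the
    result actually reported, using the card's key."""
    expected = hmac.new(ISSUER_CARD_KEY, challenge + result.encode(), hashlib.sha256).digest()
    return result == "PIN_OK" and hmac.compare_digest(expected, tag)


def purchase_unauthenticated(entered_pin: str, tampered: bool) -> bool:
    """Reader trusts the bare status. Returns True if the sale goes through."""
    card = Card(CARD_PIN, ISSUER_CARD_KEY)
    result = card.verify_pin(entered_pin)
    if tampered:
        result = interpose(result)
    return result == "PIN_OK"


def purchase_bound(entered_pin: str, tampered: bool) -> bool:
    """Reader forwards challenge, result and tag to the issuer, which
    verifies that the tag covers the result it was given."""
    card = Card(CARD_PIN, ISSUER_CARD_KEY)
    challenge = secrets.token_bytes(16)   # fresh per transaction
    result, tag = card.verify_pin_bound(entered_pin, challenge)
    if tampered:
        result = interpose(result)        # tag still covers the real answer
    return issuer_accepts(challenge, result, tag)


if __name__ == "__main__":
    print("wrong PIN, untampered, bare status :", purchase_unauthenticated("0000", False))
    print("wrong PIN, tampered,   bare status :", purchase_unauthenticated("0000", True))
    print("wrong PIN, tampered,   bound result:", purchase_bound("0000", True))
    print("right PIN, untampered, bound result:", purchase_bound("1234", False))
```

Run as a script, the second line shows the sale succeeding on a wrong PIN once the bare status is rewritten, while the third shows the issuer rejecting the same rewrite because the tag was computed over "PIN_FAIL". The fresh challenge is what stops a captured "PIN_OK" plus tag from a genuine earlier purchase being replayed.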

This was demonstrated on Newsnight last night and should be ringing alarm bells with all users. The banks will now also be at serious risk from some card users who see a way of getting free goods. The banks' trade body, the UK Cards Association, has denied that this is a serious matter.

Now that the police defer all card crime to the providers to sort out or report, we can see the costs of any increase in card crime being passed on. This will of course be in the normal form of bank charges, higher interest rates for borrowers and lower returns for savers. Fraud for the card providers is a zero-sum game. Why invest in more technology when the unsuspecting users will pick up the tab without affecting profits?
