14 February, 2010

PIN NO MORE A SECURITY MEASURE

A fatal flaw in the chip and PIN technology that is supposed to guarantee the security of millions of credit and debit cards has been identified by scientists.

The loophole means stolen cards can be used in shop terminals and bank cash machines without being identified, it is claimed.

In theory, thieves would be able to make purchases and cash withdrawals without needing to key in the four-digit PIN or being detected.

The chip and PIN system became universal on Valentine's Day 2006, replacing the use of signatures to authorise purchases.

At the time banks said the introduction of the PIN system would reduce card fraud because even if a card was stolen it could not be used by a thief who did not know the number.

Card fraud did fall initially; however, the figure rose 43 per cent by the end of 2008 to £610 million and is thought to have risen even higher last year.

Professor Ross Anderson, from the Cambridge University Computer Lab, has uncovered a number of ways in which the system can be beaten. However, he claims the latest discovery is shocking in its simplicity.

Prof Anderson claims the banks may now need to rewrite the security software around the entire chip and PIN system in order to make it fully secure.

The researchers discovered that a small circuit board containing a computer chip and transmitter can be attached to the chip on the plastic card and concealed up the sleeve.

This communicates with a computer stored in a backpack worn by the criminal when using the card at a till or cash machine.

When the user is asked for the four-digit PIN to authorise the transaction, they only need to key in a random code. The software attached to the card then signals to the till terminal that a correct PIN has been used.

'We think this is one of the biggest flaws that has ever been uncovered against the PIN system and I have been in this business for 25 years,' said Prof Anderson.

Details of the flaw were revealed on BBC's Newsnight programme last night. It showed how four different cards could be authorised for purchases in a Cambridge University canteen by using a fake PIN of 0000.

Consumer lawyer Stephen Mason told the programme: 'The loopholes in the chip and PIN system are serious and I don't think they have been properly addressed by the banks. They really have to think about this seriously.'

The introduction of chip and PIN brought with it a greater risk that victims of card fraud would have to carry the cost of any losses.

Some banks have refused to refund losses where they argued consumers had been careless with their cards or failed to keep their PIN a secret.

Prof Anderson added: 'The banks have been lying about the security of their systems and the industry regulators have been completely gullible.'

But the banks' trade body, the UK Cards Association, denied the discovery was serious.

'We believe that this complicated method will never present a real threat to our customers' cards,' it said.
