===2010: Hidden hardware disables PIN checking on stolen card===
{{Wikinews|Chip and PIN 'not fit for purpose', says Cambridge researcher}}
On 11 February 2010 Murdoch and Drimer's team at Cambridge University announced that they had found "a flaw in chip and PIN so serious they think it shows that the whole system needs a re-write" that was "so simple that it shocked them". A stolen card is connected to an electronic circuit and to a fake card which is inserted into the terminal (a "[[man-in-the-middle attack]]"). Any four digits can be typed in and accepted as a valid PIN.<ref name=EMVPINverificationwedgevulnerability>{{cite web | author = Steven J. Murdoch |author2=Saar Drimer |author3=Ross Anderson |author4=Mike Bond | title = EMV PIN verification "wedge" vulnerability | publisher = Computer Laboratory, University of Cambridge | url = http://www.cl.cam.ac.uk/research/security/banking/nopin/ | access-date = 2010-02-12}}</ref><ref name=BBC201002>{{cite news |author=Susan Watts |url=https://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html |work=BBC News |title=New flaws in chip and pin system revealed |date=11 February 2010 |access-date= 2010-02-12}}</ref> A team from the BBC's ''Newsnight'' programme visited a Cambridge University cafeteria (with permission) with the system, and were able to pay using their own cards (a thief would use stolen cards) connected to the circuit, inserting a fake card and typing in "0000" as the PIN. The transactions were registered as normal, and were not picked up by banks' security systems. A member of the research team said, "Even small-scale criminal systems have better equipment than we have. The amount of technical sophistication needed to carry out this attack is really quite low." The announcement of the vulnerability said, "The expertise that is required is not high (undergraduate level electronics). We dispute the assertion by the banking industry that criminals are not sophisticated enough, because they have already demonstrated a far higher level of skill than is necessary for this attack in their miniaturized PIN entry device skimmers." It was not known whether this vulnerability had been exploited, but it could explain unresolved cases of claimed fraud.<ref name=BBC201002/> EMVCo disagreed and published a response saying that, while such an attack might be theoretically possible, it would be extremely difficult and expensive to carry out successfully, that current compensating controls are likely to detect or limit the fraud, and that the possible financial gain from the attack is minimal while the risk of a declined transaction or exposure of the fraudster is significant.<ref>{{cite web |title = Response from EMVCo to the Cambridge University Report on Chip and PIN vulnerabilities ('Chip and PIN is Broken' – February 2010) |publisher = EMVCo |url = http://www.emvco.com/documents/EMVCo_response_to_Cambridge_Report.pdf |access-date = 2010-03-26 |archive-url = https://web.archive.org/web/20100508040131/http://www.emvco.com/documents/EMVCo_response_to_Cambridge_Report.pdf |archive-date = 8 May 2010 |url-status = dead |df = dmy-all }}</ref> The Cambridge team disagrees: they carried the attack out without the banks noticing, using off-the-shelf equipment with some non-sophisticated additions, and less bulky versions could easily be made. Those producing such equipment for the attack need not put themselves at risk, but can sell it to anybody via the Internet.<ref name=BBC201002/> When approached for comment, several banks (Co-operative Bank, Barclays and HSBC) each said that this was an industry-wide issue, and referred the ''Newsnight'' team to the banking trade association for further comment.<ref>{{cite web| last1=Susan| first1=Watts| title=New flaws in chip and pin system revealed (11 February 2010)| url=https://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html |website=Newsnight|publisher=BBC|access-date=9 December 2015}}</ref> According to Phil Jones of the [[Which?|Consumers' Association]], Chip and PIN has helped to bring down instances of card crime, but many cases remain unexplained. "What we do know is that we do have cases that are brought forward from individuals which seem quite persuasive."{{citation needed|date=March 2020}} The attack exploits the fact that the choice of cardholder verification method is not authenticated, which is what allows the man-in-the-middle device to sit between card and terminal. The terminal asks for a PIN, accepts whatever is entered, and gets the transaction confirmed by the card, which believes it is performing a card-and-signature transaction (which could indeed succeed offline). It also works online, perhaps because of insufficient checks.<ref>{{cite web |url=https://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/ |title=Chip and PIN is broken |date=2010-02-11 |author=Ross Anderson |quote=It's no surprise to us or bankers that this attack works offline [...] the real shocker is that it works online too}}</ref> Originally, bank customers had to prove that they had not been negligent with their PIN before getting redress, but UK regulations in force from 1 November 2009 placed the onus on banks to prove that a customer has been negligent in any dispute, with the customer given 13 months to make a claim.<ref name=bankliable>{{cite news |author=Richard Evans |date=15 October 2009 |url=https://www.telegraph.co.uk/finance/personalfinance/consumertips/banking/6338659/Bank-payments-13-months-to-dispute-suspicious-transactions.html |archive-url=https://web.archive.org/web/20091021224314/http://www.telegraph.co.uk/finance/personalfinance/consumertips/banking/6338659/Bank-payments-13-months-to-dispute-suspicious-transactions.html |url-status=dead |archive-date=21 October 2009 |newspaper=The Telegraph |title=Card fraud: banks now have to prove your guilt |access-date=10 May 2015}}</ref> Murdoch said that "[the banks] should look back at previous transactions where the customer said their PIN had not been used and the bank record showed it has, and consider refunding these customers because it could be they are victim of this type of fraud."<ref name=BBC201002/>
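As an added illustration that is not part of the article, the following simplified model shows why the exchange described above succeeds and what an issuer-side consistency check would see: the terminal records "PIN verified" on the strength of the wedge's reply, while the card's own cryptogram data records that no PIN was ever verified. Messages are plain Python values rather than real EMV APDUs, and the field names and the consistency check are assumptions made for the example.

```python
# Simplified model (constructed for illustration) of the PIN-verification
# "wedge" and of an issuer-side consistency check. Not real EMV encoding.
from dataclasses import dataclass

PIN_OK = 0x9000    # status word a card returns when VERIFY succeeds
PIN_FAIL = 0x63C2  # constructed: VERIFY failed, two tries remaining


@dataclass
class Card:
    pin: str
    cvr_pin_verified: bool = False  # card's own record of a successful PIN check

    def verify(self, pin: str) -> int:
        self.cvr_pin_verified = (pin == self.pin)
        return PIN_OK if self.cvr_pin_verified else PIN_FAIL

    def generate_ac(self) -> dict:
        # Card's view of the transaction, carried to the issuer with the cryptogram
        return {"cvr_pin_verified": self.cvr_pin_verified}


class Wedge:
    """Man-in-the-middle between terminal and card: answers VERIFY itself
    with 'PIN OK' and forwards every other command to the real card."""

    def __init__(self, card: Card):
        self.card = card

    def verify(self, pin: str) -> int:
        return PIN_OK  # the real card never sees the VERIFY command

    def generate_ac(self) -> dict:
        return self.card.generate_ac()


def terminal_transaction(card_like, entered_pin: str) -> dict:
    """Terminal: ask for a PIN, trust the status word, then request the cryptogram."""
    sw = card_like.verify(entered_pin)
    terminal_cvm = {"pin_verified": sw == PIN_OK}
    if not terminal_cvm["pin_verified"]:
        return {"approved": False}
    return {"approved": True, "terminal_cvm": terminal_cvm,
            "card_data": card_like.generate_ac()}


def issuer_consistency_check(msg: dict) -> str:
    """Assumed mitigation: the terminal's claim must agree with the card's record."""
    if not msg["approved"]:
        return "declined"
    if msg["terminal_cvm"]["pin_verified"] and not msg["card_data"]["cvr_pin_verified"]:
        return "mismatch: terminal reports PIN verified, card did not verify one"
    return "consistent"
```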