Chip and PIN credit card attack leaves banks on shaky ground according to one analyst, although oddly enough the banks appear to disagree.
Researchers at the University of Cambridge Computer Laboratory have revealed how the Chip and PIN credit card security system is flawed and left vulnerable to fraud. Steven Murdoch, Saar Drimer, Ross Anderson and Mike Bond, the researchers in question, have apparently tested the 'wedge' attack scenario against cards issued by most of the mainstream banks in the UK and found them all to be equally vulnerable.
Of course, this is not the first time that cards have been compromised. It was 18 months ago that I was reporting about chip and PIN protection being cracked like a rotten egg following the bust of a card skimming factory. But that required a foreign loophole to come in to play, and this new attack vector is different, much more direct and seemingly much more dangerous. More dangerous, even, than the Tesco supermarket chip and PIN machine tampering case I wrote about at the end of 2008.
Dr Drimer told Physorg that "The technical sophistication for carrying out this attack is low, and the compact equipment will not be noticed by shop staff. A single criminal can develop and industrialise a kit to be used by others who do not need to understand how the attack works".
That said, it isn't quite as straightforward as it might at first sound from that description. As I understand it, the wedge attack involves attaching a circuit board with a chip/transmitter (which can be concealed up your sleeve apparently) onto the chip on the credit card which allows the user to key any number into the PIN machine to gain authorisation. The user must also wear a backpack with a computer inside which does the necessary and sends a signal to the terminal, via the attached circuit board, that all is well.
The UK Cards Association, which acts as a trade body for the banks, told the Daily Mail that it did not believe the threat was a serious one, saying "We believe that this complicated method will never present a real threat to our customers cards".
However, Jay Abbott, a director at PricewaterhouseCoopers LLP, is not so sure. "Essentially, what the scientists have come up with is a very effective and simple way of exploiting weaknesses in the system" he explains, adding that he agrees that the fraud does require a very specific scenario to become effective. "A number of electronic components are involved that require concealment, therefore the fraudster must remain in contact with the card at all times. A simple process change by the retailer of asking for the card holder to hand over the card would break the circuit, although this possibility can be eliminated if the card reader is fixed to a point on the other side of the counter" Abbott says.
When it comes to the reaction of the banks, Abbott seems a little surprised, insisting that "At present, the customer is accountable for the fraud as banks argue that pin verified transactions are secure. Given this attack demonstrates a clear method of bypassing the pin system, this assertion by the banks stands on shakier ground".