'Flaw' in chip and PIN 'means thieves can use cards without needing security code'

operon

Member
A fatal flaw in the chip and PIN technology that is supposed to guarantee the security of millions of credit and debit cards has been identified by scientists.
The loophole means stolen cards can be used in shop terminals and bank cash machines without being identified, it is claimed.
In theory, thieves would be able to make purchases and cash withdrawals without needing to key in the four digit PIN or being detected.
The chip and PIN system became universal on Valentine's Day 2006, replacing the use of signatures to authorise purchases.
At the time banks said the introduction of the PIN system would reduce card fraud because even if a card was stolen it could not be used by a thief who did not know the number.
Card fraud did fall initially; however, the figure rose 43 per cent by the end of 2008 to £610million and is thought to have risen even higher last year.
Professor Ross Anderson, from the Cambridge University Computer Lab, has uncovered a number of ways in which the system can be beaten. However, he claims the latest discovery is shocking in its simplicity.
Prof Anderson claims the banks may now need to rewrite the security software around the entire chip and PIN system in order to make it fully secure.
The researchers discovered that a small circuit board containing a computer chip and transmitter can be attached to the chip on the plastic card and concealed up the sleeve.
This communicates with a computer stored in a backpack worn by the criminal when using the card at a till or cash machine.
When the user is asked for the four digit PIN to authorise the transaction, they only need to key in a random code.

The software attached to the card then signals to the till terminal that a correct PIN has been used.
'We think this is one of the biggest flaws that has ever been uncovered against the PIN system and I have been in this business for 25 years,' said Prof Anderson.
Details of the flaw were revealed on BBC's Newsnight programme last night. It showed how four different cards could be authorised for purchases in a Cambridge University canteen by using a fake PIN of 0000.
Consumer lawyer, Stephen Mason, told the programme: 'The loopholes in the chip and PIN system are serious and I don't think they have been properly addressed by the banks. They really have to think about this seriously.'
The introduction of chip and PIN brought with it a greater risk that victims of card fraud would have to carry the cost of any losses.

Some banks have refused to refund losses where they argued consumers had been careless with their cards or failed to keep their PIN a secret.
Prof Anderson added: 'The banks have been lying about the security of their systems and the industry regulators have been completely gullible.'
But the banks' trade body, the UK Cards Association, denied the discovery was serious.
'We believe that this complicated method will never present a real threat to our customers' cards,' it said.
Source Daily Fail

Is this more daily fail nonsense or can this be actually used?
 
Umm, you can already swipe a debit card as a credit transaction and not have to enter a PIN at all. PINs are about as worthless as WEP keys.
 

Skilotonn

xbot xbot xbot xbot xbot
Well good job on detailing the problem Daily Mail, including an ideal setup in how to do this, WITH illustration no less!
 

Alx

Member
If the card has to be linked to a backpack, it's easy to find a way to avoid this fraud scenario: just require the cashier to insert the card himself (like they do in half the shops already).
 
Maybe INTERAC has made it policy in Ontario, but every time I've been told I need to use the chip, they take my card and insert it. Most places refuse to let me do it.
 

Wes

venison crêpe
I fail to see the connection to the BBC in this article.

Oh wait, I see the Newsnight bit now. Keep it up Daily Mail. (Even if the mention is almost complimentary? All press is bad press?)
 

Tritroid

Member
Skilotonn said:
Well good job on detailing the problem Daily Mail, including an ideal setup in how to do this, WITH illustration no less!

Yeah, the news media is full of such brilliance, always has been. I remember back after 9/11 and the height of the terrorism scare some channels would show how to build a home-made bomb.

humanity at its finest.
 
Hmm, didn't realize it was a Brit article. I use my fiance's debit card all the time (in the States) and I don't know her pin, I just run it as a credit transaction, and I never have to enter one. Funny thing is, I still sign for the transaction, I'm not a signer on her account, and her credit union has never said shit.
 

operon

Member
Skilotonn said:
Well good job on detailing the problem Daily Mail, including an ideal setup in how to do this, WITH illustration no less!

now all we need is the blueprint for the device and the source code and we're in the money :D :D
 

mf.luder

Member
TheNiX said:
Maybe INTERAC has made it policy in Ontario, but every time I've been told I need to use the chip, they take my card and insert it. Most places refuse to let me do it.


Could be but a lot of shops have the device locked on the counter nearest you, and the clerk would have to almost climb over the counter to use it.

I agree that they should enforce clerks inserting the cards, it seems like an easy way to prevent most of this. But the device would need to be movable to lower WSIB claims.
 

zou

Member
SmokyDave said:
So cancel your cards when you lose them? Just common sense really.

Except that's the first thing any system always needs to address. Many people aren't that "smart".
 

Keylime

...so not only does someone have to steal your card...but they need to have one of these computer backpacks on with a wire running down their sleeve?

Come on, man...how many people are going to have the wherewithal to do that shit?

It's a problem, sure, but let's not pretend (not saying anyone here is) that this is a big threat to consumers or something.

...I mean everyone assumes that if you lose your credit card you should cancel it or expect someone to find it and use it...so all this really does is give you another reason to make sure you cancel your card if you lose it.

Who gives?!
 

-x.Red.x-

Member
Skilotonn said:
Well good job on detailing the problem Daily Mail, including an ideal setup in how to do this, WITH illustration no less!

I was looking down on where to buy this so-called device.
:lol
 

operon

Member
RubxQub said:
...so not only does someone have to steal your card...but they need to have one of these computer backpacks on with a wire running down their sleeve?

Come on, man...how many people are going to have the wherewithal to do that shit?

It's a problem, sure, but let's not pretend (not saying anyone here is) that this is a big threat to consumers or something.

...I mean everyone assumes that if you lose your credit card you should cancel it or expect someone to find it and use it...so all this really does is give you another reason to make sure you cancel your card if you lose it.

Who gives?!

This definitely must be a big problem or the Daily Mail wouldn't write about it, sure they couldn't be making out it's worse than it is right right :lol
 

Gamejunky

Member
I just had 400 dollars stolen out of my account by someone copying my card. Don't know if this is the same thing but at least my bank had fraud protection and I'm 100% covered.
 

RickD

Member
Gamejunky said:
I just had 400 dollars stolen out of my account by someone copying my card. Don't know if this is the same thing but at least my bank had fraud protection and I'm 100% covered.

Criminals in the UK usually use Fake ATM fronts with a card scanner and camera. It scans your card details and records you entering your PIN.

Then they clone the card, there is no need for this Backpack stuff.
 
mf.luder said:
Could be but a lot of shops have the device locked on the counter nearest you, and the clerk would have to almost climb over the counter to use it.

I agree that they should enforce clerks inserting the cards, it seems like an easy way to prevent most of this. But the device would need to be movable to lower WSIB claims.

a lot of places even have the reader device in a self checkout or places without cashiers in addition to out of reach of the cashier. at least they do in the US. they need to fix the glitch
 

Garjon

Member
RubxQub said:
...so not only does someone have to steal your card...but they need to have one of these computer backpacks on with a wire running down their sleeve?

Come on, man...how many people are going to have the wherewithal to do that shit?

It's a problem, sure, but let's not pretend (not saying anyone here is) that this is a big threat to consumers or something.

...I mean everyone assumes that if you lose your credit card you should cancel it or expect someone to find it and use it...so all this really does is give you another reason to make sure you cancel your card if you lose it.

Who gives?!

This is true, there are so many ways to obtain and copy someone's card details that this is kinda meaningless. Hell, a petrol station near my house was shut down after it was found out the employees were being paid to copy cards :eek:
 