Chip & PIN not safe from fraud

27 February 2008

Chip & PIN machines do not adequately protect shoppers' account details, leaving millions at risk of fraud, a new report claims.

Professors from the University of Cambridge rubbish industry claims that Chip & PIN machines are secure from fraud. Their research found that fraudsters are able to tap into PIN entry devices (PEDs) and record an individual’s account details.

This information allows them to create counterfeit cards and withdraw cash abroad where signatures are still allowed.

Saar Drimer, one of the researchers at the University of Cambridge computer laboratory that carried out the research, said that criminals would not need to be technically sophisticated in order to carry out an attack on a Chip & PIN machine.

He added: “The vulnerabilities we found were caused by a series of design errors by the manufacturers. They can be exploited because Britain's banks set up the Chip & PIN in an insecure way… A villain who taps this gets all the information he needs to make a fake card, and to use it.”

The report says widely deployed models of PEDs are failing to protect customers' card details and PINs adequately despite being certified by Visa and APACS as secure.

Ross Anderson, professor of Security Engineering at Cambridge, said: “The lessons we learned are not limited to banking. Other fields, such as voting machines and electronic medical record systems, suffer from the same combination of stupid mistakes, sham evaluations and obstructive authorities.”

Anderson is now calling on APACS and Visa to publish their evaluation of the security of Chip & PIN machines.

APACS doesn’t dispute the dangers of Chip & PIN fraud but says that the risk is low.

Sandra Quinn, director of communications at APACS, said: “There are easier and cheaper ways to commit fraud. Chip & PIN is safer than signatures – in fact, if we still had people signing for card payments then fraud would probably hit £1 billion this year. As it is, retail fraud has reduced since Chip & PIN was introduced.”

Chip & PIN was introduced in the UK in February 2005, ending transactions in which the magnetic strip on the back of the card and a signature were used for verification.

However, one reason why fraud is still possible with the Chip & PIN system is that many countries still use magnetic strip ID. Fraudsters are therefore able to produce counterfeit cards in the UK that can be used abroad.

Quinn added that until all countries adopt Chip & PIN, fraudsters will be able to find loopholes in its security.

Protect your card from Chip & PIN fraud

Anderson says that banks are responsible for doing more to prevent attacks on shoppers. He believes that more sophisticated card design, to prevent interception, is needed. Blocking magnetic strip transactions could reduce the chances of fraud, but this would also prevent people from using their cards in many overseas countries.

As a consumer there is not much you can do to prevent fraudsters getting your details via Chip & PIN machines.

However, Anderson says that recently launched iCVV-compliant cards are less vulnerable to fraud. You would need to contact your bank to see if they will re-issue your card.
