European Credit and Debit Card Security Broken
Jack Spine writes "With nearly a billion users dependent on smart banking credit and debit cards, banks have refused liability for losses where an identification number has been provided. But now, the process behind the majority of European credit and debit card transactions is fundamentally broken, according to researchers from Cambridge University. The researchers have demonstrated a man-in-the-middle attack which fooled a card reader into accepting a number of point-of-sale transactions, even though the cards were not properly authenticated. The researchers used off-the-shelf components (PDF), and a laptop running a Python script, to undermine the two-factor authentication process on European credit and debit cards, which is called Chip and PIN."
Chip & Pin has never been about minimising fraud - it's about pushing the responsibility from the banks onto the customers. And they're doing the same thing with the ridiculous Verified By Visa programme which just trains people to fall for phishing scams.
It seems this system was designed expressly to limit banks' liability by providing the illusion of security. "Oh, fraudulent charges, are they? But you entered your PIN... Can you prove your PIN was compromised? No? Tough then, pay up."
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Card swipe and PIN appears to be better. While I can easily copy a card, there's no way I can manufacture a card which will work with any PIN.
This is one of the areas where the US is actually ahead of the game. For credit cards, there's $50 liability maximum for the cardholder. For ATM/debit cards, it's also $50 if you notify them within 2 days, but $500 if you notify them within 60 days, of finding out about it. They can't just say "Impossible" and have you jailed for having the temerity to claim a charge was fraudulent (as has happened in the UK).
The idea of forcing people to enter PINs into any machine controlled by a retailer was ridiculous from day one - the supposed extra security of Chip & Fraud was merely a way for the banks to transfer liability for fraud to the customer. (Happily the FSA has now forbidden them to do this unless they have actual genuine proof that the customer gave away their PIN - well done guys, springing into action after only 4 years of complaints).