Slashdot Mirror


European Credit and Debit Card Security Broken

Jack Spine writes "With nearly a billion users dependent on smart banking credit and debit cards, banks have refused liability for losses where an identification number has been provided. But now, the process behind the majority of European credit and debit card transactions is fundamentally broken, according to researchers from Cambridge University. The researchers have demonstrated a man-in-the-middle attack which fooled a card reader into accepting a number of point-of-sale transactions, even though the cards were not properly authenticated. The researchers used off-the-shelf components (PDF), and a laptop running a Python script, to undermine the two-factor authentication process on European credit and debit cards, which is called Chip and PIN."

2 of 245 comments

  1. Re:Chip and Chip security... wait a second! by shentino · Score: 4, Interesting

    The problem is that the server storing your account information is trusting the terminal.

    If the terminal can get away with trusting the signal it's getting from the card, then it's actually possible for a counterfeit terminal to rob you without even having the card.

  2. Re:Noviant Haydont by CrashandDie · Score: 4, Interesting

    The Chip and PIN principle is a lot older in Europe than anywhere else in the world. Asia is far behind, however converting fast, and the US is down the drain. France has implemented a Chip'n'PIN system since the early 90s, and Belgium has been using its local equivalent (Bancontact) since the mid-90s. Because credit/debit cards are synonymous with Chip and PIN cards in Europe, EMV has become a synonym for a unified European payment system.

    The US has massive plans to implement EMV. The main difference is that banks are quite opposed to it because the cost of overhauling their complete architecture for the sake of fraud is quite a difficult thing to sell -- we're not talking about a simple card update, every single Point of Sale will need a new terminal, every single individual will need his card replaced. How many credit cards are used in North America? 700 million if my memory serves me well, or more. At roughly $15 per card, when bought in high quantities, that's quite a lot of money. Each terminal costs roughly $150-$230, so that's not a small investment either.

    Next to that, you need the network connectivity, and the servers to handle it. I remember discussing this with a colleague some time ago, and by eyeballing it quickly, we got a number of roughly $100 to $130 per customer. Obviously, the banks could always ask for more cash from the government to pay for it?

    Source: I work in the industry.