European Credit and Debit Card Security Broken
Jack Spine writes "With nearly a billion users dependent on smart banking credit and debit cards, banks have refused liability for losses where an identification number has been provided. But now, the process behind the majority of European credit and debit card transactions is fundamentally broken, according to researchers from Cambridge University. The researchers have demonstrated a man-in-the-middle attack which fooled a card reader into accepting a number of point-of-sale transactions, even though the cards were not properly authenticated. The researchers used off-the-shelf components (PDF), and a laptop running a Python script, to undermine the two-factor authentication process on European credit and debit cards, which is called Chip and PIN."
The researchers used off-the-shelf components (PDF), and a laptop running a Python script...
It is long past time for governments to criminalize the use of Python.
More music, fewer hits
No. The problem is that the terminal isn't validating the PIN against anything it can trust... it's sending the entered PIN to the card and trusting the result returned, which can easily be spoofed. If the PIN was server-side, it could trust a results-only message... but that's not what's happening here.
and this actually happens quite a bit, we usually pay out unless:
it matches the customer's spending pattern,
they tell us they kept the PIN with the card,
a family member was doing it.