Slashdot Mirror


Chip and Pin "Weakness" Exposed By Cambridge Researchers

another random user writes "A vulnerability in the widely used chip and pin payment system has been exposed by Cambridge University researchers. Cards were found to be open to a form of cloning, despite past assurances from banks that chip and pin could not be compromised. In a statement given to the BBC, a spokeswoman for the UK's Financial Fraud Action group said: 'We've never claimed that chip and pin is 100% secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud.'"

8 of 133 comments

  1. Never trust security through obscurity by dajjhman · · Score: 4, Informative

    Lots of these systems use proprietary protocols and have pushed out 3rd party verification by researchers. The random number being generated by time? Any serious security auditor would have caught that if the banks allowed them in; one of the golden rules of cryptography is to have a proper random number generator. The contact-less systems in the US came under similar fire this past year, after years of assurances by card issuers that it couldn't happen. http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo-shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets/

    --
    The man who cannot imagine a horse galloping on a tomato is an idiot - Andre Breton
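    An added illustration (not from the thread or from the researchers' paper) of the kind of check an auditor could run over logged terminal "unpredictable numbers" to catch a clock-derived generator like the one the comment above describes; the sample data, thresholds and function names are constructed for this example.

```python
import random
from math import sqrt

# Constructed data for illustration: each sample is (terminal clock in seconds,
# 32-bit "unpredictable number" sent to the card). The weak series is a
# clock-derived counter; the good series comes from a seeded PRNG standing in
# for a proper hardware RNG so the run is reproducible.
_T0 = 1_700_000_000
WEAK_SAMPLES = [(_T0 + 7 * i, ((_T0 + 7 * i) * 2) & 0xFFFFFFFF) for i in range(50)]
_rng = random.Random(1234)
GOOD_SAMPLES = [(_T0 + 7 * i, _rng.getrandbits(32)) for i in range(50)]


def pearson(xs, ys):
    """Linear correlation coefficient between two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / sqrt(vx * vy)


def stuck_bits(values, width=32):
    """Count bit positions that hold the same value in every sample."""
    all_and, all_or = values[0], values[0]
    for v in values[1:]:
        all_and &= v
        all_or |= v
    # A bit is stuck if it is 1 in every value (set in AND) or 0 in every value
    # (clear in OR); in both cases the AND and OR bits agree.
    return sum(1 for b in range(width) if (all_and >> b) & 1 == (all_or >> b) & 1)


def audit_unpredictable_numbers(samples):
    """Return a list of findings; an empty list means these checks saw nothing."""
    times = [t for t, _ in samples]
    uns = [u for _, u in samples]
    findings = []
    if len(set(uns)) < 0.9 * len(uns):            # heavy repetition
        findings.append("repeated values")
    if abs(pearson(times, uns)) > 0.9:            # tracks the terminal clock
        findings.append("correlated with terminal clock")
    if stuck_bits(uns) > 8:                       # far less than 32 bits of state
        findings.append("stuck bits")
    return findings


if __name__ == "__main__":
    print("weak:", audit_unpredictable_numbers(WEAK_SAMPLES))
    print("good:", audit_unpredictable_numbers(GOOD_SAMPLES))
```

    A real audit would add proper statistical tests over many more samples; the point here is that a clock-driven counter fails even these coarse checks.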
    1. Re:Never trust security through obscurity by scdeimos · · Score: 4, Funny

      A web cam pointed at a lava lamp works for some people.

    2. Re:Never trust security through obscurity by lxs · · Score: 5, Informative

      It's not that they cannot accept cards like that, but that the processor will not reimburse the shop in case of fraud. At least that's the case here in the Netherlands.

  2. Security by obscurity by jenningsthecat · · Score: 4, Insightful

    All the locks in the world won't keep crooks out of your house if you don't use the locks. Your house may LOOK invulnerable, but one day somebody's gonna try the door, find it open, and steal you blind.

    The same principle applies here - using obvious and predictable 'random' code generation, and relying on people not knowing that's what you're doing, only works for so long.

    And arrogant people, (and companies, and banks), who crow about how secure their systems are, are just asking for it. Serves the fuckers right; but it's too bad that credit card holders are paying the price for their creditors' arrogance.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    1. Re:Security by obscurity by Solandri · · Score: 4, Interesting

      And arrogant people, (and companies, and banks), who crow about how secure their systems are, are just asking for it. Serves the fuckers right; but it's too bad that credit card holders are paying the price for their creditors' arrogance.

      If it came out of the pockets of the credit card holders, it probably would've been fixed long ago. The problem is that the credit card companies have gamed it so that it comes out the pockets of the merchants. And no merchant can realistically refuse to accept credit cards if he's serious about running a business. The credit card companies have even managed to trick most card holders into thinking that they're doing the noble thing and paying for fraud, when in most cases it's the merchant who pays. After all, those high interest rates and annual fees have to be paying for something, not going straight into their pocket, right?

      The analogy between labor and employers works here. Merchants need a union so they can negotiate on an even footing with the 3 credit card companies which control the vast majority of the electronic transaction market.

  3. Presumed secure = blame the user by muhula · · Score: 5, Informative

    In the US, a simple magnetic stripe is used to encode the data, which can be duplicated with little effort. Even if your credit card is swiped at a brick and mortar retailer, this well-known vulnerability gives consumers some credibility against the credit card issuer when they claim to have not made the purchase. The scary part of this chip and pin vulnerability is that banks have a history of blaming the consumer and not issuing refunds since chip and pin was presumed to be secure. From the article, "Others [banks] reported already being suspicious of the strength of unpredictable numbers... If those assertions are true, it is further evidence that banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds."

  4. The problem is shifting liability by nemesisrocks · · Score: 4, Interesting

    The problem with the claim that Chip & Pin is more secure is that the card processors (Visa, Mastercard) used it as a justification to shift liability from the Bank over to the Merchant.

    With swiped transactions, when a customer disputes the transaction, the Merchant isn't automatically liable for the transaction -- they only need to prove the customer actually made the purchase (e.g. producing the signed receipt). With Chip & Pin, the merchant is automatically assumed to be liable, according to the merchant agreement. There's very little a merchant can do to dispute the chargeback.

  5. It's worse - Liability is shifted to the CARDHOLDER by brunes69 · · Score: 4, Informative

    Re-read your chip & PIN liability statements. Chargebacks with chip & PIN are very difficult to do and weighed heavily against the cardholder.

    By default, if a transaction is conducted via chip & PIN, the consumer is liable for all charges. The use of a PIN constitutes, in the eye of the bank, a de-facto shift of liability for the transaction. In the event of a dispute, it is up to THE CONSUMER to provide evidence that he / she did not perform the transaction. This is a marked shift from the old magstripe / signature liability, where it was up to the merchant to prove that it was you making the purchase in a dispute. Now, it is up to the consumer to prove it WASN'T you - good luck with that!

    I am glad people are finally waking up to this because I avoided chip & PIN as long as possible due to this, but it is being rammed down our throats, along with this liability shift, and no one is noticing.