Chip and PIN 'not fit for purpose', says Cambridge researcher

February 14, 2010

University of Cambridge security expert Professor Ross Anderson has blasted the EMV system used worldwide for credit and debit card transactions, and known in the UK as Chip and PIN, after his research team discovered a serious vulnerability. The group were able to carry out purchases using a card, even without knowing the associated personal identification number (PIN), by using a "man-in-the-middle" attack.

Retail terminals at the point of sale require the cardholder to insert their card and enter their secret PIN before a transaction can be authorised. They then communicate with the microchip built into the card itself, which holds the PIN. If the correct number has been given, this chip returns a standard verification code (0x9000) to the terminal.

In the researchers' attack they inserted a genuine card into a second reader, connected to a laptop. The laptop is linked by thin wires to a fake card, which is inserted into the retailer's terminal. The laptop relays the communications between the terminal and the stolen, but genuine, card, up until the stage where the PIN is to be checked. At this point it intercepts and responds with the verification code, no matter what number was entered. The retailer's terminal then believes that the correct PIN has been entered, and the card can be told that a signature was used to verify the cardholder instead.
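A toy model of the exchange just described, added here as an illustration rather than code from the researchers or any EMV implementation: a simulated terminal talks either directly to a simulated card or through a relay that answers the PIN check itself, and an issuer-side check then compares what the terminal believes about cardholder verification with what the card recorded. Command names, status words and the card's record of the verification method are simplified assumptions; the point is that the two sides' records disagree whenever the PIN check was answered by someone other than the card.

```python
from dataclasses import dataclass

SW_OK = b"\x90\x00"          # status word the article cites for "PIN verified" (0x9000)
SW_PIN_WRONG = b"\x63\xc0"   # constructed "wrong PIN" status for the toy card
CVM_PIN, CVM_SIGNATURE, CVM_NONE = "PIN", "SIGNATURE", "NONE"

@dataclass
class Card:
    """Toy card: checks the PIN and records which verification method it actually saw."""
    pin: str
    cvm_seen: str = CVM_NONE

    def apdu(self, cmd: str, data: bytes = b"") -> bytes:
        if cmd == "VERIFY":
            return SW_OK if data.decode() == self.pin else SW_PIN_WRONG
        if cmd == "GENERATE_AC":            # terminal asks for the transaction cryptogram
            self.cvm_seen = data.decode()   # card keeps its own record of the CVM used
            return SW_OK
        return SW_OK

class Relay:
    """The device in the middle, as the article describes: passes everything through except VERIFY."""
    def __init__(self, card: Card):
        self.card = card

    def apdu(self, cmd: str, data: bytes = b"") -> bytes:
        if cmd == "VERIFY":
            return SW_OK                                        # answers 0x9000 without asking the card
        if cmd == "GENERATE_AC":
            return self.card.apdu(cmd, CVM_SIGNATURE.encode())  # card is told a signature was used
        return self.card.apdu(cmd, data)

def terminal_transaction(endpoint, entered_pin: str) -> str:
    """Terminal side: verify the PIN, then request the cryptogram, stating the CVM it believes was used."""
    sw = endpoint.apdu("VERIFY", entered_pin.encode())
    terminal_cvm = CVM_PIN if sw == SW_OK else CVM_NONE
    endpoint.apdu("GENERATE_AC", terminal_cvm.encode())
    return terminal_cvm

def issuer_consistent(terminal_cvm: str, card_cvm: str) -> bool:
    """Back-end check: the terminal's claim and the card's own record of the CVM must agree."""
    return terminal_cvm == card_cvm

def simulate(relayed: bool, entered_pin: str) -> tuple:
    """Run one transaction; returns (terminal's CVM, card's recorded CVM, consistent?)."""
    card = Card(pin="1234")                 # constructed sample PIN
    endpoint = Relay(card) if relayed else card
    terminal_cvm = terminal_transaction(endpoint, entered_pin)
    return terminal_cvm, card.cvm_seen, issuer_consistent(terminal_cvm, card.cvm_seen)
```

In the genuine case the terminal and card both record PIN; in the relayed case the terminal records PIN while the card records SIGNATURE regardless of the digits typed, which is the mismatch an issuer's back end can flag.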

Their technique has been tested successfully on cards from six different issuers: Bank of Scotland, Barclaycard, Co-operative Bank, Halifax, HSBC and John Lewis.

The group say that not much technical skill is required for the attack, and suggested the equipment needed could be kept in a backpack, with the wires to the fake card running down a user's sleeve. They believe the equipment could be miniaturised to the size of a remote control.

"In practice how this attack would work is that one reasonably technically skilled person would build a device that carries out the attack and then sell this equipment on the internet just like criminals already do," said Dr Steven Murdoch who worked on the project.

Professor Anderson claimed that the attack could already be in use by criminals. "We have many examples of people who have had their cards stolen and then purchases made using the chip and pin," he said. "They are adamant they didn't use it but if the banks say chip and pin has been used you have to pay. I think many of these people would have been victim of the kind of technique we have developed."

He was scathing about bank claims that the system was secure. "The banks are wrong. All the banks are lying. They are maliciously and wilfully deceiving the customer. If there was any justice then the police would be looking into this. The system is not fit for purpose."

Consumer group Which? have also called for an investigation, stating that in a recent survey one in seven people said that money had been taken from their accounts without authorisation. Around half of these did not have the money refunded by the bank.

"We want the banks to look into these potential flaws," said Cathy Neal from Which? Money, "because we have had many examples where the banks have said a pin was used and the customer said it hasn't."

Over 90 percent of UK card transactions at point-of-sale use chip and PIN, according to the UK Payments Administration. The attack does not affect ATM transactions, which use different standards. Mark Bowerman, a spokesman for the group which represents card companies, said that there was no evidence the attack was in use and emphasised that card fraud had fallen with the introduction of chip and PIN.

"We are taking this paper very seriously, as maintaining excellent levels of card security is paramount," he said. "However, we strongly refute the allegation that chip and PIN is broken."

The research paper has been made available as a working draft, and is due to be published at the IEEE Security and Privacy Symposium in May 2010. Members of the banking industry were informed of the vulnerability in early December last year.