Thread:Comments:Chip and PIN 'not fit for purpose', says Cambridge researcher/Those in positions of power shirking responsibility and lying?/reply (3)

Merchants are advised that they should ensure the cardholder removes their hand from the card during a Chip and PIN transaction, and that there are no wires connecting the card to the cardholder.

This simple defence renders Professor Anderson's somewhat convoluted "Backpack Computer" attack ineffective.

To date, no mechanism can be demonstrated -- in the laboratory or in the field -- whereby the PIN can be obtained from the cryptographically protected area of the chip in which it is held.

Therefore the assertion that the technology is not fit for purpose is invalid.

There is an easier way to obtain someone's PIN -- look over their shoulder. So unless the entire concept of entering a "secret number" is deemed invalid, the technology should not be attacked.