Most of us tend to think that using a Chip and PIN to pay for stuff is a secure way of carrying out transactions, as long as we’re not being watched as we enter our PIN. Certainly more secure than relying on a signature that is itself hard to verify and rarely questioned.
But a team from Cambridge University featured on BBC Newsnight has managed to find a flaw, and reckon that the whole system now needs redeveloping in order to make it safe.
How to Fool Chip & PIN
So how have they managed to crack the system? Well, it’s not with a secret code as I was hoping it would be, but without going into too much detail (because they don’t want everyone at it), here’s how it works:
In essence the Cambridge researchers have discovered a way to carry out transactions without needing to know a card’s pin. A stolen card sits in an off-the-shelf card reader, inside a backpack. This allows it to communicate with a chip, running software written by the team and controlled from a laptop. All of this is hooked up to a fake card, which slots into the actual shop terminal. It is called a “man in the middle” attack because the software is tricking the terminal into thinking the pin has been verified. It makes the terminal think the correct pin has been entered, and the card think the transaction was authorised with a signature. At the end the receipt says ‘verified by pin’ so the bank is going to think the pin is entered directly, but the criminal actually did not know the pin.
Watch the geeks researchers as they fool the till in the Cambridge Uni cafe.
Unsophisticated
Now you may think that you’d need a Phd in electronics to be able to achieve this, but the researchers reckon even small time crims will be one step ahead. And I’m sure a quick Google search would find out the necessary hardware you need, and it’s probably all available in your local Maplins.
I guess the key thing is to keep track of your card, as it still appears that the criminals will need to have possession of it to rip you off.