Thursday, February 11, 2010

Fraud is easier with Chip and PIN Cards - and that's Official

Dr Murdoch's Computer Security group at Cambridge say they have been shocked at just how easy it has been to subvert the security of chip and PIN transactions.

Using a simple piece of electronics and some hair-thin wiring, an extra circuit can be inserted between the chip on the card and the card reader. The fraudster can then enter any PIN he likes and the transaction will be accepted. You might think this would be noticeable in-store, but no: the wiring can be hidden easily, and the electronics plus a battery can sit in a small bag or even be worn under clothing.

Dr Murdoch said "We have tested this attack against cards issued by most major UK banks. All have been found to be vulnerable."

Victims of this attack will have a very difficult time convincing their bank, because the receipt produced will state "Verified by PIN" and the bank's records will show that the correct PIN was used. Banks will argue (as they already do with fraudulent cash card withdrawals) that the customer must have been negligent and allowed the fraudster to learn their PIN.

Dr Drimer says: "The technical sophistication for carrying out this attack is low, and the compact equipment will not be noticed by shop staff. A single criminal can develop and industrialise a kit to be used by others who do not need to understand how the attack works."

Victims of fraud are commonly told that bank systems can be relied upon. This attack shows, however, that criminals can not only defraud customers but also cause bank systems to make the false assertion that the PIN was verified correctly.
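That false "PIN verified" record is something an issuer can still catch: the terminal and the card each report their own account of cardholder verification in the authorisation request, and in the attack described above the two accounts disagree. The following is an added example, not code from the Cambridge researchers or from any bank; it assumes the EMV CVM Results tag 9F34 and reduces the card's issuer-specific Card Verification Results (carried in tag 9F10) to a single flag.

```python
"""Issuer-side cross-check of what the terminal and the card each report
about cardholder verification.  Added example, not code from the Cambridge
group or from any bank.  Assumptions: the authorisation request carries the
terminal's CVM Results (EMV tag 9F34, three bytes: method, condition,
result) and the card's own Card Verification Results from its Issuer
Application Data (tag 9F10); real CVR layouts differ by card application,
so the CVR is reduced here to one 'card performed a successful PIN check' flag."""
from dataclasses import dataclass

# Low six bits of 9F34 byte 1 give the CVM code; bit 0x40 is a fallback flag.
OFFLINE_PIN_METHODS = {0x01, 0x03, 0x04, 0x05}  # PIN checked by the chip itself
ONLINE_PIN = 0x02                              # PIN checked by the issuer, not the card
CVM_RESULT_SUCCESS = 0x02                      # 9F34 byte 3: 00 unknown, 01 failed, 02 ok

@dataclass(frozen=True)
class AuthRequest:
    cvm_results: bytes       # terminal's tag 9F34
    card_pin_verified: bool  # distilled from the card's CVR (assumed single flag)

def terminal_claims_offline_pin(cvm_results: bytes) -> bool:
    """True when the terminal asserts that the chip verified the PIN successfully."""
    if len(cvm_results) != 3:
        raise ValueError("9F34 must be exactly 3 bytes")
    method = cvm_results[0] & 0x3F
    return method in OFFLINE_PIN_METHODS and cvm_results[2] == CVM_RESULT_SUCCESS

def check_cvm_consistency(req: AuthRequest) -> str:
    """Return 'ok' or the reason an issuer should decline or refer the transaction."""
    # The inserted circuit makes the terminal believe the PIN passed while the
    # card itself never ran a PIN check; only the card's own record exposes that.
    # Online PIN is excluded: the issuer checks it, so the card cannot vouch for it.
    if terminal_claims_offline_pin(req.cvm_results) and not req.card_pin_verified:
        return "mismatch: terminal reports offline PIN verified, card did not verify a PIN"
    return "ok"

if __name__ == "__main__":
    # Constructed sample requests, not captured transaction data.
    samples = {
        "genuine offline PIN": AuthRequest(bytes.fromhex("410302"), True),
        "wedge, any PIN typed": AuthRequest(bytes.fromhex("410302"), False),
        "signature": AuthRequest(bytes.fromhex("1E0000"), False),
        "online PIN": AuthRequest(bytes.fromhex("020000"), False),
    }
    for label, req in samples.items():
        print(f"{label:22s} -> {check_cvm_consistency(req)}")
```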

Professor Anderson says: "Over the past five years, thousands of cardholders have had stolen chip and PIN cards used by criminals .... we've shown that it's easy to use a card without knowing the PIN ...This is not just a failure of bank technology. It's a failure of bank regulation. The ombudsman supported the banks and the regulators have refused to do anything. They were just too eager to believe the banks."

And the banks' reaction? They believe the fraud is too complex to become widespread - this despite the sophisticated, computerised, custom-built equipment the police remove from cash machines in this country every week. Their other argument is that the customer's own card has to be used. Well, how many customers are ill in hospital? Bedridden? On holiday? Would these people even know if a card were missing?

This is just not good enough. I believe the Cambridge method is probably only the simplest of a number of attacks that would work. American banks have always maintained that Chip and PIN is in fact LESS secure than signature checks, which is why they do not use it.

One thing we do know is that the banks are unlikely to change a system they have spent many millions installing and implementing. Perhaps they will require people to wave their arms about between inserting the card and entering the PIN, to prove there are no wires. That should make for an entertaining trip to the supermarket! Ah well, maybe not. It's time to start checking your card bills and bank statements carefully... very carefully!


Comments are moderated, but I won't delete ones that are dissenting!