ITPRO

Printed from www.itpro.co.uk


Researchers claim chip and PIN is 'broken'

Cambridge researchers have claimed the four-year-old secure payments system is leaving consumers open to fraud.

By Jennifer Scott, 12 Feb 2010 at 15:08

Researchers from the University of Cambridge have slammed chip and PIN technology for leaving consumers vulnerable to fraudulent attacks.

The four researchers – Steven Murdoch, Saar Drimer, Ross Anderson and Mike Bond – from the Cambridge Computer Laboratory have claimed that a flaw in the EMV technology (named after the three firms that use it: Europay, MasterCard and Visa) allows criminals to use a card to make payments without the PIN and to remain undetected following the fraud.

“The fraudster performs a man-in-the-middle attack to trick the terminal into believing the PIN verified correctly, while telling the issuing bank that no PIN was entered at all,” the report claimed.

“This attack can be used to make fraudulent purchases on a stolen card.”

The report has been released just days before chip and PIN celebrates its fourth birthday on Sunday.

Stephen Howes, chief executive of GrIDsure, commented on the research, saying it brings real concerns about banking security.

“This latest revelation about Chip and PIN cards has yet again called into question the confidence we can have in our banks and their attitude to our security,” he said in a statement.

“As we know, the banking industry is self regulated, so it can’t just bury its head in the sand especially when it’s responsible for policing its own fraud. Consumers are being forced to use a system that has been shown to be broken, and ultimately it will be consumers who suffer.”

The report concluded: “Rather than leaving its member banks to patch each successive vulnerability, the EMV consortium should start planning a redesign and an orderly migration to the next version.”

“In the meantime, the EMV protocol should be considered broken.”
