- ICM Commercial & Business News - http://news.icm.ac.uk -
Cambridge scientists prove Chip and PIN “broken”
Posted by admin on February 12, 2010 @ 1:00 pm in Business, Europe, Finance, IT, Lifestyle & Culture, Retail, Science, Technology
Researchers at Cambridge University have revealed a key flaw in the Chip and PIN system.
Researchers at the University of Cambridge Computer Laboratory have uncovered flaws in the Chip and PIN system that allow criminals to use stolen credit and debit cards without knowing the correct PIN.
In what is known as a “Man in the Middle” attack, criminals can easily insert a “wedge” between the stolen card and the terminal, which tricks the terminal into believing that the PIN was correctly verified. In fact, the fraudster can enter any PIN, and the transaction will be accepted.
The attack uses apparently unsophisticated technology and involves carrying a separate card reader in a backpack. The fraudster puts the stolen credit or debit card into the shop’s reader, but the second reader in the backpack then sends a “PIN okay” signal to the shop terminal. The shop terminal then sends back a transaction go-ahead signal to the terminal with the stolen card, and money is taken off it.
The research was carried out by Steven J Murdoch, Saar Drimer, Ross Anderson and Mike Bond, researchers at the Computer Laboratory, University of Cambridge, and is due to be presented at the IEEE Symposium on Security and Privacy conference in Oakland in May. Researchers from the team demonstrated the attack in an episode of the BBC Newsnight programme last night (11 February).
Professor Ross Anderson said: “Chip and PIN is fundamentally broken. We think this is one of the biggest flaws that we’ve uncovered – that has ever been uncovered – against payment systems, and I’ve been in this business for 25 years.”
Victims of this attack may have a difficult time being refunded by their bank. The receipt produced will state “Verified by PIN”, and bank records will show that the correct PIN was used. Banks may then argue that the customer must have been negligent and allowed the criminal to learn their PIN.
Dr Drimer said: “This is not just a failure of bank technology. It’s a failure of bank regulation. The ombudsman supported the banks and the regulators have refused to do anything. They were just too eager to believe the banks.”
The security shortcomings apply to cards based on EMV (Eurocard Mastercard Visa), the most widely deployed standard for smartcard payments, which is used by millions of credit and debit cards, mostly in Europe.
In their blog, the researchers stressed: “We’re really worried that if something isn’t done to fix this problem, and the many others we’ve found in EMV, other regions adopting it (like the USA) are going to make the same mistakes again and again – and that means customers stay vulnerable.
“That’s why again we’re arguing that Chip and PIN is broken. We don’t want people keeping their money in shoe boxes – we want the problems fixed. That means getting decent governance for the system that involves all the stakeholders – banks, regulators, merchants and customers.”
URL to article: http://news.icm.ac.uk/business/retail/cambridge-scientists-prove-chip-and-pin-broken/5554/