
A team of computer researchers claims to have uncovered flaws in the Chip and Pin system which are being exploited by fraudsters to use stolen cards.

The group from the University of Cambridge's Computer Laboratory found criminals can insert a "wedge" between the card and terminal, tricking the terminal into believing the pin was correctly verified.

In fact, any pin can be used for the transaction to go through. The card thinks the transaction is authorised by signature (see the ID Fraud and Stay Safe Online guides).

Dr Steven Murdoch says: "We have tested this attack against cards issued by most major UK banks. All have been found to be vulnerable."

The discovery is likely to place question marks over the existing Chip and Pin design and its security.

Victims of this fraud may encounter problems obtaining refunds from their banks as the receipt produced states "Verified by Pin".

Professor Ross Anderson says: "Over the past five years, thousands of cardholders have had stolen Chip and Pin cards used by criminals. The banks often tell customers that their pin was used and so it's their fault.

"Yet we've shown that it's easy to use a card without knowing the pin - and the receipt will say the transaction was 'Verified by Pin' even though it wasn't.

"This is not just a failure of bank technology, it's a failure of bank regulation. The Ombudsman supported the banks and the regulators have refused to do anything. They were just too eager to believe the banks."

The UK Cards Association has dismissed the claim, saying that while the research shows it is possible in theory, this does not mean it is possible in reality.

A spokeswoman says: "We believe this complicated method will never present a real threat.

"It requires possession of a customer's card and unfortunately there are much simpler ways to commit fraud under these circumstances at much less risk to the criminal."
