Banks beware: Chip and Pin System is Flawed.
Posted by: Kindred on Feb 12, 2010
For the last couple of years there has been a movement in the banking world to require that new credit cards and debit cards are all chip and pin. Now this is a system that I have always hated because I don't want a pin number for my credit card.
The banks had in fact put so much faith in the chip and pin system that they would deny claims of false charges on your bank statement if those charges showed up as having been made with chip and pin. I think it is now time for the banks to reconsider their faith. In fact they potentially need to place it somewhere else.
Recently, in what appears to be the last couple of days, a huge security flaw has shown up in the chip and pin system. Researchers working at Cambridge University have demonstrated how it is possible to break the system.
The attack tricks the swipe unit into thinking that it is getting a valid pin, while at the same time tricking the card into believing it has not been placed into a chip and pin terminal. This is done by inserting a "wedge" between the card and the reader. It has been suggested that this wedge is small enough that shop assistants will not be able to notice it.
What I find really interesting about this attack is that, not surprisingly, it works with a terminal that is offline (i.e. not in communication with the bank), but it also works with a terminal that is online.
Some things to note about this attack: technically it is quite a simple attack, and it appears to be not very sophisticated. Secondly, and importantly, this attack will not work with ATMs, so they can't just draw all your cash. They just get to go on shopping sprees with stolen cards.
Personally, the biggest problem I think is going to arise from this form of attack is the banks. Currently they have blind faith in the chip and pin technology, and with this faith and their pushing it out towards the masses, the public has been gaining this faith as well. This has led to a certain social problem: because people have believed that their cards are safe, they have taken longer to report stolen cards etc. These points have raised a couple of flags in my head:
- While the banks have this blind faith, they will not refund fraudulent transactions because in their opinion, with this system, there can't be fraudulent transactions. This opinion needs to change with this new legitimate information.
- With the general public having this false sense of security, they will allow fraudsters longer to go on shopping sprees. The public needs to get back into the paranoid state of: if a card is stolen, report it immediately.
If this whole situation wasn't bad enough, the researchers discovered a number of other security flaws in the specification which in their opinion need to be fixed, although they have not listed all the flaws. Personally I believe that even this one flaw is too much in a banking system that has been accepted with blind faith.
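To make the description above concrete, here is an added simulation (my own illustration, not the researchers' code and not a real EMV implementation) of the pin verification step: an honest reader-to-card channel is compared with a wedged one, and an assumed issuer-side consistency check, which the post does not describe, shows how the mismatch between what the terminal reports and what the card itself recorded could be spotted.

```python
from dataclasses import dataclass
# Constructed, simplified model of the PIN step of a chip and pin purchase.
# Names and structure are my own; this is not real EMV code.

@dataclass
class Card:
    """The chip. It records which verification it actually performed."""
    pin: str
    cvm_performed: str = "none"  # the card's own view of what happened

    def verify_pin(self, entered_pin: str) -> bool:
        self.cvm_performed = "pin"
        return entered_pin == self.pin

    def cryptogram_data(self) -> dict:
        # Data the card protects with its own cryptogram when it talks to the
        # bank; an interposed device cannot rewrite it without detection.
        return {"cvm_performed": self.cvm_performed}

@dataclass
class Terminal:
    """The reader. It records the result of the check it believes it ran."""
    cvm_result: str = "unknown"

    def run_pin_check(self, channel, entered_pin: str) -> None:
        self.cvm_result = "pin_ok" if channel(entered_pin) else "pin_failed"

def honest_channel(card: Card):
    # Normal case: the reader's PIN request reaches the card.
    return card.verify_pin

def wedge_channel(card: Card):
    # The wedge described above: it answers the reader's PIN request itself
    # and never passes it on, so the card proceeds as if no PIN were required.
    return lambda entered_pin: True

def issuer_consistency_check(terminal: Terminal, card: Card) -> str:
    """Assumed issuer-side check (not described in the post): the terminal's
    verdict and the card's own record must agree on whether a PIN was used."""
    card_view = card.cryptogram_data()["cvm_performed"]
    if terminal.cvm_result == "pin_ok" and card_view != "pin":
        return "inconsistent"
    return "consistent"

def run_purchase(channel_factory, entered_pin: str) -> tuple:
    """Return (terminal's view, card's view, issuer verdict) for one purchase."""
    card, terminal = Card(pin="1234"), Terminal()  # constructed sample PIN
    terminal.run_pin_check(channel_factory(card), entered_pin)
    card_view = card.cryptogram_data()["cvm_performed"]
    return terminal.cvm_result, card_view, issuer_consistency_check(terminal, card)
```

With the wedge in place the terminal records a successful pin check while the card's own data says no pin was ever verified, which is exactly the disagreement the issuer can look for.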
The researchers have made a statement that they are really worried that if something isn't done to fix this flaw, then customers in many regions around the world are going to continue to make the same mistakes, which will result in customers staying vulnerable. I agree with this, and I think it is a huge problem. You do not want customers thinking that they have a good secure system while in fact they are using a flawed one. False security is a really bad thing. I am not suggesting people live in a paranoid world. I am rather suggesting people be careful in this world.
For those people that are interested in the more technical side of this, you can read the paper that was submitted to the 2010 IEEE Symposium on Security and Privacy.