12 February 2010
Ross Anderson and his team at Cambridge University have been reporting on security and operational flaws on the UK's Chip and PIN card authentication system for some time, but now they have published their full report on the technology.
And, the Cambridge researchers claim, after testing their theories in a live retail environment, they have concluded that the system is crackable and therefore "broken" in the several places.
At the heart of Chip & PIN's alleged multiple flaws lies the fact that the PIN – in a heavily encrypted format – is held on the card itself, rather than on the bank computer network, as was originally planned in the earliest days of PIN-based card authentication systems in the 1970s.
Because of this, Anderson and Steven Murdoch and his colleagues have developed a methodology by which a card can be inserted into a retail terminal and, when a PIN is input into the terminal and the terminal 'pings' the card's chipset to verify the encrypted on-card PIN, the data stream can be intercepted.
In a series of demonstrations, Murdoch and his team were able to input a PIN of four zeroes into the card terminal in a university shop, intercepting the data stream in such a way that the terminal returned a positive affirmation that the PIN was correct.
In a BBC TV Newsnight demonstration last evening, the researchers 'cracked' the PINs of two credit and two debit cards in the wallets of a BBC camera crew person, using a PIN of 0000 in all cases.
The actual PINs used by the card owners were different, but by intercepting the card interrogation data stream, the research team was able to fool the terminal – and the bank card network – into thinking a PIN verification had taken place, and the transactions were then authorised.
Murdoch said: "We have tested this attack against cards issued by most major UK banks. All have been found to be vulnerable."
The discovery places some severe question marks over the existing Chip and PIN design and its security methodology, Infosecurity notes.
Cambridge's Anderson said: "Over the past five years, thousands of cardholders have had stolen Chip and PIN cards used by criminals. The banks often tell customers that their pin was used and so it's their fault."
"Yet we've shown that it's easy to use a card without knowing the pin – and the receipt will say the transaction was `verified by PIN' even though it wasn't."
According to Anderson, this is not just a failure of bank technology. It's a failure of bank regulation.
"The ombudsman supported the banks and the regulators have refused to do anything. They were just too eager to believe the banks."
Stephen Howes, CEO of Gridsure, the developers of a pictorial alternative to the numeric PIN system, and a long-standing critic of Chip and PIN, believes that the Cambridge research has shown that Chip and PIN cards can no longer be considered as a two-factor authentication method.
"This latest revelation about Chip and PIN cards has yet again called into question the confidence we can have in our banks and their attitude to our security", he said.
"As we've seen in recent comments, banks are all trying to hide behind each other by claiming it's an 'industry issue', so the question to be asked is: Who is actually going to take responsibility for this?"
According to Howes: "as we know, the banking industry is self regulated, so it cannot just bury its head in the sand, especially when its responsible for policing its own fraud."
"Consumers are being forced to use a system that has been shown to be broken, and ultimately it will be consumers who suffer", he explained.
"These Cambridge scientists have unearthed a fundamental flaw in the system and I think most people will be gobsmacked", he said.
"Effectively they've discovered that Chip and PIN can no longer be considered a two-factor solution and banks must consider making a wholesale change to their approach to fraud, which certainly wont just take five minutes", he added.