Chip and PIN is broken, say researchers

Summary: A flaw in the protocol underlying chip-and-PIN transactions allows an attacker to push through a purchase without a valid PIN

...that it stores on its chip. If the PIN is correct, the card sends a verification code — 0x9000 — back to the terminal, which completes the transaction.

The researchers succeeded in building a man-in-the-middle device that reads a card and — at the appropriate time in the verification process — sends a 0x9000 code to the terminal, regardless of the PIN that has been entered.

As a demonstration, the researchers inserted a genuine card into a standard smartcard reader from Alcor Micro, which was connected to a laptop running a Python script. The laptop was connected to an FPGA board via a serial link. The FPGA board the researchers used was a Spartan-3E Starter Kit, which was used to convert the interfaces for the card and PC.

The FPGA board was connected to a Maxim 1740 interface chip, which was linked via thin wires to a fake card, used for insertion in the terminal.

Once the fake card was inserted, the Python script running on the laptop relayed the transaction, suppressed the verify PIN command issued by the terminal, and responded with the 0x9000 code.
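To make the protocol failure concrete from the defender's side, here is a constructed toy model of the VERIFY step described above (added here; it is not the researchers' Python script). It assumes a simplified APDU layout with a raw PIN in place of a real PIN block, and shows why the terminal alone cannot tell a forged 0x9000 from a genuine one, while the card's own record of whether it ever checked a PIN diverges from the terminal's, which is the kind of cross-check an issuer could apply.

```python
VERIFY_INS = 0x20      # EMV VERIFY instruction byte (offline PIN check)
SW_OK = 0x9000         # status word a card returns when the PIN matches
SW_PIN_WRONG = 0x63C2  # 63Cx: wrong PIN, x tries left (constructed value)


class Card:
    """Genuine card: checks the PIN it stores and records the outcome."""
    def __init__(self, pin: bytes):
        self.pin = pin
        self.pin_verified = False  # the card's own record of the PIN check

    def process(self, apdu: bytes) -> int:
        if apdu[1] == VERIFY_INS:
            # simplified: real cards compare a formatted PIN block, not raw digits
            self.pin_verified = (apdu[5:] == self.pin)
            return SW_OK if self.pin_verified else SW_PIN_WRONG
        return SW_OK


class Terminal:
    """Terminal: sends VERIFY over whatever channel sits between it and the card."""
    def __init__(self, channel):
        self.channel = channel
        self.pin_verified = False  # the terminal's record of the PIN check

    def verify_pin(self, entered: bytes) -> bool:
        apdu = bytes([0x00, VERIFY_INS, 0x00, 0x80, len(entered)]) + entered
        # the terminal's only evidence is the status word it gets back
        self.pin_verified = (self.channel(apdu) == SW_OK)
        return self.pin_verified


def relay(card: Card):
    """Channel modelling the device in the article: VERIFY is suppressed and
    answered with 0x9000; every other command is passed to the real card."""
    def channel(apdu: bytes) -> int:
        if apdu[1] == VERIFY_INS:
            return SW_OK  # the card never sees a VERIFY, so it never checks a PIN
        return card.process(apdu)
    return channel


def run_transaction(entered_pin: bytes, relayed: bool) -> dict:
    """Returns both parties' records plus the consistency check an issuer could run."""
    card = Card(b"1234")  # constructed PIN for the demo
    term = Terminal(relay(card) if relayed else card.process)
    approved = term.verify_pin(entered_pin)
    return {"terminal_approved": approved,
            "card_verified": card.pin_verified,
            "inconsistent": approved != card.pin_verified}
```

With the relay in place, `terminal_approved` is true for any entered PIN while `card_verified` stays false; only a party that sees both records (the issuer, not the terminal) can notice the mismatch.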

The researchers said that attackers could carry similar kit in a backpack, with the wires trailing down a sleeve, for use with a stolen valid card.

Consumer liability
Anderson noted that in disputed transactions, if the transaction has been verified by PIN, the liability for the loss rests on the consumer rather than on the bank or merchant.

The UK Payments Administration, which represents the interests of payments-card companies, said that the overwhelming majority of point-of-sale card transactions in the UK — over 90 percent — are conducted via chip and PIN. In 2008, UK debit, credit and charge cards were used to make 7.4 billion purchases worth a total of £380bn, but this includes all types of card transactions, the organisation said.

Mark Bowerman, spokesman for UK Payments Administration, acknowledged the Cambridge researchers' paper, but rejected their conclusions.

"We are taking this paper very seriously, as maintaining excellent levels of card security is paramount," he said. "However, we strongly refute the allegation that chip and PIN is broken."

There is no evidence that the type of attack outlined in the Cambridge paper is happening in UK shops, Bowerman noted. He added that the research will help the UK Payments Administration map out the direction criminals may move in.

Chip-and-PIN authentication has contributed to significant reductions in card-based scams, Bowerman said. "Last year, we announced that card fraud had dropped, and we are expecting next month's release of the full 2009 figures to follow this trend," he said. "Existing security practices are clearly working."

Tom is a technology reporter for, writing about all manner of security and open-source issues. Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books. Tom eventually found tha...