...that it stores on its chip. If the PIN is correct, the card sends a verification code — 0x9000 — back to the terminal, which completes the transaction.
The researchers succeeded in building a man-in-the-middle device that reads a card and — at the appropriate time in the verification process — sends a 0x9000 code to the terminal, regardless of the PIN that has been entered.
As a demonstration, the researchers inserted a genuine card into a standard smartcard reader from Alcor Micro, which was connected to a laptop running a Python script. The laptop was connected to an FPGA board via a serial link. The FPGA board, a Spartan-3E Starter Kit, converted the interfaces between the card and the PC.
The FPGA board was connected to a Maxim 1740 interface chip, which was linked via thin wires to a fake card, used for insertion in the terminal.
Once the fake card was inserted, the Python script running on the laptop relayed the transaction, suppressed the verify PIN command issued by the terminal, and responded with the 0x9000 code.
The researchers said that attackers could carry similar kit in a backpack, with the wires trailing down a sleeve, for use with a stolen valid card.
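The following is an added example, not taken from the article or from the researchers' script: a simplified Python model of the PIN-verification step described above, showing what the terminal and the card each record and the mismatch an issuer-side check could look for. It assumes the card's own record of whether it saw a PIN check reaches the issuer; all class, field and function names are hypothetical, and the command names are symbolic labels rather than real card messages.

```python
# Simplified model only: no real card messages are built or parsed here.
SW_OK = 0x9000    # success status quoted in the article
SW_FAIL = 0x6300  # stand-in for any non-success status in this model


class Card:
    def __init__(self, pin):
        self._pin = pin
        self.pin_verified = False  # the card's own record for this transaction

    def handle(self, command, data=None):
        if command == "VERIFY_PIN":
            self.pin_verified = (data == self._pin)
            return SW_OK if self.pin_verified else SW_FAIL
        return SW_OK  # every other command succeeds in this model


def direct_channel(card):
    """Terminal talks to the card with nothing in between."""
    return card.handle


def interposed_channel(card):
    """Behaviour the article reports: the PIN check never reaches the card,
    and the terminal receives 0x9000 anyway."""
    def handle(command, data=None):
        if command == "VERIFY_PIN":
            return SW_OK
        return card.handle(command, data)
    return handle


def run_transaction(channel, card, entered_pin):
    """Return (terminal's record, card's record) for one purchase."""
    send = channel(card)
    send("SELECT")
    terminal_pin_ok = send("VERIFY_PIN", entered_pin) == SW_OK
    send("GENERATE_AC")
    return {"pin_verified": terminal_pin_ok}, {"pin_verified": card.pin_verified}


def issuer_flags(terminal_rec, card_rec):
    """Flag a transaction where the terminal reports a PIN check the card never saw."""
    return terminal_rec["pin_verified"] and not card_rec["pin_verified"]
```

In the interposed case the terminal's record says the PIN was verified while the card's record says it was not, and that disagreement is the only trace the model leaves.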
Anderson noted that in disputed transactions, if the transaction has been verified by PIN, the liability for the loss rests on the consumer rather than on the bank or merchant.
The UK Payments Administration, which represents the interests of payments-card companies, said that the overwhelming majority of point-of-sale card transactions in the UK — over 90 percent — are conducted via chip and PIN. In 2008, UK debit, credit and charge cards were used to make 7.4 billion purchases worth a total of £380bn, but this includes all types of card transactions, the organisation said.
Mark Bowerman, spokesman for UK Payments Administration, acknowledged the Cambridge researchers' paper, but rejected their conclusions.
"We are taking this paper very seriously, as maintaining excellent levels of card security is paramount," he said. "However, we strongly refute the allegation that chip and PIN is broken."
There is no evidence that the type of attack outlined in the Cambridge paper is happening in UK shops, Bowerman noted. He added that the research will help the UK Payments Administration map out the direction criminals may move in.
Chip-and-PIN authentication has contributed to significant reductions in card-based scams, Bowerman said. "Last year, we announced that card fraud had dropped, and we are expecting next month's release of the full 2009 figures to follow this trend," he said. "Existing security practices are clearly working."