ghacks Technology News

European Payment Cards Security Problem

A recently released technical paper entitled “Chip and PIN is broken” by security researchers Steven Murdoch, Saar Drimer, Mike Bond and Ross Anderson demonstrates a man-in-the-middle attack that lets criminals use stolen payment cards without knowing the PIN.

This is obviously a serious security problem, as banks have always claimed that the security of the cards cannot be broken. The exploit exists because the negotiation about how the cardholder should be authenticated is not itself authenticated. Criminals can therefore trick the “card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN”, which means that any four-digit PIN can be entered to complete the transaction.

Here are several facts about the attack:

  • the attack applies to cards used online (where the merchant POS contacts the bank) as well as offline;
  • the attack works regardless of the amount of money spent (not just for small value amounts that are below floor limit);
  • the attack doesn’t work once a card has been cancelled by the bank — just like stolen cards in the past can only be used for a certain window of time once the cardholder discovers the loss;
  • the attack doesn’t work at ATMs (cash machines);
  • the failure applies to bank card schemes based on EMV – the most widely deployed standard for smartcard payments. Older national smartcard schemes may or may not be vulnerable; we don’t know.
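
The disagreement between the card's view and the terminal's view described above can be caught wherever both views reach the same party. The following check is an added example, not code from the paper or from this article: it compares the terminal's CVM Results (EMV tag 9F34) with the card's own record of whether it verified a PIN. The `AuthRequest` record, its field names and the sample transactions are constructed, and the example assumes the issuer receives both values and has already decoded the card's scheme-specific data into a boolean.

```python
from dataclasses import dataclass

# CVM Results (EMV tag 9F34) is 3 bytes: method performed, condition, result.
# Low 6 bits of byte 1 name the method; these codes mean the card checked a PIN.
OFFLINE_PIN_METHODS = {0x01, 0x03, 0x04, 0x05}
CVM_SUCCESSFUL = 0x02  # byte 3 value meaning the method succeeded


@dataclass
class AuthRequest:  # hypothetical record; field names are assumptions
    txn_id: str
    cvm_results: bytes       # terminal's view of cardholder verification
    card_verified_pin: bool  # card's view, assumed already decoded by the issuer


def terminal_claims_offline_pin(cvm_results: bytes) -> bool:
    if len(cvm_results) != 3:
        raise ValueError("CVM Results must be exactly 3 bytes")
    method = cvm_results[0] & 0x3F  # drop the 'apply next rule on failure' flag
    return method in OFFLINE_PIN_METHODS and cvm_results[2] == CVM_SUCCESSFUL


def assess(req: AuthRequest) -> str:
    try:
        claimed = terminal_claims_offline_pin(req.cvm_results)
    except ValueError:
        return "decline: malformed CVM Results"
    if claimed and not req.card_verified_pin:
        # Terminal believes chip-and-PIN, card believes otherwise.
        return "decline: terminal and card disagree on PIN verification"
    if req.card_verified_pin and not claimed:
        return "review: card verified a PIN the terminal did not report"
    return "consistent"


# Constructed sample transactions (not real data).
SAMPLES = [
    AuthRequest("t1", bytes.fromhex("410302"), True),   # PIN, both sides agree
    AuthRequest("t2", bytes.fromhex("410302"), False),  # views disagree
    AuthRequest("t3", bytes.fromhex("1e0300"), False),  # signature, both agree
    AuthRequest("t4", bytes.fromhex("4103"), False),    # truncated field
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.txn_id, assess(s))
```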




About the Author: Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand.

Author: Martin Brinkmann, Saturday February 13, 2010


Responses so far:

  1. Jack says:

    Chip&PIN wasn’t introduced to increase security. It was introduced to pass the security buck to the customer. You only have to listen to the excuses above to realise the banks’ priorities. They are happy to accept the losses of fraud as an operating expense to be passed eventually to the customer.

    There have been other flaws in the system for some time – it’s only a year since my card was compromised in a dodgy supermarket reader. But try telling the banks…
