Chip and PIN security flaw uncovered

An investigation by the UK's London Programme has uncovered a security flaw in Chip and PIN payment cards which allows fraudsters to disable and over-ride chip security measures using information embedded in the magnetic strip.

  0 Be the first to comment

Chip and PIN security flaw uncovered

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

The television programme, which aired last night, showed an anoymous "industry insider" cloning a chip-based payment card using software and a skimming device bought on the Internet.

The skimming device records data embedded in the magnetic strip on a smartcard, but information stating that the card contains a chip can be changed using the illegal software. The data is then copied onto a basic plastic card, such as those used for mobile top-ups. Programme makers were able to use the cloned card to withdraw cash from an ATM.

The findings of the investigation were presented to the UK's Association for Payment Clearing Services (Apacs). In a statement issued to the programme makers, Apacs says: "When fully in place, chip and PIN technology will identify chip and PIN cards that have been fraudulently tampered with in this way, and also fraudulent copies of those cards."

But in the programme, Sandra Quinn, director of corporate communications, Apacs, did admit that data embedded in the magnetic strip on a card can be accessed and copied by fraudsters but insisted that it cannot be changed: "That data will always say 'there is a chip on this card' therefore if there's no chip on the card the fraudster can't use it."

But research conducted by Ross Anderson, head of security engineering at Cambridge University, found that if a card with a damaged chip is presented at an ATM or POS terminal, then the device falls back to magnetic strip operation.

David Cooper, risk management, Lloyds TSB, told the programme that although banks in Europe were committed to using chip-based technology, financial firms in the US have not made much effort to move into chip and PIN yet, so the industry isn't able to drop magentic strips from payment cards.

Despite the security risks uncovered, Quinn says cards containing both chips and magnetic strips will be around "for a very long time".

Sponsored [Webinar] Solving the KYC challenge with end-to-end processes

Comments: (0)

[On-Demand Webinar] SaaS savvy: Preparing for embedded and data driven bank paymentsFinextra Promoted[On-Demand Webinar] SaaS savvy: Preparing for embedded and data driven bank payments