Chip and Pin Diet Unhealthy for Credit Cards, Cambridge Says; Unique Numbers not that Unique
Cambridge University researchers recently found a disturbing vulnerability in the chip-and-pin payment system which lets an attacker who briefly gets hold of a card impersonate it in later transactions, an effect the researchers liken to cloning, as reported by the BBC.
The results of the research project were presented at the Cryptographic Hardware and Embedded Systems (CHES) 2012 conference in Leuven, Belgium, and they pointed to major flaws not in the underlying cryptography but in how it is implemented in payment terminals.
The researchers say that, despite the long-standing use of the system, banks may not have focused enough on this aspect of its security, which would explain why this vulnerability is just now “starting to come under proper scrutiny from academics, media and industry alike”.
Simply put, the security of a chip-and-pin transaction rests on a 32-bit “unpredictable number” (UN) that the terminal generates for each transaction and that the card folds into the cryptogram it returns to authorise it. The researchers found that in some terminals the UN is anything but unpredictable: it is derived from dates and timestamps, so an attacker can work out in advance which values a given terminal will use.
“If you can predict [the UN], you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location,” researcher Mike Bond explained in a blog post, as quoted by the BBC. “You can as good as clone the chip. It’s called a pre-play attack.”
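The following simulation is an added example, not code from the Cambridge paper, the BBC report or any bank or terminal vendor. It models the situation described above: a toy card that MACs the terminal's UN together with the amount, date and transaction counter, an issuer that verifies the MAC, and an attacker who, having had momentary access to the genuine card, stores cryptograms for the UNs he expects a particular terminal to produce and later presents them from a clone that holds no key at all. HMAC-SHA256 stands in for EMV's 3DES-based cryptogram, the field layout, key, amounts and the weak timestamp-plus-counter generator are all constructed for illustration, and `looks_predictable` is a heuristic of my own for eyeballing UNs logged from one terminal, not a test from the paper.

```python
# Added example: pre-play against a toy EMV-style cryptogram. All formats,
# keys and the weak UN generator are constructed; nothing here is vendor code.
import hashlib
import hmac
import os
import struct


def _tx_data(amount: int, date: bytes, un: bytes, atc: int) -> bytes:
    # A real ARQC covers amount, date, UN and ATC among other fields; this layout is constructed.
    return struct.pack(">Q", amount) + date + un + struct.pack(">H", atc)


class Card:
    """Genuine card: holds the secret key and issues one cryptogram per GENERATE AC."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.atc = 0  # application transaction counter, incremented per cryptogram

    def generate_ac(self, amount: int, date: bytes, un: bytes) -> tuple[int, bytes]:
        self.atc += 1
        mac = hmac.new(self._key, _tx_data(amount, date, un, self.atc), hashlib.sha256)
        return self.atc, mac.digest()[:8]


class Issuer:
    """Issuer host: recomputes the MAC and rejects repeated or out-of-order ATCs."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.last_atc = 0

    def verify(self, amount: int, date: bytes, un: bytes, atc: int, arqc: bytes) -> bool:
        expected = hmac.new(self._key, _tx_data(amount, date, un, atc), hashlib.sha256).digest()[:8]
        if atc <= self.last_atc or not hmac.compare_digest(expected, arqc):
            return False
        self.last_atc = atc
        return True


def weak_un(tx_time: int, tx_index: int) -> bytes:
    """Constructed weak terminal: UN = minute-of-epoch || per-terminal counter, both guessable."""
    return struct.pack(">HH", (tx_time // 60) & 0xFFFF, tx_index & 0xFFFF)


def strong_un() -> bytes:
    """What the UN is supposed to be: 32 bits from a CSPRNG."""
    return os.urandom(4)


def harvest(card: Card, amount: int, date: bytes, predicted_uns: list[bytes]) -> dict[bytes, tuple[int, bytes]]:
    """Attacker with momentary access to the genuine card stores one cryptogram per predicted UN."""
    return {un: card.generate_ac(amount, date, un) for un in predicted_uns}


def pre_play(table: dict[bytes, tuple[int, bytes]], amount: int, date: bytes,
             terminal_un: bytes, issuer: Issuer) -> bool:
    """The clone answers the real terminal with a stored cryptogram, if that UN was predicted."""
    if terminal_un not in table:
        return False  # the clone has no key, so it cannot compute a fresh cryptogram
    atc, arqc = table[terminal_un]
    return issuer.verify(amount, date, terminal_un, atc, arqc)


def run_scenario(weak_terminal: bool, planned_time: int = 1_350_000_000) -> bool:
    """True if the pre-play transaction is accepted by the issuer."""
    key = bytes(range(16))                 # constructed card key shared with the issuer
    card, issuer = Card(key), Issuer(key)
    amount, date = 5000, b"\x12\x09\x15"   # constructed: 50.00 on a fixed date
    if weak_terminal:
        # Attacker knows the planned time to the minute and the counter to within a few steps.
        predicted = [weak_un(planned_time, i) for i in range(1, 6)]
        actual = weak_un(planned_time + 30, 3)    # same minute, counter inside the window
    else:
        predicted = [strong_un() for _ in range(5)]  # guessing 5 of 2**32 values
        actual = strong_un()
    table = harvest(card, amount, date, predicted)
    return pre_play(table, amount, date, actual, issuer)


def looks_predictable(samples: list[bytes]) -> bool:
    """Heuristic check on UNs logged from one terminal: flag if fewer than half the bits
    ever change across the samples, or if consecutive values mostly step by less than 256."""
    ints = [int.from_bytes(s, "big") for s in samples]
    changing = sum(1 for i in range(32) if len({(v >> i) & 1 for v in ints}) == 2)
    small_steps = sum(1 for a, b in zip(ints, ints[1:]) if 0 < b - a < 256)
    return changing < 16 or small_steps >= len(ints) // 2


if __name__ == "__main__":
    print("pre-play vs weak terminal accepted:", run_scenario(True))
    print("pre-play vs CSPRNG terminal accepted:", run_scenario(False))
```

Two points the toy makes explicit. The issuer's MAC check and ATC ordering are both satisfied by the replayed cryptogram, because every field the MAC covers was known to the attacker when he harvested it; the only freshness in the transaction is the UN, so the defence lives entirely in the terminal's random number generator. And a clone built this way works for the predicted terminal, amount and time only, which is exactly why the researchers call it a pre-play rather than a full clone.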
The Cambridge team notified major banks of their discovery, only to find that the banks had been “explicitly aware of the problem for a number of years”.
“We’ve never claimed that chip and pin is 100% secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud,” a spokeswoman for Financial Fraud Action UK told the BBC.
“What we know is that there is absolutely no evidence of this complicated fraud being undertaken in the real world. It requires considerable effort to set up and involves a series of co-ordinated activities, each of which carries a certain risk of detection and failure for the fraudster.
“All these features are likely to make it less attractive to a criminal than other types of fraud.”