Chip and Pin Diet Unhealthy for Credit Cards, Cambridge Says; Unique Numbers not that Unique

Cambridge University researchers recently found a disturbing vulnerability in the chip-and-pin payment system which renders credit cards easy to compromise by cloning, as reported by the BBC.

The results of the research project were presented at the Cryptographic Hardware and Embedded Systems (CHES) 2012 conference in Leuven, Belgium, and pointed to major issues in implementing cryptography.

The researchers say that, despite the long-standing use of the system, banks may not have focused enough on this aspect of its safety, which would explain why this vulnerability is just now “starting to come under proper scrutiny from academics, media and industry alike”.

Simply put, a chip-and-pin transaction is weakened because the supposedly unique “unpredictable number” generated for authentication is actually very predictable due to the use of dates and timestamps.

“If you can predict [the UN], you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location,” researcher Mike Bond explained in a blog post, as quoted by the BBC. “You can as good as clone the chip. It’s called a pre-play attack.”
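A defender-side check for the weakness described above, added here as an illustration and not taken from the article or the researchers' work: it audits unpredictable numbers logged from one terminal for bits that never change and for counter-like steps. The 32-bit width, the thresholds and the sample values are assumptions constructed for this example.

```python
# Added example: audit a terminal's logged "unpredictable numbers" (UNs).
# Assumptions: each UN is a 32-bit value and the list is in generation order.

def audit_uns(uns, bits=32):
    """Return simple predictability indicators for a sequence of UNs."""
    if len(uns) < 3:
        raise ValueError("need at least 3 samples")
    mask = (1 << bits) - 1

    # A bit that has the same value in every sample contributes no randomness.
    varying = 0
    for u in uns[1:]:
        varying |= (u ^ uns[0]) & mask
    fixed_bits = bits - bin(varying).count("1")

    # Differences between consecutive samples, modulo 2^bits. A counter or a
    # clock shows up as small steps that always go in the same direction.
    deltas = [(b - a) & mask for a, b in zip(uns, uns[1:])]
    small_steps = sum(1 for d in deltas if 0 < d < (1 << (bits // 2)))
    monotonic_ratio = small_steps / len(deltas)

    duplicates = len(uns) - len(set(uns))

    # Thresholds are illustrative assumptions, not values from any standard.
    suspect = fixed_bits >= bits // 2 or monotonic_ratio >= 0.9 or duplicates > 0
    return {
        "fixed_bits": fixed_bits,
        "effective_bits": bits - fixed_bits,
        "monotonic_ratio": monotonic_ratio,
        "duplicates": duplicates,
        "suspect": suspect,
    }

# Constructed sample: a generator that behaves like a clock-driven counter.
CLOCK_LIKE = [0x5050A000 + i * 37 for i in range(8)]

# Constructed sample: values with no visible structure.
UNSTRUCTURED = [0x9F3A61C4, 0x12D87B0E, 0xE4057A93, 0x6BC1F258,
                0x38A6D0EF, 0xC75E0931, 0x0D92B4A7, 0xF1684C7A]

if __name__ == "__main__":
    for name, sample in (("clock-like", CLOCK_LIKE), ("unstructured", UNSTRUCTURED)):
        print(name, audit_uns(sample))
```

A clean result on a handful of samples does not prove a generator is sound; the check only surfaces the obvious date- or counter-driven patterns.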

The Cambridge team notified major banks of their discovery only to find they had been “explicitly aware of the problem for a number of years”.

“We’ve never claimed that chip and pin is 100% secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud,” a spokeswoman for the UK Financial Fraud Action group told the BBC.

“What we know is that there is absolutely no evidence of this complicated fraud being undertaken in the real world. It requires considerable effort to set up and involves a series of co-ordinated activities, each of which carries a certain risk of detection and failure for the fraudster.

“All these features are likely to make it less attractive to a criminal than other types of fraud.”

About the author

Ioana Jelea