Is the Chip and PIN Broken? A Controversial Solution to Bank Card Security

What is the security gadget that UK bankers don’t want you to know about? A University of Cambridge student has published a paper on a new device that can protect card-holding consumers from the dangers of hackers, resulting in a financial trade group demanding that it be removed from the public.

According to Ars Technica, increasingly more people are learning about the vulnerability of their bank card system (Europay, MasterCard and Visa cards commonly used in the U.K.), and the protocol flaw that enables a hacker to use someone’s real card without knowing the PIN. Even worse, fraudsters can tinker with Chip-and-PIN card terminals in order to obtain sensitive data.

Hackers can tinker with Chip/Pin enabled banking/credit card terminals and wirelessly intercept data about live consumer transactions to get into the system themselves. "In this scenario it is possible for someone to tamper with the terminal such that the amount shown on the display is higher than the amount requested to the card. The user will confidently enter the PIN and authorize the transaction."

The proposed “Smart Card Detective”’ device was tested by Cambridge, and it is designed to intercept information of a transaction, verifying that it is legitimate and the correct amount is shown.

One of the author’s recent Chip-and-PIN research papers will be featured in an international forum, the upcoming Financial Cryptography 2011 Conference.