Chip and Pin Vulnerabilities

BBC Newsnight last night had a report on the vulnerability of Chip and Pin to fraud. The video segment is currently available on Google Video.
A number of academics at the University of Cambridge have published a report online describing the weaknesses. Steven Murdoch and Saar Drimer have found a number of ways that the criminally minded could modify PEDs (PIN entry devices) and extract your account number and PIN and all the details needed to create a cloned card. The full PDF is available here.
The vulnerabilities they describe have actually been known for a while, and the responses from the various banking authorities and card companies acknowledge this. The attacks are possible because the UK banking industry chose to deploy Chip & PIN cards with the smart chips in a mode that does not encrypt the data exchanged between the card and the PED during a transaction. By tapping these communications, fraudsters can obtain the PIN and create a magnetic stripe version of the card to make ATM withdrawals in the UK and abroad.
Newsnight presenter Jeremy Paxman was on top form, literally taking apart the APACS Director of Communications, Sandra Quinn, as she arrogantly and naively claimed the system was completely safe while at the same time accepting the frauds were possible.



