Access Control Systems using Power over Ethernet (PoE) Technology from Borer
Borer Data Systems - Power over Ethernet Access Control



Industry News Articles

Chip and Pin Weakness Uncovered by Cambridge Researchers

12 September 2012

A flaw in the widely used Chip and Pin payment system has been exposed by Cambridge University researchers.

Cards were found to be open to a form of cloning, despite assurances from banks that chip and pin could not be compromised.

Poor implementation of cryptographic methods was behind the vulnerability, researchers said.

The flaw in the chip and pin system was highlighted by the Cambridge research team who presented a paper at a cryptography conference in Leuven, Belgium this week.

The paper said despite chip and pin being in use for over a decade, it was only recently "starting to come under proper scrutiny from academics, media and industry alike".

Each time a customer is involved in a chip and pin transaction, a unique "unpredictable number" is created to authenticate the transaction.

The unpredictable number (UN), which is generated by software within cash points and other similar equipment, is supposed to be chosen at random.

But researchers discovered that in many cases lacklustre equipment meant the number was highly predictable, because dates or timestamps had been used.

"If you can predict [the UN], you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location," said researcher Mike Bond in a blog post.

"You can as good as clone the chip. It's called a pre-play attack."
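A terminal operator can screen its own logs for the weakness described above. The following is an added example, not code from the researchers' paper: it flags UNs that move in step with the clock or like a counter. The function name, the thresholds and both sample logs are constructed for illustration; the 32-bit width reflects the 4-byte EMV unpredictable number field.

```python
MASK32 = 0xFFFFFFFF  # the EMV unpredictable number is a 4-byte field


def audit_uns(records, min_samples=8):
    """Screen one terminal's logged UNs for date/timestamp-derived structure.

    records: list of (unix_time_seconds, un) in transaction order.
    Thresholds are illustrative assumptions. Passing this screen does not
    prove the generator is random; it only rules out the obvious patterns.
    """
    if len(records) < min_samples:
        raise ValueError("too few samples to judge")
    uns = [un & MASK32 for _, un in records]
    # Bits that never change: a random 32-bit value should exercise all of them.
    always_one, always_zero = uns[0], ~uns[0] & MASK32
    for un in uns[1:]:
        always_one &= un
        always_zero &= ~un & MASK32
    stuck_bits = bin(always_one | always_zero).count("1")
    pairs = list(zip(records, records[1:]))
    # Share of transactions where the UN advanced by exactly the elapsed seconds.
    time_locked = sum(((u2 - u1) & MASK32) == ((t2 - t1) & MASK32)
                      for (t1, u1), (t2, u2) in pairs) / len(pairs)
    # Share of transactions where the UN made a small forward step (counter-like).
    small_steps = sum(((u2 - u1) & MASK32) < 0x10000
                      for (_, u1), (_, u2) in pairs) / len(pairs)
    predictable = stuck_bits >= 8 or time_locked > 0.5 or small_steps > 0.5
    return {"stuck_bits": stuck_bits, "time_locked": time_locked,
            "small_steps": small_steps, "predictable": predictable}


# Constructed sample logs (not real terminal data).
T0 = 1347440000
OFFSETS = [0, 37, 95, 160, 241, 300, 412, 530]
# Weak terminal: fixed prefix plus the low 16 bits of the clock.
WEAK_LOG = [(T0 + o, 0x00120000 | ((T0 + o) & 0xFFFF)) for o in OFFSETS]
# Well-behaved terminal: values with no relation to the clock.
GOOD_UNS = [0xA5A5A5A5, 0x5A5A5A5A, 0x3C0FF1CE, 0xC3F00E31,
            0x1B7D4E92, 0xE482B16D, 0x7F3A9C04, 0x80C563FB]
GOOD_LOG = [(T0 + o, un) for o, un in zip(OFFSETS, GOOD_UNS)]

if __name__ == "__main__":
    print("weak:", audit_uns(WEAK_LOG))
    print("good:", audit_uns(GOOD_LOG))
```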

"The sort of frauds we're seeing are easily explained by this, and by no other modus operandi we can think of," researcher Prof Ross Anderson told the BBC.

The researchers said they had been in contact with leading banks to detail the risks, but some had been "explicitly aware of the problem for a number of years".

The paper added: "If those assertions are true, it is further evidence that banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds."

In a statement given to the BBC, a spokeswoman for the UK's Financial Fraud Action group said: "We've never claimed that chip and pin is 100% secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud."

Back in December 2010 a Cambridge University professor accused UK banks of trying to prevent the publication of research that revealed a serious flaw in the chip and pin payment card security system, also known as EMV (Europay, MasterCard and VISA).

Professor Ross Anderson revealed that a student had created a £20 device that could fool a payment machine into accepting a card without a valid PIN. The UK Card Association (UKCA) apparently wrote to the university’s press office demanding the removal of the research document from its website.

Chip and pin is currently the leading processing and authentication method for credit and debit card payments in the UK, and indeed the world. It is estimated that there are more than a billion chip and pin cards in use worldwide. It replaced the signature and magnetic strip option, and was supposed to be a much more secure payment method.

