Chip and PIN security busted

Security researchers have demonstrated a gaping security hole in Chip and PIN credit card authorisations which undermines trust in the technology as a means to verify retail purchases. Cambridge University security researchers have demonstrated how it might be possible to trick the card into thinking it’s doing a chip-and- …

COMMENTS

This topic is closed for new posts.
  1. The Fuzzy Wotnot
    FAIL

    Typical

    Now sit back and watch all the finger-pointing begin, as everyone blames everyone else for the problem and we, the customers, continue to get fleeced by inadequate security.

    1. BristolBachelor Gold badge

      Heads in the sand

      Banks, finger pointing?

      Nope, they will stick their heads in the sand, say it is secure. Say it is impossible to do this in the real world...

  2. Anonymous Coward
    Anonymous Coward

    So...

    As I only use my card when buying online and use cash in shops, I'm perfectly safe?

    1. Anonymous Coward
      Happy

      Yep

      Unless you get mugged for your card at the cash machine.

  3. Tony S
    Alert

    Dare I say I told you so

    I remember making a suggestion a while back, in one of the comments to an article, that there could be an issue, and that people should not automatically assume that "Chip & PIN" or any other technology was unbreakable. Several people chose to sneer at my position.

    The reality is that there is no such thing as 100% security - all anyone can do is say, "we have not been able to crack it, and are not aware that anyone else has".

    Too many people suffer with an almost religious zealotry about security - I do X, I use Y, I have Z, so I am totally secure. Anyone that believes that is suffering with delusions of adequacy; and what is worrying is that they continue to believe the fallacy long after it has been demonstrated that it is not true.

    But there you go - the problem is not with the hardware or the software, but with the wetware!

    1. Usko Kyykka
      Boffin

      A hypothesis

      Maybe this (too) is a manifestation of believing something just because it being true would be absfab (and/or the converse too distressing). Other examples of this would be e.g. :

      - Safe and effective diet pills (it seems people continue to buy and use these despite them having been debunked countless times: the idea of getting slimmed down without really bothering with anything is so very attractive).

      - Medicine/doctors can deal with all ailments in an effective way / hardly ever screw up (a very comforting thought, but the reality is different. An important facet of this particular problem is that this fiction is also quite flattering - not to mention profitable - to the practitioners.)

      - How effective shameless flattery (in general) tends to be ...

  4. LinkOfHyrule
    Alert

    oh nos!

    *goes off to watch Newsnight on iPlayer* here's a link to the start of the report if anyone wants it

    http://bbc.co.uk/i/qs5vb/?t=16m20s

  5. SmallYellowFuzzyDuck, how pweety!
    FAIL

    Busted, yeah right

    This story is doing the rounds on the internet at the moment making very dramatic claims that criminals are going to be using it to grab everyone's money.

    If you look at the PDF it shows that you need the following to make it work:

    A stolen card

    A card reader

    A laptop

    A custom made board with a programmed FPGA on it

    Finally a fake card that goes into the reader with wires attached to it

    The only people possibly with enough knowledge to attempt this feat will be, well, an Academic doing research into banking security from the University of Cambridge.

    I suspect this is more to do with an academic trying to secure further grant funding for this current research than declaring that every criminal on every street corner now has an easy way to empty your bank account.

    Interesting, but there are easier ways to get at other people's money.

    So look out for lots of dramatic reporting from the non-tech savvy media like the BBC and the Daily Mail.

    1. Alan Braggins 1

      If you look at the PDF ...

      You might want to consider reading it, instead of just looking at the pictures, in which case you will find that's already been addressed.

    2. Anonymous Coward
      Stop

      Wires

      ...until someone does a wireless version.

      In which case, how would anyone know?

  6. Anonymous Coward
    Grenade

    Chip and Bin?

    Chip and PIN has always been a way for the banks to screw you so they don't have to refund you or investigate transactions.......

    You: "I've noticed a few weird transactions on my account."

    Bank: "Which ones?"

    You: "Well there's one for £110 of petrol but I've never been to Birmingham."

    Bank: "It was authorised by PIN. We can cancel your card and send you a new one but as for a refund..... better luck next time."

  7. JakeyC

    Stop allowing signatures

    As long as you're still allowed to verify by signature, the system will remain weak regardless of the tech.

    Seriously, how hard can it be to remember a 4-digit number? If you're incapable of doing that then surely you're not capable of managing your money either!

    1. Bah Humbug

      Don't Stop allowing signatures

      The system will remain weak as long as there are humans anywhere near the payment chain...

      Not everyone has a signature card because they can't remember a 4-digit code - some do it so that the bank can't just turn around and say 'your pin was used, therefore it's your fault' when an unauthorized transaction goes through.

      I still use Chip & PIN, though my wife has a signature card - I'm thinking about switching back to signature myself though, because I don't particularly care for the way the banks have pushed liability for unauthorized transactions onto us.

      Having said that, Chip and PIN can be useful when out shopping - I can just give my card to my wife, say 'you know my PIN', and she can use it...no messing about with signatures!

    2. Alan Esworthy
      FAIL

      Managing my money?

      As long as the idiot issuers put me in a 4-digit PIN straitjacket, THEY are not competent to manage my or anybody else's money.

    3. Peter Fairbrother 1

      Signatures are not the problem

      The problem with signatures is not verification by signature, but that chips are not used in some countries abroad and the system falls back to magstripe.

      In the case of a cloned card the signature on the card will be done by the thief, and will not be the signature of the cardholder.

      This attack is on stolen cards, not cloned cards.

      Signature verification when a chip in the card is used is still reasonably secure, assuming the cashier checks the signature properly - the card is verified as being a real card by the chip, and the signature is verified by the cashier as normal.

      Though of course nothing is secure, and attacks are still possible - but liability does not fall on the innocent cardholder here, as the signature can be checked, and the receipt can be tested for DNA, the cardholder's fingerprints, and so on.

      For the cardholder, signatures are more secure.

      For the banks, they are about as secure if a chip is used to verify a card with a chip, though for a while there was a lot of fraud from cards lost in the post and signed by the thief - however this is fairly easy to defeat and has fallen to very low levels.

      The Bank's reason for introducing the PIN was twofold: first to improve on the reliability of cashier verification of signatures by replacing them with an automated method, and second to allow unattended automated sales. The former wasn't a great problem, and the latter was scotched - a curious story.

      The HO, I think it was mostly, didn't like the idea of unattended automated sales and were going to legislate against it, but the banks convinced the HO that not offering signature verification would contravene the Disability Discrimination Act (somehow!! - but somehow ATMs don't?) and that legislation against unattended payment wasn't needed.

      Some petrol stations still use unattended payment (possibly breaking the DDA) but not many, as it's too easy to defraud and the stations are liable when fraud happens.

  8. The BigYin
    Flame

    It was never about security

    It was only ever about shifting liability back on the customer. That's all.

    1. Greg J Preece

      Agreed!

      If it were about security, the PIN would be more than 4 bloody digits!

      1. iwi
        FAIL

        @ Greg J Preece

        It's 4 digits because that's all Mrs. Shepherd-Barron could remember ....

        http://en.wikipedia.org/wiki/Personal_identification_number

      2. JonP

        Passwords(!)

        Yeah, we should all use passwords instead(!) <ahem>

        4 digits is OK for a PIN - it's not like you can stand at the ATM/checkout and try and brute force it.

        An 'easy' way round this problem is to make customers give their cards to the cashier, who then inserts the card into the reader. The customer then enters the PIN on a separate keypad and the card is returned at the end of the transaction.

        Let's face it, there's never going to be a secure way of doing this. However at least now banks (should!!) have to admit that chip & PIN is not as secure as they made out and take some of the liability themselves.

        1. The Commenter formally known as Matt
          FAIL

          make customers give their cards to the cashier

          afaik the cashier is not allowed to touch the card at all. If you recall all the recent cc fraud cases have involved criminal cashiers!

  9. Aristotles slow and dimwitted horse
    Stop

    About time too...

    This research is welcome news.

    It's about time that the banks were pricked into realising that just because some ill qualified spokesperson says that it is "secure" - doesn't necessarily make it so.

    It's an absolute crime that so many defrauded people have been treated like criminals themselves by banks that have taken no real responsibility for this ill designed system.

    Wankers.

  10. john loader

    Not the only bust bank security

    After preventing me from renewing my Skype despite using "Verified by Visa", my bank tells me that it does not consider that system "foolproof". In fact it says no system is foolproof - funny how banks usually say the opposite.

    So Verified by Visa, which uses a separate secure site with a password only known to the user, is rubbish according to a leading High Street Bank. Thought it was supposed to guarantee secure online transactions.

  11. Rakkor
    FAIL

    Newsnight

    Last night's Newsnight revealed how this was done, and the response of the issuing banks was "it's not our fault, it's a system failure", which I suppose is valid, if a little worrying. Whereas the FSA's response was to stick their fingers in their ears and say "Naaah Naaaah Naaah Can't hear you". Not good enough for a body that is supposed to oversee this kind of thing.

  12. Anonymous Coward
    Happy

    Broken

    What with this and the much hated "verified by Visa" scheme, I think what needs to happen is that the whole card security thing should be taken away from the banks, analysed by a bunch of people who know what they are doing, come up with a GOOD solution and then dictate to the banks what they should do.

    As it stands, and as has been pointed out many many times previously, the existing security measures have nothing to do with security at all; they are all to do with indemnifying the banks against loss. They do not protect the consumer against fraud, and they do not protect the retailer either; the ONLY people that are protected are the banks. This has to change, and clearly the banks are not the organisations to do it.

  13. Martin Chandler

    This was on the BBC... yesterday

    Also on the Newsnight programme was BBC Science reporter Susan Watts' debit card details, including sort code and account number!

    1. Bah Humbug

      The title is required, and must contain letters and/or digits.

      A bit careless perhaps, but no more information than you give someone when paying by guaranteed cheque in a shop (if you can find a shop which accepts them anymore, which is a whole different rant!)

  14. Neill Mitchell

    Hmmm.

    Spend tens of millions rolling out a fix or wriggle out of paying claims by blaming the customer. Which strategy do you think the banks will go for?

  15. Anonymous Coward
    FAIL

    Chip and Pin...

    .....was never about protecting customers, it was all about shifting blame and liability to retailers and customers from the banks.

    Customer: "My card has been used fraudulently to purchase something"

    Bank: "Our systems indicate that your PIN number was used, nothing we can do"

    Customer: "But it wasn't me"

    Bank: "Our systems indicate that your PIN number was used, nothing we can do"

    Customer: "But it wasn't me"

    Bank: "Our systems indicate that your PIN number was used, nothing we can do"

    Customer: "But it wasn't me"

    Bank: "Our systems indicate that your PIN number was used, nothing we can do"

    Customer: "But it wasn't me"

    Bank: "Our systems indicate that your PIN number was used, nothing we can do"

    and so on...

  16. Ihre Papiere Bitte!!
    Thumb Up

    On the news last night

    They showed BBC journos actually doing this for real at the Cambridge Uni canteen - getting cashback as well as paying for goods. Unless the cashier was paying attention (and how often does THAT happen?) it's unlikely that they would notice anything amiss. Let's face it, they're very rarely looking at the card when inserted (as is right and proper - I don't want them watching whilst I enter my PIN), so with a little discretion, they wouldn't notice the gear or that the user was punching 0000 for the PIN entry.

    It was interesting viewing, and with some refinement (e.g. to the equipment used, for discretion) could be a significant problem.

    The banks immediately came back saying that they can detect these transactions after the fact, but, as the journos stated, none of their "test transactions" were picked up by their banks, all went through without a problem. "Chip and PIN is a secure system" was the quote, I believe...

    Kudos to Cambridge uni for showing up the shortcomings here. Added to their blasting of the Verified by Visa / MasterCard SecureCode (or whatever they're called) last week (?), they're on a roll to let people know that the best way to buy anything offline is with paper money, and not to trust the banks to look after our money (like we need extra evidence to that effect!!)

  17. Anonymous Coward
    Unhappy

    It was only a matter of time

    As any fule kno, no system is 100% foolproof and someone was always going to find a way round chip & pin. What's questionable is the card issuers' stance on this - even if it is conclusively proven that their system has holes, will they still refuse to protect their customers who get defrauded in this way?

    1. Alan Esworthy
      Boffin

      foolproof?

      You mean "fuleprufe" don't you?

  18. BruceWayne
    Pirate

    Not quite

    The card also retains a 'history' of what happened during a transaction - the CVR. This will indicate that the PIN has not been verified. The CVR is sent to the issuer host via the acquirer network, and thus if the issuer system is set up to crosscheck the TVR with the CVR (to ensure consistency in what the card and the terminal are reporting in terms of cardholder verification), this 'inconsistency' will be picked up. The issuer host may then decide to decline the transaction and raise appropriate alerts if need be.

    In my opinion - close - but no cigar!

    1. Anonymous Coward
      Stop

      RE: Not quite

      Close but... just a little too close.

      It worked and even when the banks were called, they stated that there had been no dodgy transactions.

    2. Peter Fairbrother 1

      Points arising

      @BruceWayne: The TVR does not contain the method by which the card was verified by the reader (unless verification fails). See the paper for details. If it did it would mean a cheap fix was possible, but I don't think there is one.

      The Banks will probably have to replace all the cards and terminals, though they might get away with just replacing the cards and putting something in the IAD, which would however be a less-than-satisfactory solution.

      @Zerofool2005: Yes, it's not a new attack, but it was demonstrated well and for the first time in public here. I think Steven Murdoch, one of the authors, also did some of the earlier theoretical development.

      I do agree that others (Chris Mitchell?) should have been mentioned for previously pointing out the possibility of the attack, but that's maybe because I pointed out the relay attack long before the Cambridge group did their paper on it.

      However I wasn't going to demonstrate the relay attack, and hadn't published a paper on it, just posted it to a crypto mailing list.

      In their papers cryptologists often take the attitude that it doesn't exist until it's published, which has some merit. But a mention in the footnotes or references would be nice. Otherwise it makes them seem to claim to have invented something when they haven't.

      @Homard: TVR stands for terminal verification results, but that doesn't mean much unless you know the context. The paper contains the clearest description of the very complex chip and pin protocol I have ever seen, so if you want to know what a TVR and CVR really are I can only suggest you read it.

  19. Andrew Watson

    Get a Chip-and-signature card instead

    I refuse to use Chip-and-PIN - there have been too many verified attacks on the system over the years.

    If you press your credit card company, they can issue you with a Chip-and-signature card (also sometimes called a "PIN suppressed" card). Although the card has a chip, every face-to-face transaction is verified by a signature, leaving a permanent paper record which can be inspected later (by the courts if necessary) if the transaction is disputed.

    I've had a C&S card for 4 years, and never have any trouble using it. Many cashiers tell me they think it's "more secure" and a "good idea". If you have a C&P card, I recommend calling your credit card company and asking them to send you a C&S card instead.

  20. Graham Marsden
    FAIL

    Chip and Pin always was broken...

    ... since it was really all about shifting liability away from the Card Companies rather than actually making transactions secure.

  21. Anonymous Coward
    Flame

    Only a matter of time...

    The whole point of the Chip&PIN system from the outset was not to provide security - anyone with two brain cells connected knew it was only a matter of time. This is just the latest exploit - others have existed for ages. It's over a year since my own card was compromised by a dodgy reader in a supermarket.

    The point of the system is to shift responsibility for card security, and any resultant blame and costs, to the customer and leave the banks - who don't know half as much as they think about digital security (and don't much want to know) - to sidestep the problem and concentrate on making profits.

    My latest card can be read inches away - I didn't ask for the feature, didn't want it, and am currently trying to arrange a card without it. In the meantime, how long before someone compromises my card while it's still in my pocket?

  22. Mage Silver badge
    Pirate

    It's about reducing Banks' liability not about stopping Fraud :(

    I've always said that Chip & PIN was always about reducing the Bank's liability to Fraud. Not actually really more secure or reducing Fraud. With a signature you can prove it's not you and get the money back, with Chip & PIN you can't. Thus Bank "Fraud" drops.

    Of course RFID for credit/cash cards or Passports is even more stupid. It is a technology designed to replace Barcodes (which can be photocopied), and RFID is not inherently a technology designed for Secure applications. Because an RFID is a unique "fingerprint" even if you don't decode it, an RFID "reader" at each location that your "mark" might use lets you track where the RFID is. If the "mark" realises, you could of course be tracking someone else that had the "tag" dumped on them.

  23. Mage Silver badge

    SmallYellowFuzzyDuck, how pweety! Busted, yeah right

    You'll be able to get a kit on eBay or someplace.

    How many people bought card readers (as cheap as £10) to edit ITV digital Cards?

    How many people do Card Sharing on Satellite receivers.

    Same ISO reader will talk to card.

  24. Retired Geek
    Thumb Up

    But at least you Brits can check it

    Here in the US the research would have got them arrested. DCMA "protects" us from anyone proving that crap security is just that.

    1. Chris007
      FAIL

      I was under the impression

      that the DCMA didn't stop academic research?

      Plus for this they haven't reverse engineered anything so I am unsure as to which bit of DMCA they would be in breach of.

      (I am not an american so do not profess to be an expert on DMCA!)

      FAIL = DMCA

  25. John Smith 19 Gold badge
    Happy

    @BruceWayne

    "The card also retains a 'history' of what happened during a transaction - the CVR. This will indicate that the PIN has not been verified. The CVR is sent to the issuer host via the acquirer network and thus if the issuer system is setup to crosscheck the TVR with the CVR (to ensure consistency in what the card and the terminal are reporting in terms of cardholder verification) - this 'inconsistency' will be picked up. "

    Well that's excellent and clearly there's nothing to worry about.

    Hang on. Did I spot an "if" in that paragraph? I think I did. I'd say that at least in this bank's case they do *not* run such a comparison.

    After all it will no doubt lower their card processing volume.

  26. Trevor Pott o_O Gold badge
    Dead Vulture

    PIN NUMBER

    AUUUUUUUUUUUUUUUUUUUUUUUUUUUUGH *bang*

  27. Anonymous Coward
    FAIL

    Old News...

    I've seen this talked about before. These Cambridge researchers seem to always latch onto something that is like 6 months old.

    I've even discussed with my business partner the systems used: "if pin.verified==TRUE { process.transaction }"

    Force pin.verified to be TRUE by spoofing etc. and process.transaction will occur.

  28. Henry Wertz 1 Gold badge

    @Chris007

    Don't know if you are being sarcastic, but DMCA has absolutely been used to suppress research. There are several incidents THAT I KNOW OF (how many that I don't know of, I don't know...) where someone either started research, or had completed research and was ready to present it at a conference, when some heavies show up and are like "if you proceed you will be sued under the DMCA". One of them had the balls to tell them to piss off and just presented the research anyway, but the fact is that people do use it as a threat to stifle research.

    Anyway, I don't know if we even have chip and pin in the States, but I have avoided a debit card for the same reason -- with credit cards, the credit laws are pretty strict: the credit card company assumes liability for any fraudulent transactions. You call them, they take the transactions off your bill and either get the money back or eat it. Debit card? The money's already out of my bank account, and although most banks will put the money back for fraudulent transactions they are not required to.

    1. Chris007
      FAIL

      Nope - not being sarcastic

      Maybe I should have worded it "that the DCMA should not be used to stop academic research and that anybody invoking DCMA should be taken to court for wasting time and money".

      It is certainly clear what the DMCA is actually for rather than what it was sold to the public on - but those of us who saw its rise to become law (even in the motherland) could see that.

      FAIL: American govt for continuing to kowtow to big business

  29. Werner McGoole
    Joke

    Since the taxpayer seems to own most of the banks these days

    Why don't we get the government to design a secure card system that all the banks can use? I'm sure it can't cost that much to set up a little IT contract or three and a few, err, databases and, um, maybe get some biometric scanners, and ...

  30. Law
    Paris Hilton

    lucky me!

    I had a replacement barclaycard this week... without me asking for it, my card now supports wireless payments!! Yey me... I'm sure being wireless it will never be a subject of any security concerns...

    *begins lining wallet with tinfoil*

  31. Homard
    Grenade

    @brucewain

    WTF ????

    CVR is what ? TVR = ?

    I guess you work in a bank as you can't talk straight.

    As to chip and bin, if you use a credit card you are surely protected by the consumer credit act ?

    So when they claim they are not liable, you claim you did not receive the goods. It then becomes the problem of the useless wanktards at your bank to recover the monies.

    merchant bankers !

    1. Trevor Pott o_O Gold badge

      @Homard

      People far better versed in the law than either you or I have spent billions (literally) of dollars *ensuring* that when they make the claim "we are not liable," they are correct.

      They did this not by ensuring the security was good, but by ensuring their law was.

      I guarantee you, if you own a chip + pin card, even if you cut it up the day you receive it, and a charge appears on your account that is "verified by pin," you are liable, case closed.

      Why the fnord do you think they came out with the thing to begin with?

      1. Andy 66

        @Trevor Pott o_O

        Don't know what the process is over there, but over the channel you have to activate your card by withdrawing cash at a bank machine. So if you receive your card and never activate it, yet receive charges against that card, you have grounds to oppose them

        1. Trevor Pott o_O Gold badge

          @Andy 66

          This is true here as well, (for credit cards at least.) Our Chip-and-Pin debit cards require no activation.

          That said an inactivated card is useless to me as well. What I want is the ability to specify "this credit card will only ever be used for online transactions, and no transaction will ever exceed $X" If I have an activated card, even if I cut the physical card up...it can be cloned and used anywhere and I am liable for it.

          My bank will not offer me the ability to restrict where my card may make purchases. Instead, I am paying $25 a month to them for identity fraud insurance.

          Beer, because banks make me angry, and now I need a pint.

  32. peter wegrzyn
    Unhappy

    Chip and Pin is definitely faulty

    From personal experience, there is a flaw with chip and pin. I used a terminal at my local fishmonger. Twice it reported that the PIN was invalid, so I paid with another credit card.

    I was billed for both failed payment attempts (as well as the payment on the other card).

    Barclay's sent me a form which made me basically accuse the shopkeeper of fraud. There was no way to fill it in explaining that Barclay's has stolen money from my account, not the shopkeeper.

    Barclay's refused to accept that it was possible to withdraw funds without a valid pin being entered - but it is.

    I never received a refund.

  33. Bill Cumming
    FAIL

    I want one of those kits....

    ...the number of times I've forgotten which 4 digits go with which card is annoying... :)

  34. Version 1.0 Silver badge

    How to fix chip and pin

    20 seconds on high in the microwave.

    1. Trevor Pott o_O Gold badge

      Sorry, but this is wrong...

      If your chip and pin card has been cloned and is then used, you are liable for it. You may have destroyed your original card, but you are still liable for all the fraudulent transactions, because "chip and pin can't be beat."

      The only way to fix chip and pin is NEVER TO GET ONE.

  35. Anonymous Coward
    Anonymous Coward

    @Chip and PIN is not to prevent fraud people...

    It seems to be said a lot here that the Chip and PIN system wasn't put in place to prevent fraud, rather that it was put in place to shift responsibility for fraud onto the customer. I really don't buy this; there are precious few, if any, reliable/serious people claiming fraud on their cards. In the only time it's gone to court that I am aware of, the person claiming fraudulent use of the card was shown to be a highly unreliable witness.

    The main thing that people seem to be overlooking is that there is a banking regulator, one of the main reasons that the regulator is in place is to prevent the banks getting too much power over their customers and imposing unfair conditions. The regulator hasn't performed too well over the last couple of years, with respect to how the banks behave internally wrt trading etc, but this was because they were focusing too much on how customers are treated. If the banks were operating in a way which forced liability onto their customers the regulator would not allow it.

    In this case there does seem to be a problem with chip and pin, but chip and pin is not fixed in stone; it can be modified to work around problems. One of Ross Anderson's previous papers (cited in this one) showed how to run a man in the middle/relay attack; this was made unworkable in a matter of weeks with an update to the chip and pin protocol.

    1. Chris007
      Grenade

      You've missed the point

      Before C&P came into being, if your card was used fraudulently (excluding CNP fraud) the defrauded person only had to ask for a copy of the signature to prove it wasn't them - Very easy to show it wasn't their signature and bank had to cough up.

      Now, as there is no "paper" trail you (a defrauded person) have a mountain to climb to prove it wasn't you. Personally I am now going to ask for a Chip and Signature card from each of my card suppliers.

      1. Anonymous Coward
        Anonymous Coward

        Err...

        So what you are saying is that with magstripe/signature, if you wanted to defraud a bank all you had to do was mess up your signature and they'd just hand over the cash when you said "fraudulent activity" to them? Do you really believe that it was that simple?

        It's just the same now as it was with magstripe and signature, an investigation takes place, sometimes the customer will be required to hand over evidence such as their card etc, the police will probably be involved, CCTV will be acquired if applicable etc. etc. The only change is that there are currently no known frauds that have taken place in chip and pin areas where a customer hasn't in some way handed over their PIN.

        1. Chris007

          errr. Still missing the point

          I am not on about ME committing fraud, I am talking about fraud committed on my card (or cloned card).

          Using the old system of Signature it would be easy for the bank to check that the signature does not match mine and thus give me my money back.

          With C&P, as long as the crooks used my pin the bank can stick the story that as it was verified by PIN they will not give my money back. Without CCTV or other visible evidence you're gonna have a very hard time proving your case.

          You also said "The only change is that there are currently no known frauds that have taken place in chip and pin areas where a customer hasn't in some way handed over their PIN."

          I'd say "There have been no court cases whereby C&P fraud was committed and it was proved that the complainant had NOT in some way disclosed their PIN". The bank(s) chose that case very carefully and deliberately. Anybody who followed it from the start could tell the person was an idiot.

          In addition just because YOU don't know of any frauds capable of being carried out does not mean they don't exist

          1. Anonymous Coward
            Anonymous Coward

            @Chris...

            A bank will/would not just automatically refund a signature verified transaction where the signature doesn't match because of the *possibility* that the card owner has fraudulently used their own card and signed with something that isn't their own signature; furthermore the card has the signature on the back, making it much easier to fraudulently use by clone or theft. Any fraudulent use will be investigated, the same with chip and pin, although with chip and pin your authorisation method isn't written on the card.

            Now as to your assertion that the banks carefully chose the case of the guy who claimed that his card had been fraudulantly used: They don't get to only have one go at this, that's not how the law works, if someone else comes along with a credible case they also get to take them to court. If lots of credible people complain to the regulator, the regulator will investigate.

            I was also very careful to not say that because exploits aren't known in the wild, doesn't mean to say there are any, however the lack of credible reports does suggest that there aren't.

            1. Chris007

              @Fraser

              I didn't mean to give the impression that a bank would automatically refund; my point was more along the lines of the burden of proof if it came to a court/civil case. It would be easier to prove that it isn't your signature as opposed to proving you didn't input the PIN if no other visible evidence is available to prove it wasn't you.

              Also, I agree that the law doesn't work that way; however the banks have only allowed that case to go to court - knowing it was a slam dunk for them. I am fairly sure that there have been a couple or 3 other examples where the card owner has threatened to go to court only for the banks to "refund as a gesture of goodwill without admitting any liability". Unless they are forced to, the only case on the books is the idiot one.

              A lack of credible reports only means that they haven't been discovered ;-)

  36. Wim Ton

    Solution

    As indicated in the paper, the card checks the PIN result from the terminal against its internal PIN result and takes appropriate action if they do not match (decline or go online).
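
    The two defensive checks discussed in this thread (the issuer-side TVR/CVR crosscheck in comment 18, the card-side comparison in comment 36, and the "PIN-capable terminal that verified no PIN" point in comment 38) can be written down as plain decision logic. The Python below is an added illustration by the editor, not code from the paper, the banks or any commenter; the `TerminalReport` and `CardReport` records are hypothetical simplified stand-ins for the real TVR / CVM Results and CVR fields, whose actual byte layouts are in the EMV specification and the paper, and the sample transactions are constructed. It shows why the "if pin.verified == TRUE" pattern from comment 27 fails when the terminal's belief is the only thing consulted, and what the issuer sees once the card's own record is compared against it.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple


class Cvm(Enum):
    """Cardholder verification method the terminal reports having completed.
    Hypothetical simplified encoding, not the real EMV CVM Results / TVR bytes."""
    NONE = "none"
    SIGNATURE = "signature"
    OFFLINE_PIN = "offline_pin"


@dataclass(frozen=True)
class TerminalReport:
    """What the terminal tells the issuer (stand-in for TVR / CVM Results)."""
    pin_capable: bool      # terminal has a working PIN pad
    cvm: Cvm               # method the terminal believes it performed
    cvm_successful: bool   # the terminal's belief about the outcome


@dataclass(frozen=True)
class CardReport:
    """What the chip itself recorded and sends back in its own data
    (stand-in for the CVR carried inside the IAD)."""
    offline_pin_performed: bool   # the chip actually ran a PIN verification
    offline_pin_failed: bool      # ...and, if so, whether that verification failed


def card_check(terminal_claims_pin_ok: bool, chip_verified_pin: bool,
               on_mismatch: str = "online") -> str:
    """Card-side guard from comment 36: the chip compares the terminal's claimed
    PIN result with its own and refuses to complete offline when they differ.
    Returns 'complete', or the configured mismatch action ('online' or 'decline')."""
    if terminal_claims_pin_ok and not chip_verified_pin:
        return on_mismatch
    return "complete"


def issuer_check(term: TerminalReport, card: CardReport) -> Tuple[str, str]:
    """Issuer-host crosscheck from comment 18: compare the terminal's story with
    the card's own record. Returns (decision, reason), decision in
    {'approve', 'decline', 'refer'}; anything but 'approve' should raise an alert."""
    if term.cvm is Cvm.OFFLINE_PIN and term.cvm_successful:
        if not card.offline_pin_performed:
            # The inconsistency the thread is about: the terminal believes a PIN
            # was verified, but the chip never performed a PIN verification.
            return "decline", "terminal reports offline PIN OK but card never verified a PIN"
        if card.offline_pin_failed:
            return "decline", "terminal reports offline PIN OK but card recorded a failed PIN"
        return "approve", "terminal and card agree: offline PIN verified"
    if term.pin_capable and not card.offline_pin_performed:
        # Policy raised in comment 38: a PIN-capable terminal that verified no
        # PIN should not be waved through without a second look.
        return "refer", "PIN-capable terminal but no PIN verified; manual review"
    if term.cvm is Cvm.SIGNATURE and term.cvm_successful:
        return "approve", "signature transaction at a terminal without PIN capability"
    return "decline", "no successful cardholder verification reported"


# Constructed sample transactions (not real data).
SAMPLES: Dict[str, Tuple[TerminalReport, CardReport]] = {
    "honest_pin":        (TerminalReport(True,  Cvm.OFFLINE_PIN, True),  CardReport(True,  False)),
    "wedge_fake_pin":    (TerminalReport(True,  Cvm.OFFLINE_PIN, True),  CardReport(False, False)),
    "wrong_pin_masked":  (TerminalReport(True,  Cvm.OFFLINE_PIN, True),  CardReport(True,  True)),
    "signature_abroad":  (TerminalReport(False, Cvm.SIGNATURE,   True),  CardReport(False, False)),
    "no_cvm_at_pin_pad": (TerminalReport(True,  Cvm.NONE,        False), CardReport(False, False)),
}


def run_samples() -> Dict[str, str]:
    """Issuer decision for each constructed sample."""
    return {name: issuer_check(t, c)[0] for name, (t, c) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (t, c) in SAMPLES.items():
        print(f"{name:18s} -> {issuer_check(t, c)}")
    print("card-side action on mismatch:", card_check(True, False))
```

    The point of the two functions side by side is the one made by the "if" in comment 25: the card-side check only helps once new cards are issued, whereas the issuer-side check needs nothing on the card or terminal to change, only that the host actually compares the two fields it already receives and alerts on the mismatch instead of trusting the terminal's verdict alone.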

  37. Anonymous John
    Happy

    The PIN is required, and must contain four digits.

    At least Chip and Pin is automatic, and doesn't rely on a human comparing two signatures.

    A few years ago I presented a new card I'd forgotten to sign.

    So I signed it. Luckily both signatures matched and everyone was happy.

  38. strewelpeter

    Paper ignores the facts

    IAD is specified by EMV - a fact they deny then publish later in the paper.

    What they have proven here is nothing more than that there is an issuer somewhere who has not passed Visa and Mastercard Certification, who is willing to approve transactions from a terminal that they know is PIN capable and that they also know has not verified a PIN.

    And from that they are concluding that EMV is broken - utter rubbish.
