Researchers warn of chip and PIN flaws

Researchers claim to have demonstrated how a hacker could use a stolen card without knowing the PIN

Researchers at Cambridge University have claimed in a new paper that chip and PIN systems are not as secure as once thought.

The paper, entitled Chip and Pin is Broken (PDF), said that chip and PIN readers could be " fooled" into accepting transactions, despite not having the relevant PIN.

The researchers explained that it is possible to launch a man-in-the-middle attack, effectively blinding the machine to the fraud and letting criminals exploit lost or stolen cards.

Chip and PIN has often been described as a silver bullet for securing transactions, and has been credited with causing a drop in fraud levels. Just this week Home Office minister Alan Campbell said that the system had "reduced fraud on lost or stolen cards to an all time low".

However, the Cambridge researchers claim to have demonstrated how a hacker could use a stolen card without knowing the PIN.

"Since verified by PIN - the essence of the system - does not work, we declare the chip and PIN system to be broken," the paper said.

The risk does not apply to cash machines, but could be exploited on the majority of cards using offline systems, such as those found in shops which connect elsewhere to approve a transaction.

The researchers added that it is during this verification process that the flaw could be exploited.