Researchers from Cambridge University claim to have uncovered flaws in chip and PIN technology, which means transactions are a lot less secure than thought.
The flaw makes it possible for crooks to buy goods or withdraw cash in such a way that banks and card companies cannot distinguish the fraudulent transactions from genuine ones, in what the researchers describe as a "chip and skim attack".
The revelations should serve as a warning to financial services firms and their customers – who were told chip and PIN would put an end to card cloning operations – as well as law enforcement, wrote Mike Bond, a security researcher at Cambridge University's Computer Laboratory, on the group's blog.
“It can no longer be taken for granted that data in a transaction log was harvested at the time and place claimed, which undermines the reliability of evidence in both civil and criminal cases,” he said.
The flaw in the chip and PIN system relates to the way terminals generate so-called unpredictable numbers to verify transactions.
The Cambridge team had spoken to a number of people who reported being charged for transactions even though their card and PIN had not been compromised. By examining the log files associated with the suspicious transactions, the researchers discovered that, far from being random, the unpredictable number was often highly predictable.
They set about buying second-hand ATMs on eBay to study the behaviour of their random number generators in detail. The researchers discovered that many of the systems produced little more than counters, making it possible for crooks to guess authorisation codes.
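The weakness described above is a property that a terminal vendor or an acquiring bank can audit for directly: take the unpredictable numbers a terminal has emitted and check whether they behave like a counter or have byte positions that never change. The following is an added example, not code from the Cambridge team or from the article; the two terminal logs it analyses are constructed for illustration, and the log layout (terminal id, timestamp, 32-bit unpredictable number in hex) and the thresholds are assumptions.

```python
import math
from collections import Counter

# Constructed sample logs (not real terminal data). Each line holds:
# terminal id, timestamp, 32-bit unpredictable number (UN) as 8 hex digits.
# COUNTER_LOG mimics a terminal whose "unpredictable" number is a counter.
COUNTER_LOG = """\
T001 2012-09-10T09:01:12 00000F12
T001 2012-09-10T09:02:01 00000F13
T001 2012-09-10T09:03:47 00000F14
T001 2012-09-10T09:05:10 00000F15
T001 2012-09-10T09:06:33 00000F16
T001 2012-09-10T09:08:02 00000F17
T001 2012-09-10T09:09:41 00000F18
T001 2012-09-10T09:11:19 00000F19
T001 2012-09-10T09:12:55 00000F1A
T001 2012-09-10T09:14:08 00000F1B
T001 2012-09-10T09:15:30 00000F1C
T001 2012-09-10T09:17:02 00000F1D
"""

# RANDOM_LOG mimics a terminal whose UNs vary in every byte position.
RANDOM_LOG = """\
T002 2012-09-10T09:01:12 3A7F19C2
T002 2012-09-10T09:02:01 91B4E05D
T002 2012-09-10T09:03:47 0C6A8F37
T002 2012-09-10T09:05:10 E52D71A9
T002 2012-09-10T09:06:33 7BD4C3E0
T002 2012-09-10T09:08:02 48F9A61B
T002 2012-09-10T09:09:41 D0137E84
T002 2012-09-10T09:11:19 2E8B5D46
T002 2012-09-10T09:12:55 F6A20C9F
T002 2012-09-10T09:14:08 5C47B8D3
T002 2012-09-10T09:15:30 A9E1F245
T002 2012-09-10T09:17:02 1D35C6B8
"""


def parse_un_log(text):
    """Extract the UN column from the constructed log format; returns ints."""
    uns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        uns.append(int(fields[2], 16))
    return uns


def byte_entropies(uns, width=4):
    """Shannon entropy in bits of each byte position, most significant first.

    A position that never changes scores 0.0; a position that takes a
    different value in every sample scores log2(number of samples).
    """
    n = len(uns)
    result = []
    for pos in range(width):
        shift = 8 * (width - 1 - pos)
        counts = Counter((u >> shift) & 0xFF for u in uns)
        h = -sum(c / n * math.log2(c / n) for c in counts.values())
        result.append(round(h, 3) + 0.0)  # + 0.0 normalises -0.0 to 0.0
    return result


def analyse_unpredictable_numbers(uns, width=4):
    """Flag counter-like sequences and byte positions that never vary.

    counter_like: at least 90% of consecutive steps are small positive
    increments (1..255), which is what a counter or timestamp-derived UN
    produces. fixed_byte_positions: byte indices with zero entropy.
    Both thresholds are assumptions chosen for this example.
    """
    modulus = 1 << (8 * width)
    diffs = [(b - a) % modulus for a, b in zip(uns, uns[1:])]
    small_steps = sum(1 for d in diffs if 1 <= d <= 255)
    counter_like = bool(diffs) and small_steps / len(diffs) >= 0.9
    entropies = byte_entropies(uns, width)
    fixed = [i for i, h in enumerate(entropies) if h == 0.0]
    distinct = len(set(uns))
    weak = counter_like or bool(fixed) or distinct < len(uns)
    return {
        "count": len(uns),
        "distinct": distinct,
        "counter_like": counter_like,
        "byte_entropies": entropies,
        "fixed_byte_positions": fixed,
        "verdict": "weak" if weak else "no obvious defect",
    }


if __name__ == "__main__":
    for name, log in (("counter terminal", COUNTER_LOG), ("varied terminal", RANDOM_LOG)):
        print(name, analyse_unpredictable_numbers(parse_un_log(log)))
```

Running the block prints a verdict for each constructed log: the counter terminal is flagged because every step is an increment of one and the three high bytes never change, while the varied terminal passes all three checks. A dozen samples is far too few to certify a generator as good, so a passing verdict here means only that nothing obvious was found; the useful output is the failing case, which would justify pulling the terminal firmware for review.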
“The result is that a crook with transient access to a payment card – such as the programmer of a terminal in a Mafia-owned shop – can harvest authentication codes which enable a ‘clone’ of the card to be used later in ATMs and elsewhere,” the team concluded.
The group said it had already warned banks and card providers about the potential flaws, and was releasing the information now so that customers complaining about fraudulent transactions were better informed.
The research is being presented at the Cryptographic Hardware and Embedded Systems 2012 workshop in Leuven, Belgium this week.