Researchers from Cambridge University claim to have uncovered flaws in chip and PIN technology that make transactions a lot less secure than previously thought.
The flaw makes it possible for crooks to buy goods or withdraw cash in a way that banks and card companies cannot distinguish from genuine transactions, in what the researchers describe as a "chip and skim attack".
The revelations should serve as a warning to financial services firms and their customers – who were told chip and PIN would put an end to card cloning operations – as well as law enforcement, wrote Mike Bond, a security researcher at Cambridge University's Computer Laboratory, on the group's blog.
“It can no longer be taken for granted that data in a transaction log was harvested at the time and place claimed, which undermines the reliability of evidence in both civil and criminal cases,” he said.
The flaw in the chip and PIN system relates to the way terminals generate so-called unpredictable numbers to verify transactions.
The Cambridge team had spoken to a number of people who reported having been charged for transactions even though their card and PIN had not been compromised. By examining the log files associated with the suspicious transactions, the researchers discovered that, far from being random, the unpredictable number was often highly predictable.
They set about buying second-hand ATMs on eBay to study the behaviour of their random number generators in detail. The researchers discovered that many of the systems produced little more than counters, making it possible for crooks to guess authorisation codes.
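The log examination described above can be run as an audit over the unpredictable numbers each terminal has logged. The following Python sketch is an added example, not code from the Cambridge team or from this article; the 4-byte field width, the thresholds, the terminal names and the sample values are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter

MASK32 = 0xFFFFFFFF   # assumption: the unpredictable number is a 4-byte field
MIN_SAMPLES = 8       # assumption: below this, no verdict is given

def audit_terminal(uns_hex):
    """Audit one terminal's unpredictable numbers (hex strings, in log order)."""
    uns = [int(h, 16) & MASK32 for h in uns_hex]
    if len(uns) < MIN_SAMPLES:
        return {"verdict": "insufficient-data", "samples": len(uns)}
    # 1. A repeated 32-bit value in a small sample should essentially never occur.
    repeats = len(uns) - len(set(uns))
    # 2. A counter shows up as one dominant difference between consecutive
    #    values; taking the difference mod 2**32 also catches wrap-around.
    deltas = Counter((b - a) & MASK32 for a, b in zip(uns, uns[1:]))
    delta, hits = deltas.most_common(1)[0]
    delta_share = hits / (len(uns) - 1)
    # 3. Bits that never change across the sample shrink the space of values.
    changed = 0
    for u in uns[1:]:
        changed |= u ^ uns[0]
    stuck_bits = 32 - bin(changed).count("1")
    # Thresholds are illustrative assumptions, not values from the research.
    weak = repeats > 0 or delta_share >= 0.5 or stuck_bits >= 8
    return {"verdict": "predictable" if weak else "ok", "samples": len(uns),
            "repeats": repeats, "dominant_delta": delta,
            "delta_share": round(delta_share, 2), "stuck_bits": stuck_bits}

def constructed_log():
    """Constructed sample data: three hypothetical terminals, 20 values each."""
    counter = [f"{(0x0001A3F0 + 3 * i) & MASK32:08X}" for i in range(20)]
    wrapping = [f"{(0xFFFFFFF6 + i) & MASK32:08X}" for i in range(20)]
    # SHA-256 output stands in for a well-behaved generator.
    good = [hashlib.sha256(bytes([i])).hexdigest()[:8] for i in range(20)]
    return {"ATM-A": counter, "ATM-B": wrapping, "POS-C": good}

if __name__ == "__main__":
    for terminal, uns in constructed_log().items():
        print(terminal, audit_terminal(uns))
```

Passing these three checks does not show that a generator is sound; the audit only flags the counter-like behaviour reported here.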
“The result is that a crook with transient access to a payment card – such as the programmer of a terminal in a Mafia-owned shop – can harvest authentication codes which enable a ‘clone’ of the card to be used later in ATMs and elsewhere,” the team concluded.
The group said it had already warned banks and card providers about the potential flaws, and was releasing the information now so that customers complaining about fraudulent transactions were better informed.
The research is being presented at the Cryptographic Hardware and Embedded Systems 2012 workshop in Leuven, Belgium this week.