10:22 AM
Cambridge Scientists Demonstrate Vulnerability of Chip Cards
Computer scientists in the U.K. have found a way to trick point-of-sale terminals into accepting virtually any made-up PIN to authorize a transaction made with a chip card. This is one more discouragement to the U.S. card industry, which has been slow to adopt chip cards for cost reasons.
A BBC Newsnight segment on the Cambridge work will air tonight at 10:30 but can be viewed here. The team have also authored a technical paper, "Chip and PIN is Broken."
According to the researchers, fraudsters can easily insert a "wedge" between the stolen card and the terminal, which tricks the terminal into believing that the PIN was correctly verified. In fact, the fraudster can enter any PIN, and the transaction will be accepted. They have tested this attack against cards issued by most major U.K. banks, and it has worked every time.
The researchers also say that victims of such attacks may have difficulty obtaining a refund from their bank. The receipt produced will state "Verified by PIN," and bank records will show that the correct PIN was used. Banks may then argue that the customer must have been negligent and allowed the criminal to learn their PIN. Such attacks do not require technical sophistication and can be carried out with equipment that can be easily hidden in a backpack, the academics say.