Academics have raised serious questions about the security of the Chip and Pin payment system after demonstrating security flaws that allow criminals to make payments from a stolen card without the Pin.
Researchers at the University of Cambridge say the flaws are so serious that banks, credit card companies and retailers should consider the Chip and Pin system broken, until it is redesigned.
Banks have long claimed that it is not possible for criminals to make payments using stolen Chip and Pin cards without knowing the Pin, but the Cambridge researchers have shown that criminals can use a "Man in the middle" attack to trick payment terminals into accepting card payments without the four-digit Pin.
"Attacks such as this could explain the many cases in which a card has supposedly been used with the Pin, despite the customer being adamant that they have not divulged it," the researchers argue in a paper published by Cambridge University's Computer Laboratory.
The paper describes a flaw in EMV, the protocol used for smart card payments, which can be exploited by criminals to trick the card into thinking the owner is authenticating the card with a signature, while the terminal believes the transaction is made with a Pin.
"The upshot is that you can buy stuff using a stolen card and a Pin of 0000 or anything you want," Ross Anderson, a professor at Cambridge University, wrote in a blog post. "We did so on camera, using various journalists' cards. The transactions went through fine.
"We get reports weekly from victims of phantom withdrawals. These include large numbers of stolen cards used to make purchases in the window between theft and the cancellation of the card," said Anderson.
"Currently these victims are denied refunds by their bank, but this attack could explain some of the fraud we are seeing," he said.
Steve Brunswick, strategy manager at Thales Information Systems Security, said that despite the findings, Chip and Pin is the most secure way of protecting payment transactions currently available.
"The bigger problem lies not with Chip and Pin technology itself, but rather with the differing levels of adoption of advanced security technologies and procedures across the industry," he said.