Chip and pin flaws - are security evaluations robust?

Researchers at Cambridge University Computer Laboratory say they have shown that chip and pin machines are not as secure as the banking industry claims.

They claim that two widely-deployed models of pin entry devices fail to protect customers’ card details and pins adequately. BBC 2’s Newsnight on 26 February 2008 broadcast a short film on the findings of the Cambridge researchers.

Fraudsters, say the researchers, can easily attach to the PIN entry device a ‘tap’ that records PIN and account details as they are transmitted between the card and the PIN pad. Armed with this information, fraudsters can create a counterfeit card and withdraw cash from ATMs abroad.

One of the researchers, Steven Murdoch, says: ‘We have successfully demonstrated this attack, on a real terminal borrowed from a merchant.’

The researchers question the system under which bank terminals are certified. Visa and APACS have certified the devices mentioned by the researchers as secure, and suppliers are promoting the equipment to retailers.

Ross Anderson, professor of Security Engineering at Cambridge, says that the weaknesses exposed by Cambridge researchers apply to other equipment such as voting machines and electronic medical record systems.

He said:

“Where the public are forced to rely on the security of a system, we need honest security evaluations that are published and subjected to peer review.”

Another of the Cambridge researchers, Saar Drimer, said: “The vulnerabilities we found were caused by a series of design errors by the manufacturers. They can be exploited because Britain’s banks set up the chip and pin system in an insecure way.”

He continued: “These pin entry devices failed to protect the communication path that carries the card data from the card to the pin pad, and that carries the pin from the pin pad back to the card. A villain who taps this gets all the information he needs to make a fake card, and to use it.”

APACS and Visa have said that the devices were evaluated under the Common Criteria, an international evaluation scheme administered in the UK by GCHQ; but the researchers say that GCHQ’s officials have no record of this.


Since the blog entry above was posted, Cameron Olsen, VP of Business Development at chip and pin software specialist Smart Technology Solutions, has written about the “big flaw” with many cards as they are now:

“There is no evidence that says that chip technology has been cracked. Yes, the UK does use Static Data Authentication [SDA] cards; however there will be a move towards Dynamic Data Authentication [DDA] at some point which will provide more security.

“The UK banks are now paying some of the price for going with SDA rather than DDA cards when they were rolling out chip & PIN.

“The big flaw with cards at the moment is the fact that there are legacy magnetic stripes on the cards. This technology is exceptionally insecure and there needs to be a strong push to do away with this technology. The fraud cases highlighted by the article are more than likely to be magnetic-stripe fraud and the one chip fraud mentioned is almost 100% likely to have been fraud on the magnetic-stripe where the chip was damaged (forcing it back to the magnetic-stripe) or the card has been used by someone unauthorised.

“Additionally, the Payments Card Industry Pin Entry Device is currently dealing with the physical security of chip & PIN, by rolling out their 1.3 and 2.0 standards, to ensure that the PIN code and related data are kept secret. These standards are an upgrade from the old Visa PED standard.”

[Smart Technology Solutions provides smart card software that relays information contained on smart cards to hardware devices such as a retail payment terminal and connected IT systems.]
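Olsen’s point that a move from SDA to DDA “will provide more security” connects directly to the tap the Cambridge researchers describe. The toy model below is an added illustration, not code from the researchers, from Smart Technology Solutions, or from any EMV implementation: it uses textbook RSA on deliberately tiny constructed primes (no real card uses keys this small), a constructed sample card record, and invented command names (`READ`, `INTERNAL_AUTH`). What it shows is the protocol property that matters for a defender: when the card only ever presents issuer-signed static data, a transcript recorded on the card-to-terminal path contains everything needed to reproduce the card’s side of the authentication, whereas a per-transaction challenge signed with a key that never leaves the card cannot be reproduced from a recording.

```python
"""Toy model of static (SDA) versus dynamic (DDA) card authentication.

Constructed example with textbook RSA on tiny primes; this is NOT EMV and the
key sizes are insecure by design. It demonstrates why a recorded transcript
reproduces a static authentication but not a challenge-response one.
"""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    n: int
    e: int
    d: int = 0  # 0 in a public-only copy


def make_keypair(p: int, q: int, e: int = 65537) -> Key:
    # Textbook RSA from two known small primes (constructed, illustration only).
    phi = (p - 1) * (q - 1)
    return Key(n=p * q, e=e, d=pow(e, -1, phi))


def public(key: Key) -> Key:
    return Key(n=key.n, e=key.e)


def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key: Key, data: bytes) -> int:
    return pow(digest(data, key.n), key.d, key.n)


def verify(pub: Key, data: bytes, sig: int) -> bool:
    return pow(sig, pub.e, pub.n) == digest(data, pub.n)


ISSUER = make_keypair(1000000007, 998244353)    # issuer signing key (constructed)
CARD_KEY = make_keypair(1000000009, 999999937)  # per-card key for DDA (constructed)
STATIC_DATA = b"PAN=4000000000000002;EXP=0310"   # constructed sample card record


class SdaCard:
    """Carries issuer-signed static data; computes nothing per transaction."""
    def __init__(self):
        self.record = (STATIC_DATA, sign(ISSUER, STATIC_DATA))

    def respond(self, cmd, arg=None):
        if cmd == "READ":
            return self.record
        raise ValueError(cmd)


class DdaCard:
    """Holds a private key; the issuer certifies (static data, card public key)."""
    def __init__(self):
        pub = public(CARD_KEY)
        cert_body = STATIC_DATA + b";PUB=" + f"{pub.n}:{pub.e}".encode()
        self.record = (cert_body, sign(ISSUER, cert_body))

    def respond(self, cmd, arg=None):
        if cmd == "READ":
            return self.record
        if cmd == "INTERNAL_AUTH":      # sign the terminal's fresh challenge
            return sign(CARD_KEY, arg)
        raise ValueError(cmd)


class Tap:
    """Passive recorder on the card-to-terminal path (the threat on the page)."""
    def __init__(self, card):
        self.card, self.log = card, []

    def respond(self, cmd, arg=None):
        out = self.card.respond(cmd, arg)
        self.log.append((cmd, arg, out))
        return out


class Replayer:
    """Answers only with responses seen in a recorded transcript."""
    def __init__(self, log):
        self.answers = {cmd: out for cmd, _arg, out in log}

    def respond(self, cmd, arg=None):
        return self.answers[cmd]


def terminal_sda(card) -> bool:
    data, sig = card.respond("READ")
    return verify(public(ISSUER), data, sig)


def terminal_dda(card) -> bool:
    cert_body, cert_sig = card.respond("READ")
    if not verify(public(ISSUER), cert_body, cert_sig):
        return False
    n, e = (int(x) for x in cert_body.split(b";PUB=")[1].split(b":"))
    nonce = secrets.token_bytes(16)  # unpredictable, fresh per transaction
    return verify(Key(n, e), nonce, card.respond("INTERNAL_AUTH", nonce))


def genuine_then_replay(card_cls, terminal):
    """Run a genuine card through a tapped terminal, then replay the transcript."""
    tap = Tap(card_cls())
    return terminal(tap), terminal(Replayer(tap.log))


if __name__ == "__main__":
    print("SDA genuine/replay:", genuine_then_replay(SdaCard, terminal_sda))
    print("DDA genuine/replay:", genuine_then_replay(DdaCard, terminal_dda))
```

The model deliberately leaves out PIN handling, the magnetic stripe and issuer authorisation, so it says nothing about the other fraud routes Olsen mentions; it isolates one design choice, whether the card ever proves possession of a secret that is not on the wire. That is also the check a reviewer would want from an evaluation: not whether the signed data is genuine, but whether anything in the transaction could not have been produced from a recording of an earlier one.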


My blogger colleague David Lacey has made this point about the findings of the Cambridge researchers:

“I see that Cambridge University have hit the news again with claims of flaws in Chip and PIN reader technology.

“All commercial systems have security weaknesses. They are a compromise between cost and potential losses. We don’t always get it right. Sometimes we spend too much, sometimes too little. What counts is whether the weaknesses actually lead to losses, and there’s no evidence that any attacks of this nature are being mounted or contemplated.

“But regardless of that, it’s irresponsible to publicise weaknesses that cannot be readily addressed in systems affecting millions of customers.”


David Lacey’s blog

Common Criteria project

Cambridge University website on chip and pin vulnerabilities

Cambridge academic paper

Cambridge University uncovers chip and pin flaws