Chip & PIN Broken

ZDNet: Chip-and-PIN readers can be tricked into accepting transactions without a valid personal identification number, opening the door to fraud, researchers have found.

Researchers at Cambridge University have found a fundamental flaw in the EMV — Europay, MasterCard, Visa — protocol that underlies chip-and-PIN validation for debit and credit cards.

As a consequence, a device can be created to modify and intercept communications between a card and a point-of-sale terminal, and fool the terminal into accepting that a PIN verification has succeeded.

“Chip and PIN is fundamentally broken,” Professor Ross Anderson of Cambridge University told ZDNet UK. “Banks and merchants rely on the words 'Verified by PIN' on receipts, but they don't mean anything.”

(Also, see Ross’s paper on 3D Secure.)