Cambridge University researchers have found a flaw in the Chip and PIN system that could open the door to fraud.
The researchers managed to trick a card reader into authenticating a transaction, even though no valid PIN was entered. It involves a second card reader in a back pack, which the researchers called the “man-in-the-middle”.
The fraudster puts the stolen credit or debit card into the shop’s reader but then the second reader sends a ‘PIN okay’ signal to the shop terminal. The shop terminal sends back a transaction go-ahead signal to the terminal with the stolen card and money is taken off it.
Saar Drimer, one of the Cambridge team, said: “At the end the receipt says ‘verified by PIN’ so the bank is going to think the PIN is entered directly, but the criminal actually did not know the PIN.”
The researchers, who have contacted banks about the loophole, said the engineering and programming skills necessary to make a man-in-the-middle device to conduct the attack are relatively simple.
There are ways the banks could upgrade the Chip and PIN system that would prevent this attack working for most transactions in the UK, said Steven Murdoch, who also took part in the Cambridge University research
Two years ago the same team showed that criminals could tap into the communications between a pin terminal and a customers’ card and access enough information to create a cloned card.