Chip and pin credit card weakness exposed by Cambridge researchers

Chip and pin credit card payment machines could effectively be cloned by exploiting a security flaw, researchers claim. Credit cards were found to be open to a form of cloning, despite past assurances from banks that chip and pin could not be compromised.

Poor implementation of cryptographic methods was behind the flaw, researchers said.

They accused some banks of “systematically” suppressing information about the vulnerabilities.

The team’s research was presented at a cryptography conference in Leuven, Belgium.

The paper said despite chip and pin being in use for over a decade, it was only recently “starting to come under proper scrutiny from academics, media and industry alike”.

Each time a customer is involved in a chip and pin transaction, be it withdrawing cash or purchasing goods in a shop, a unique “unpredictable number” is created to authenticate the transaction.

The unpredictable number (UN), generated by software within cash points and other similar equipment, is supposed to be chosen at random.

But researchers discovered that in many cases lacklustre equipment meant the number was highly predictable, because dates or timestamps had been used.
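As an added example (not from the researchers' paper or this article), here is a check a bank or terminal vendor could run over the UNs logged from one terminal to spot the date- or counter-derived values described above. The function name, the thresholds and both sample sequences are constructed assumptions.

```python
import hashlib

UN_BITS = 32  # the EMV Unpredictable Number (tag 9F37) is 4 bytes long
MASK = (1 << UN_BITS) - 1

def audit_un_sequence(uns, min_samples=32):
    """Audit UNs (ints, in the order one terminal issued them) for predictability.

    Thresholds are illustrative assumptions, not values from the paper.
    """
    if len(uns) < min_samples:
        raise ValueError(f"need at least {min_samples} samples")
    # Bits that never change across the sample carry no entropy.
    always_one = always_zero = MASK
    for un in uns:
        always_one &= un
        always_zero &= ~un & MASK
    stuck_bits = bin(always_one | always_zero).count("1")
    # A clock or counter shows up as small positive steps between successive UNs.
    steps = [(b - a) & MASK for a, b in zip(uns, uns[1:])]
    small_step_ratio = sum(0 < s < (1 << 16) for s in steps) / len(steps)
    # Repeats in a short sample are vanishingly unlikely for a 32-bit random value.
    repeats = len(uns) - len(set(uns))
    findings = []
    if stuck_bits:
        findings.append(f"{stuck_bits} of {UN_BITS} bits never change")
    if small_step_ratio > 0.25:
        findings.append(f"{small_step_ratio:.0%} of steps look like a counter or clock")
    if repeats:
        findings.append(f"{repeats} repeated value(s)")
    return {"stuck_bits": stuck_bits, "small_step_ratio": small_step_ratio,
            "repeats": repeats, "findings": findings, "predictable": bool(findings)}

# Constructed sample: a hypothetical terminal that derives the UN from a seconds clock.
WEAK_SAMPLE = [0x4FD0A000 + 37 * i + (i * i % 11) for i in range(64)]
# Constructed sample: stand-in for a sound generator (first 4 bytes of SHA-256 of an index).
GOOD_SAMPLE = [int.from_bytes(hashlib.sha256(bytes([i])).digest()[:4], "big")
               for i in range(64)]

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("good", GOOD_SAMPLE)):
        report = audit_un_sequence(sample)
        print(name, "PREDICTABLE" if report["predictable"] else "ok", report["findings"])
```

A clean result here only means the sample shows none of these three patterns; it does not prove the generator is cryptographically sound.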

“If you can predict the UN, you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location,” said researcher Mike Bond in a blog post.

“You can as good as clone the chip. It’s called a pre-play attack.”

The researchers said they had been in contact with leading banks to detail the risks, but some had been “explicitly aware of the problem for a number of years”.

“The extent and size of the problem was a surprise to some,” the report said. “Others reported already being suspicious of the strength of unpredictable numbers.”

The paper added: “If those assertions are true, it is further evidence that banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds.”

The team called for greater scrutiny from financial authorities into the security systems in use by banks.

Chip and pin is the leading processing and authentication method for credit and debit card payments, with many more than a billion cards in use worldwide.

Believed to be far more secure than previous technology, such as a magnetic strip, adoption of chip and pin had led to banks becoming more aggressive when dealing with compensation claims, the researchers said.