Chip and PIN flaw could sting cardholders

A FLAW has been discovered with chip and PIN technology which could result in Irish credit card holders being liable for any money stolen from them.

Researchers at Cambridge University have discovered a way stolen credit and debit cards can be used by fraudsters without them knowing the PIN number.

It involves a fraudster putting a stolen card into a shop’s reader and linking it with a second reader in their back pack that would send a signal to the terminal to say the PIN is OK.

Colm Fagan, head of security at Irish IT security firm, Espion, said if this scam was to hit Ireland it could mean that a victim would have their claim for a refund turned down because when chip and PIN was introduced it transferred the onus to the owner of the card as they would be the only ones who would know the PIN number.

Professor Ross Anderson of Cambridge University, who worked on the research said chip and PIN is “fundamentally broken”.

“We think this is one of the biggest flaws that has ever been uncovered against payment systems, and I’ve been in this business for 25 years,” he said.

However Mr Fagan said the threat to Irish card holders is “quite low”.

“If you look down through the chain of what is needed to carry this out it’s pretty long and any merchant would want to be blind not to notice that this was going on.

“However technology is advancing all the time and a discrete version could be developed but it is good that this has been discovered now so that security measures can be developed to stop it happening,” he said.

The Cambridge researchers said they carried out a test that tricked a card reader into authenticating a transaction, even though no valid PIN was entered.

However credit and debit card providers have dismissed the claims that fraudsters were able to exploit flaws in the chip and PIN system.

The Irish Payment Services Organisation (IPSO) said chip and PIN is the safest form of payment and has reduced specific types of fraud by up to 60% in recent years.

Chip and PIN was introduced in Ireland in 2006 and involved the rollout of 47,000 terminals and over 3.5 million cards.

The British Cards Association said while the research shows it it possible to steal money this way, it does not mean it is practical. A spokeswoman said: “We believe that this complicated method will never present a real threat. It requires possession of a card and unfortunately there are much simpler ways to commit fraud at much less risk to the criminal. This fraud is also detectable.”

More in this section

Puzzles logo
IE-logo

Puzzles hub

Visit our brain gym where you will find simple and cryptic crosswords, sudoku puzzles and much more. Updated at midnight every day.

Puzzles logo
IE-logo

Puzzles hub

Visit our brain gym where you will find simple and cryptic crosswords, sudoku puzzles and much more. Updated at midnight every day.