New flaws in chip and pin

[G+_Dallam Oliver-Lee]

New flaws in chip and pin

[G+_Christopher Lowery]

That's bad...but nowhere near as bad as the thirty plus year old system the U.S.still relies on. Chip and pin is still worlds ahead of us; we need to get in to the current century.

[G+_Stefan Schüller]

Can't banks just block the card from accepting signature transactions?

[G+_Curtis Blackburn]

How old is this video?

[G+_Dave Trautman]

So, if I understand this video correctly I need to be in physical possession of someone's card in order to clone it to another blank and assign a zero pin configuration on it.  As I recall I have not handed over my chip-pin card to anyone in the past couple of years.  I also see from the video the card has to remain connected to some sort of circuitry in order to spoof the card reader at the retail outlet.  Seems a rather clumsy demonstration of something which very few people will have to deal with.

 

I've been using a couple of chip-pin cards for a long time now and I've only been defrauded three times.  Each time it was the retailer who was the culprit.  The last was an employee who was recording all the transactions and gathering PIN information at the counter.  The second last was a retailer who was going out of business and resorted to selling the information from customers.  But the first was technically much more brilliant than the Cambridge Team demonstrated.

 

The first time I was told my card was fraudulently used was after buying a burger in a Wendy's.  The reader had been replaced by really good con-men for one they had outfitted with a bluetooth transmitter.  They then sat in a van outside the Wendy's and received data from the reader for most of a day.  It was only when they were testing the cards in another city and province that this came to light.  They were found and prosecuted because the system, which monitors the transactions for the various banks here, saw too many people from one city buying things in another city.  What money they did take was returned to me once I filled out my police report.

 

In all the other instances the fraud was detected before anyone got at my cash.  The third was interesting in that I was in line just ahead of a pair of cops who were asking to talk to an employee who appeared not to be on shift right then.  Within hours I was notified to come and change my PIN and produce my card.

 

There are actually many stories told of people who made a series of purchases in a single day (or within a few hours) which triggered a pattern of buying normally associated with criminals who steal cards.  These people were contacted and had to verify they were rightfully in possession of their card.  I too had this happen and was happy to take a call from VISA regarding my day's purchases.  There are some red-flag combinations which immediately cause a card monitor to stop payments and contact the owner.  At least where I live (which is not in the USA).

 

As much as there may be a way to neutralize a card by cloning it and put your own PIN on it, this is not the kind of flaw which would need to re-think the entire process.  I believe a simple 'confirmation' step would be possible to ensure the PIN was not compromised.  As was inferred from the report video it would be possible to check against the recorded transactions on a card with recent purchases to determine if a clone of it existed.  Some card terminals could be capable of randomly checking with the system and seeing if the transaction record was inconsistent with the card being used.

 

Does this not also make a stronger case for the fingerprint authentication system in Apple's new phone being used to identify the person making a payment on their ?PAY service?

[G+_Dallam Oliver-Lee]

They got software running on their man in middle device that allows them to extract the data from the origional credit card or cloned credit card. They found ways to clone chip and pin too. The man in the middle device allows them to type whatever pin they want anf the merchant system thinks its the right pin. The pin never gets transmitted to the bank for verification. ?

 

Detailed technical video of flaw: