Credit Card Information You Need to Know

25 Feb

Chip and PIN is no longer secure

Earlier this month, Cambridge University demonstrated successful attacks on Chip and PIN technology. Nobody is surprised. After reading numerous reports from reputable sources, here’s what we’ve been able to determine.

First, it’s important to note that Chip and PIN has been ubiquitous in the UK for several years and is currently being deployed in Canada. There hasn’t been widespread use in the US yet but the technology is being pushed.

Apparently, nobody ever thought it was secure. I certainly didn’t, because I don’t believe any credit card technology is secure, just that some are a little more secure than others. It’s been reported that HSBC in London, one of the world’s largest banks, issued this statement about the Cambridge announcement:

“Although they have raised a clear security concern with regards to chip-and-PIN, which we are taking very seriously, the problem highlighted is relevant to all card issuers and not just HSBC.”

Note that nowhere in that statement did they deny that the hack was a reality.

According to at least one report, the equipment needed to accomplish the hack was too big and bulky to go unnoticed. But there are others who claim to have seen and video-recorded the attack, and that it went totally unnoticed. I haven’t found any posted video yet, so I can’t say one way or the other. But I would ask you how much suspicion a person with a backpack or laptop bag would attract. My guess is, not very much. Cashiers don’t even look at signatures these days. Whether the hacking technology is palm-sized or truck-sized, the fact remains that it can be done.

As usual, what we’re seeing is that the banks have no incentive to make this, or any, technology secure because they can pass the liability off to others. In this case, it looks like it will be the cardholder. The reason for this, apparently, is quite simple. The hack collects enough information from a transaction to make subsequent fraudulent transactions look like the PIN was entered. That puts the burden squarely on the cardholder.

Even more interesting is a report contained in a story from SecureIDNews. This story said that, “The Smart Card Alliance has reviewed the hack along with other industry organizations and concluded that widespread implementation of this attack is unlikely.” The mysterious part is that, according to Smart Card Alliance spokeswoman Deb Montner, the Smart Card Alliance, to her knowledge, has reached no such conclusions and has issued no such statement.

I won’t go into how the hack is carried out. I’m not a security expert so most of it is over my head. If you’re interested, there are some details in a recent Store Front Backtalk article.

We probably won’t see any widespread hacks from this any time soon, but I believe that once they start, they’ll grow rapidly. Cardholders will pay the price.


© 2009-2010 Merchant911, LLC All Rights Reserved - Distribution Encouraged