Researchers Punch Huge Hole in European Payment Cards

Cambridge payment card attack gate array board

Security researchers from the University of Cambridge have demonstrated a flaw with chip-bearing payment cards widely used throughout Europe that could potentially let criminals use any PIN code to confirm a transaction is legitimate, completely bypassing the card’s safety technology. The attack requires detailed knowledge of how the chip-and-PIN cards operate along with some external hardware: it basically executes a man-in-the-middle attack that fools point-of-sale terminals into believing they have received a valid PIN number, regardless of the digits entered.

In the program, a researcher illustrated the attack at a cafeteria at the University of Cambridge: wearing a backpack with a laptop computer and a field-programmable gate array board, he inserted a fake card into a sales terminal while connected to real payment cards. In each case, the the sales terminal accepted the transactions, even though the researcher entered a pin of “0000” in each case. Although the attack does require knowledge and hardware, researchers describe the level of sophistication of the attack as low, and the relatively compact equipment is unlikely to be noticed by typical shop or sales staff. The attack doesn’t work at ATM machines, but does work for most other online or offline payment card transactions.

“We have tested this attack against cards issued by most major UK banks,” said researcher Dr. Steven Murdoch, in a statement. All have been found to be vulnerable.”

“We’ve shown that it’s easy to use a card without knowing the PIN—and the receipt will say the transaction was ‘verified by PIN’ even though it wasn’t, “said Professor Ross Anderson. “”This is not just a failure of bank technology. It’s a failure of bank regulation. The ombudsman supported the banks and the regulators have refused to do anything. They were just too eager to believe the banks.”

The researchers informed the banking industry about the attack about two months ago; the researchers plan to publish their findings at the IEEE Symposium on Security and Privacy this May in California. Over 700 million chip-and-pin cards are in use around the world, including in most European countries and parts of Canada. The cards are not used in the United States, although there has been some discussion of introducing them.

Cambridge man-in-the-middle payment card attack