Chip and PIN Credit Cards: More Secure, But Not Perfect

By on Oct 26, 2015

Not too long ago I discussed a big change coming to your credit and debit cards—the Chip and PIN system. Overall, the change is a good one: it gives consumers credit cards armed with small, hard-to-copy computer chips and an updated, far more secure method of payment.

But far more secure doesn’t mean it’s completely secure. In fact, one critical part of the Chip and PIN system—the ability to verify the Personal Identification Number (PIN)—was compromised before the system was even released in the United States.

Here’s what happened:

Back in 2010, a group of Cambridge University security researchers published a paper detailing a theoretical attack on credit and debit cards equipped with Chip and PIN technology. The attack was what we call a “Man-in-the-Middle” attack—in which an attacker intercepts a message between two parties and replaces it with their own.

What the researchers did was complicated. According to WIRED, the group took a Chip and PIN card, modified it with with a customizable chip, and hooked it up to a large board which was then connected to a laptop running attack software. Once the faux card was hooked into a terminal the attack software went into play. From there, the group could enter any PIN number they wished and have an approved transaction.

While the process proved to be quite complex, the Cambridge researchers warned the system could be miniaturized. A year later, a group of five French cybercriminals were arrested — and with them, 40 modified Chip and PIN cards were confiscated.

So, what happened?

Well, the group of five cybercriminals found an ingenious way of miniaturizing the Cambridge University attack down to a single card. The criminals simply soldered a FUNcard chip—a programmable mini chip for hobbyists—onto a stolen Chip and PIN card. When used, the FUNcard chip would intercept an authentication query, in which the terminal asks the card to verify an entered PIN number, and force the card to say “yes” regardless of what PIN was actually entered. The transaction would then proceed as normal.

The resulting case has created big waves. Banks, credit card issuers and terminal producers have learned from this attack and created countermeasures for card systems in Europe. Upgrades for card systems in the United States shouldn’t be too far behind.

Regardless, this case is a great reminder that even the most modern security innovations can be compromised and the lengths cybercriminals will go to bypass security measures.

So, you’re probably asking, how can you protect yourself from this? If your card ever is lost or stolen, there are a few things you can do:

Cancel your card. The first step to protecting your bank account in the event of a missing card is to cancel that card. While Chip and PIN systems are mostly secure, they do have weaknesses. Cancel your card to shut down any attempts to compromise your accounts.

Examine your bank statements closely. Keeping a close eye on your bank statements can reveal telltale signs of criminal activity. Small charges, for example, can be evidence of crooks seeking access to your bank account. If you see a suspicious charge, call your bank and investigate.

Check your credit score. Not all fraud happens on bank statements. Monitor your credit score to keep an eye out for identity theft. As a United States citizen, you’re entitled to three free credit reports a year. If you suspect someone else is using your identity, or if you simply want more control over your credit, implement a credit freeze.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and Like us on Facebook.

gary

About the Author

Gary Davis

Gary Davis was previously McAfee's Consumer Security Evangelist providing security education and advice to businesses and consumers. He is a sought-after speaker on trends in digital security, appearing at conferences and events, as well as security and consumer lifestyle broadcast outlets and publications such as ABC, NBC, FOX, the Wall Street Journal, USA Today, Money ...

Read more posts from Gary Davis

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to McAfee Securing Tomorrow Blogs