A research team from Cambridge University has identified serious flaws in the Chip and Pin system, allowing fraudsters to use a stolen debit or credit card without knowing the Pin.
The stolen card is linked up to a device, which in turn is connected to a fake card, which the criminal slots into the shop’s card reader. The fraudsters’ trick exploits the crossover from transactions being authorised by the cardholder’s signature to the use of a 4-digit code. The card terminal is tricked into thinking that the correct Pin has been entered, while the card is tricked into thinking a signature has been provided.
Speaking on the BBC’s Newsnight programme, Professor Ross Anderson of Cambridge University said: ‘This is one of the biggest flaws that has ever been uncovered against payment systems. This is a flaw on a system that is used by hundreds of millions of people, by tens of thousands of banks, by millions of merchants.’
As a cross sample for the BBC2 programme, the team tested four random cards – two credit cards from HSBC and John Lewis and two debit cards from Barclays and the Co-operative Bank. All four cards were cracked using the system.
Note of caution sounded by industry
Gareth Wokes of secure payment company The Logic Group was sceptical about the new research: ‘I find the tone of this dumbed-down research alarmist. Fraudsters are always pushing the barriers and trying to find new ways to navigate security measures – it is not a static situation. And just as the fraudsters continue to innovate, so too does the payment industry, which invests vast sums of money in continuous improvements to card payment security.’
New Chip and Pin research must be investigated
Martyn Saville, Which? Principal Researcher, commented: ‘Chip and Pin has undoubtedly prevented a significant amount of card fraud since it was introduced in 2004. However, this new research is very worrying for consumers and must be investigated as a matter of urgency.
‘Our research shows around 14% of consumers feel they have lost out financially due to some form of card fraud. And we have received several complaints from consumers whose cases can’t be explained away by shoulder surfing at a cash machine or carelessly writing down their Pin.’
What is Chip and Pin?
Since 2004, most UK-issued debit and credit cards have contained an embedded microchip. To use the card in a shop or cash machine, you have to enter a 4-digit code, known as the Pin (Personal Identification Number). Chip and Pin has been obligatory for most UK cardholders since 14 February 2006.
For more information on avoiding card fraud, including our video with expert tips, read the free Which? guide to beating identity fraud.
Which? Money when you need it
You can follow @WhichMoney on Twitter to keep up-to-date with our Best Rates and Recommended Provider product and service reviews.
Sign up for the latest money news, best rates and recommended providers in your newsletter every Friday.
Or for money-saving tips, and news of how what’s going on in the world of finance affects you, join Melanie Dowding and James Daley for the Which? Money weekly money podcast
For daily consumer news, subscribe to the Which? news RSS feed here. And to find out how we work for you on money issues, visit our personal finance campaigns pages.