Chip-and-PIN is broken


28 Responses to “Chip-and-PIN is broken”

  1. sic transit gloria C.F.A. says:

    Yep, and now the banks get to spend another fortune fixing this mess. I wonder if they asked any very old Germans whether committing to a flawed system was a good idea?

  2. Anonymous says:

    Not only is chip and pin broken but also CAP is useless. CAP which is used to secure online banking access is based on EMV chip and pin. A stolen card can be used to transfer money between accounts online without the need of the pin.

  3. LeFunk says:

    Fish and chips still stand solid.

  4. Marcel says:

    #1 dainel

    When your card is stolen, and you phone your bank to report it, they will automatically block all future transactions right? So this only works before you report it?

    They would block all transactions if there is a direct link between the terminal and the transaction processor, but there are still many retailers with an ‘off-line’ terminal.
    Now, the trick is, to not be greedy, because if you use the card for a large purchase, the retailer is required to ask for authentication by phone.
    But if you keep the amounts low enough, and you know which places to go to, you can, in principle, use that card until the date expires.
    And this happens a lot.
    And the only thing transaction processors can do is write it off as a loss.

    • VICTOR JIMENEZ says:

      An off-line terminal? I have never seen one of those, and it sounds pretty insecure; what if the account doesn’t have enough funds?
      In Spain, to stop credit card fraud, they created a law in which you must show your ID with your credit or debit card at any purchase.

      • 3eff_jeff says:

        Do tellers actually check your ID? Legally, in the US, they’re supposed to compare signatures, but less than 1-in-10 clerks actually glance at the back of my card. I know this because I write “CHECK PHOTO ID” next to the signature.

        A law that says the clerks must check photo ID doesn’t fix this problem. The banks need to be held responsible for their bad design. When they’re liable, it will be fixed.

  5. Anonymous says:

    Running a bank is a pretty good scam.

    You have money, so you get more money.

    You have other people’s money, so you get even more money.

    And, you get to lecture poor schlubs about how they need to be more responsible with their finances. Tsk tsk.

  6. McChud says:

    But what about Fish-and-Cushion?

  7. Anonymous says:

    I think Chip and PIN will soon be replaced with a technology like this:

  8. Sork says:

    I only use debit card. Offline transactions always require signature and ID card, online require chip+pin or in older terminals swipe+pin. And I can withdraw cash in any store during a purchase.

  9. entropyred says:

    This is great, I always forget my visa PIN!

  10. phisrow says:

    The cynic would note, of course, that the real purpose of this “security” system is to allocate liability. If the system is believed to be secure, the bank can argue that the customer must have negligently caused the compromise and refuse to eat the loss. The same phenomenon shows up occasionally in car security systems or the “verified by visa” system used for some online credit transactions in the US.

    Hopefully the authoritative demonstration that the system is not, in fact, secure will derail this attempt until the next “secure” system is developed.

    • PaulR says:

      “real purpose of this “security” system is to allocate liability”

      There’s a paper discussing this very thing... Lemme look for it... Ah, it’s also by Murdoch and Anderson:
      “Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication”

      It’s available online here:

      Sork: I avoid debit card use in stores: you’re responsible for any loss/fraud – not so for credit cards; notwithstanding these two papers.

      • Sork says:

        Depending on national laws you aren’t responsible for ANY loss if you are quick to report it and haven’t lost the card from your own bad actions.

        • AnthonyC says:

          Whether you’re responsible for fraudulent use or not, a credit card is likely to give you better results in practice. 1) Because no money is taken out of your account in the meantime when you’re trying to get fraudulent activity fixed (which can matter if you have other bills to pay), and 2) because the credit card company doesn’t get paid until you say so, while a bank gets its money immediately upon the debit purchase posting.

          • Sork says:

            A debit card has a limit, either by service or at least by your account balance, as opposed to a credit card which often has a limit much higher than your balance used to be. I keep only as much as I need for the moment on the account that my Visa is connected to, and the rest is transferred to another account used to pay my bills online, and get some interest. That is my personal safety line. So if someone tries to buy a computer with my card they will get “purchase denied” (they won’t ever see my balance), but with a credit card they would have bought it in my name and I’d have to fight the bill later. Every fraud is a hassle but I still think debit cards are safer, and they won’t put you in debt.

  11. RevEng says:

    Sometimes the easiest way to break a security system is to force it to fall back on less secure alternatives.

    The banks in my area started rolling out chip-and-PIN debit and credit cards within the last year. Since then, there have been several times when the terminal was unable to properly utilize the chip on my card, mainly because the contacts on the machine were worn out. When this happened, the retailer was able to do an old fashioned swipe-the-stripe transaction instead of using the chip. And many terminals still don’t support the chip at all.

    So, rather than having to reproduce a card with a working chip, you need to reproduce a card that appears to have a working chip, but doesn’t. When you try to use it, the chip fails, you put on a bit of a show, and the retailer will fall back on using the mag stripe. Chip avoided.

    For an unscrupulous retailer, the problem is even easier. All they have to do is claim their terminal can’t use the chip and use the stripe instead. They record the stripe and PIN the same way they always have, and they can produce the card (without a chip) as described above.

    If a security protocol involves an option, the attacker will always take the weakest option.
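RevEng’s fallback point, seen from the issuer’s or acquirer’s side: an added example (not from any commenter) that scores a constructed batch of card-present transaction records for abnormal chip-to-stripe fallback, both per terminal (a reader that “can’t use the chip” unusually often) and per card (a card whose chip fails at many different terminals, which fits a stripe-only clone better than one worn reader). The record format, thresholds and sample values are assumptions.

```python
"""Flag suspicious chip-to-magstripe fallback patterns in card-present
transaction records (added example; format and thresholds are assumed)."""
from collections import defaultdict

# Constructed sample records: (terminal_id, card_id, entry_mode).
# entry_mode "fallback" means the chip read failed and the terminal
# fell back to reading the magnetic stripe.
SAMPLE_TXNS = [
    ("T-100", "card-A", "chip"), ("T-100", "card-B", "chip"),
    ("T-100", "card-C", "fallback"), ("T-100", "card-D", "chip"),
    ("T-200", "card-E", "fallback"), ("T-200", "card-F", "fallback"),
    ("T-200", "card-G", "fallback"), ("T-200", "card-H", "chip"),
    ("T-300", "card-X", "fallback"), ("T-400", "card-X", "fallback"),
    ("T-500", "card-X", "fallback"), ("T-300", "card-A", "chip"),
]


def fallback_rates(txns):
    """Per-terminal [fallback_count, total_count]."""
    stats = defaultdict(lambda: [0, 0])
    for terminal, _card, mode in txns:
        stats[terminal][1] += 1
        if mode == "fallback":
            stats[terminal][0] += 1
    return dict(stats)


def suspicious_terminals(txns, min_txns=3, max_ratio=0.5):
    """Terminals with enough volume to judge whose fallback share
    exceeds max_ratio: a worn reader or a reader that 'never works'."""
    flagged = []
    for terminal, (fb, total) in fallback_rates(txns).items():
        if total >= min_txns and fb / total > max_ratio:
            flagged.append(terminal)
    return sorted(flagged)


def suspicious_cards(txns, min_terminals=3):
    """Cards whose chip fails at several distinct terminals. One bad reader
    explains one failure; the same card failing everywhere does not."""
    terminals_seen = defaultdict(set)
    for terminal, card, mode in txns:
        if mode == "fallback":
            terminals_seen[card].add(terminal)
    return sorted(c for c, t in terminals_seen.items() if len(t) >= min_terminals)


if __name__ == "__main__":
    print("terminals:", suspicious_terminals(SAMPLE_TXNS))  # ['T-200']
    print("cards:", suspicious_cards(SAMPLE_TXNS))          # ['card-X']
```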

  12. Sork says:

    While on subject, and signed signature validation has been mentioned, I have to link the classic credit card prank (a.k.a. “How crazy would I have to make my signature before someone would actually notice?”) for those who are new to the internet.

    Part I.

    Part II.

    • kromelizard says:

      There isn’t really much of a prank there. From the retailer side of things all that’s needed to get paid for a card present transaction is to get either a physical or electronic imprint, an authorization for the amount of the transaction from the bank, and a signature. There is no particular requirement to VERIFY the signature at all, there just has to be one. If a retailer can present these three things for a transaction, they get paid, regardless of whether or not it’s fraudulent.

      That’s why nobody cares if you sign your card, it’s only your security the lack of a signature threatens and the smart retailer doesn’t put itself in the position of unnecessarily policing their own customers. Forcing customers to sign their own cards for their own protection only threatens to alienate people with absolutely no benefit to the retailer.

      • Sork says:

        No, you are wrong. Maybe the staff doesn’t care, but the store owner really does.

        “The liability for fraud lies on the merchant, not the credit card company. The merchant must pay the full cost of the fraud plus a chargeback fee (unless the merchant’s chargeback insurance covers it).”

        “The merchant loses the goods or services sold, the payment, the fees for processing the payment, any currency conversion commissions, and the amount of the chargeback penalty. For obvious reasons, many merchants take steps to avoid chargebacks—such as not accepting suspicious transactions.”

        • kromelizard says:

          I do this for a living. The liability only lies on the merchant for a card present transaction if they cannot produce the imprint, the signed receipt, and an authorization for the charge. When the retailer can present these three things the bank eats the cost of fraud. That wiki is pretty crap.

          • Sork says:

            Every source I’ve found tells the same thing as the wiki. Maybe this has something to do with national laws or local banks? Or if the card is present/absent (ecommerce)? Or rules that have changed recently?

          • kromelizard says:

            There are different authorization procedures for different kinds of transactions. Virtually all of those sources seem to deal with online businesses, which I have not been talking about since it’s not really relevant to that “prank”. Nobody produces a signature for an internet sale. What I am telling you is what I know: brick and mortar retail business. And in the brick and mortar world when we get a chargeback we present those three items I listed and then we get paid. So sign whatever the hell you want on the back of your card or on the signature slip, I’m not policing your money for you.

  13. Anonymous says:

    “…bit of an own goal.”

  14. gollux says:

    Add this to the strategically drilled hole and probe skimmer that allows you to jack the decrypted information straight out of the terminal.

  15. dainel says:

    When your card is stolen, and you phone your bank to report it, they will automatically block all future transactions right? So this only works before you report it?

    Anyway, you still cannot clone the actual chip. Right?

  16. AlisdairC says:

    phisrow has it absolutely right. Even at introduction it was pointed out that chip’n’pin wasn’t anywhere near foolproof, but the banks chose to assume it is, and so operate on a presumption (backed in the UK by our craven government) that the cardholder is liable.

  17. riazm says:

    So what are we meant to do about it?
