Researchers at the University of Cambridge’s Computer Laboratory have uncovered vulnerabilities in the chip and PIN system.

According to the research, it is possible to use credit and debit cards without knowing the correct PIN, by exploiting the way the remote reader contacts the main shop terminal.

"Chip and PIN is fundamentally broken," said Professor Ross Anderson, one of the four researchers. Criminals could utilise this vulnerability, and would need little technical expertise to do so.

The research shows that potential criminals could buy a pre-configured ‘kit’, which they could take into a shop, hidden, for example, in a backpack. The kit would send a signal to the main terminal telling it that the correct PIN had been entered.

Although there are no known instances of such an attack occurring, there is concern that the weaknesses in the system will be exploited before they are fixed. As soon as one criminal works out how to configure the duplicate reader correctly, this type of fraud could spread quickly and to devastating effect.

This is particularly worrying, because there would be no way for a bank to tell when such fraud has occurred. The researchers found that the receipt still says “verified by PIN”. As a result, victims may find it extremely difficult to reclaim their money.

The response from students at Cambridge was mixed. “I can’t believe this is true,” said Alexander Glasner, a third-year from Girton. “I have a lot of money saved from my internship and it makes me sick to think a criminal could go on a spending spree in Selfridges with it.”

“I’m not surprised,” said Ben Allum, a second-year. “There are always problems with these things and I hope they sort it out before someone runs off with my card.”

The researchers have contacted banks with their results. Stephen Murdoch, another member of the team, said that the system could be upgraded to ensure that such an attack could not be carried out for most transactions in the UK. However, a solution to completely remove the vulnerability remains unclear.