It was literally the night before this article came out that my friends and I were discussing the effects of the transitions from mag stripe credit cards to the infamous and highly touted chip cards.

My friends (a bunch of brilliant code monkeys--commonly referred to as geeks... although one would rather think of himself as a rapping gangster...) touted the high degree of encryption and the exponentially greater amount of data able to be stored on the chip.

Impervious due to its new encryption?, questioned one.

But of course, nothing is forever secure, remarked the other. Eventually someone will break it. But how.... If the encryption was so strong?

Much like Houdini, or the spies of the Cold War, the answer was there in front of us the whole time.... We just couldn't see it.

That is, we were focusing on the strength of the encryption while someone else took advantage of a split-second transmission of data off the chip--whether or not to verify the transaction via PIN.

Check out the rest of the article to learn how Python was used to hack 'Chip and PIN'.

SECURITY THREATS TOOLKIT: Chip and PIN is broken, say researchers
ZDNet - February 11, 2010, 17:01 GMT
Chip-and-PIN readers can be tricked into accepting transactions without a valid personal identification number, opening the door to fraud, researchers have found.
Researchers at Cambridge University have found a fundamental flaw in the EMV -- Europay, MasterCard, Visa -- protocol that underlies chip-and-PIN validation for debit and credit cards.

As a consequence, a device can be created to modify and intercept communications between a card and a point-of-sale terminal, and fool the terminal into accepting that a PIN verification has succeeded.

"Chip and PIN is fundamentally broken," Professor Ross Anderson of Cambridge University told ZDNet UK. "Banks and merchants rely on the words 'Verified by PIN' on receipts, but they don't mean anything."

The researchers conducted an attack that succeeded in tricking a card reader into authenticating a transaction, even though no valid PIN was entered. In a later test, they managed to authenticate transactions, without the correct PIN, with valid cards from six different card issuers. Those issuers were Barclaycard, Co-operative Bank, Halifax, Bank of Scotland, HSBC and John Lewis.

Continue to the rest of the ZDNet article.

Well, here we are in 2010 and look at all the interesting things going on.

Of course, when it seems like so many things are happening at once, whether the headlines scream of natural disasters, fiscal policy changes or credit card reform, such chaos can make way for opportunistic fraud.

To stay on top of the trends and for split second Canadian and International FraudInfo, stay tuned to FraudBlog on twitter with daily tweets.

Happy Investigating!

To all you naysayers out there that hate the thought of being watched by security cameras (hey, they're not watching you.... they're watching the shoplifters!), check out the video below of someone on their way to the gym in Thornhill.

As Torontoist so delicately put it: "It is actually possible to drive guiltily. Somewhere between R, D, and N on that SUV's gearshift is a little notch marked: "OH SHI-."

This video is hilarious (no one was hurt) and draws attention to how useful CCTV footage can be in a criminal or fraud investigation.

Of course, we haven't yet mastered the CSI method depicted below. (read images L->R)

Props to Le Freak for the hilarious CSI link. You know my frustrations too well!