'Chip and PIN' Busted!

It was literally the night before this article came out that my friends and I were discussing the effects of the transition from mag stripe credit cards to the infamous and highly touted chip cards.

My friends (a bunch of brilliant code monkeys--commonly referred to as geeks... although one would rather think of himself as a rapping gangster...) touted the high degree of encryption and the exponentially greater amount of data able to be stored on the chip.

"Impervious due to its new encryption?" questioned one.

"But of course, nothing is forever secure," remarked the other. "Eventually someone will break it." But how.... If the encryption was so strong?

Much like Houdini, or the spies of the Cold War, the answer was there in front of us the whole time.... We just couldn't see it.

That is, we were focusing on the strength of the encryption while someone else took advantage of a split-second transmission of data off the chip--whether or not to verify the transaction via PIN.

Check out the rest of the article to learn how Python was used to hack 'Chip and PIN'.

SECURITY THREATS TOOLKIT: Chip and PIN is broken, say researchers

ZDNet - February 11, 2010, 17:01 GMT

Chip-and-PIN readers can be tricked into accepting transactions without a valid personal identification number, opening the door to fraud, researchers have found.

Researchers at Cambridge University have found a fundamental flaw in the EMV -- Europay, MasterCard, Visa -- protocol that underlies chip-and-PIN validation for debit and credit cards.

As a consequence, a device can be created to modify and intercept communications between a card and a point-of-sale terminal, and fool the terminal into accepting that a PIN verification has succeeded.

"Chip and PIN is fundamentally broken," Professor Ross Anderson of Cambridge University told ZDNet UK. "Banks and merchants rely on the words 'Verified by PIN' on receipts, but they don't mean anything."

The researchers conducted an attack that succeeded in tricking a card reader into authenticating a transaction, even though no valid PIN was entered. In a later test, they managed to authenticate transactions, without the correct PIN, with valid cards from six different card issuers. Those issuers were Barclaycard, Co-operative Bank, Halifax, Bank of Scotland, HSBC and John Lewis.

Continue to the rest of the ZDNet article.

FraudBlog.net