When HSBC customer Alex Gambin became a fraud victim on the Spanish island of Mallorca, the crime set off a series of events that have weakened confidence in the security of the much-touted European chip-and-PIN cash-card format.
Within an hour of being pickpocketed Gambin's credit card had been used for five ATM withdrawals despite the fact that the thieves had no way of knowing his personal identification number (PIN).
Gambin reached out to Mike Bond and the Computer Laboratory at the University of Cambridge to investigate. The researchers compared Gambin's case with similar ones and discovered a weak link in the chip-and-PIN system's authentication scheme.
Now chip and PIN technology, which had alleviated many of the security concerns associated with magnetic strip payments, is under renewed scrutiny itself, after a decade-long explosion that made it the most popular payment method in Asia and Europe. Over 1 billion chip and PIN cards are in use around the world. In France it has been credited with helping to reduce credit card crime by 80 percent.
Chip-and-PIN cash cards contain a computer chip with information that's read by an ATM or retail machine. The customer has to enter a PIN that matches the data on the chip to authenticate the transaction. Such cards are much more secure than the older magnetic-stripe cards.
The chip and PIN software stored inside point-of-sale machines and ATMs is supposed to create an unpredictable number (UN) to authenticate each transaction. But, as Bond explained, if the number can be predicted, criminals can "as good as clone the chip" in the card without actually cloning it.
For more than a decade, U.S. banks and credit-card issuers have resisted replacing American magnetic-stripe cards with chip-and-PIN cards, arguing that doing so would inconvenience customers
Bond and the other Cambridge researchers found that the UN-generating equipment in many popular machines isn't up to snuff. In some cases, the equipment creates the UNs by borrowing data from dates and timestamps, making the unpredictable numbers less unpredictable.
In what's called a "pre-play" attack, executed by infecting an ATM or point-of-sale machine with malware or some other method, criminals were able to predict these numbers, gain momentary access to Gambin's card's chip and "compute the authorization codes needed to draw cash from that ATM at some time in the future for which the value of the UN can be predicted," the report from the Cambridge Computer Laboratory said.
Cards with chips are still undoubtedly more secure than their magnetic counterparts, but they're not hack-proof. Banks have been downplaying that weakness, the Cambridge researchers warned.
For banks, the finding is a blow. Chip and PIN had ushered in an era of less bank fraud. A more secure way to pay meant fewer legitimate claims of fraud, and a decrease in reimbursements to customers who claimed to be fraud victims.
However, the chip and PIN system came under question in 2010, when researchers found that transactions could be executed without PINs.
In their paper, the Cambridge researchers asserted that, based on their conversations with bankers, "banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds."
Bond asserted that banks are aware of the problem but routinely “stonewall” customers-turned-victims because their transaction records show that the PIN was used.
A spokeswoman for Britain's Financial Fraud Action group told the BBC, "We've never claimed that chip and PIN is 100 percent secure."