Chip and PIN could increase violent theft
Posted on 2 Mar 2009 at 12:00
Cambridge University's Computer Laboratory has claimed that the card readers used for online banking are insecure and could lead to an increase in violent attacks. A research paper by the laboratory exposes weaknesses in the Chip Authentication Programme (CAP) that leave consumers open to fraud and, more worryingly, to a higher risk of physical attack.
The threat of violence comes from the way criminals can use the handheld CAP card readers that NatWest and Barclays provide with their online banking services. In normal use the customer puts their bank card into the reader, types in their PIN and receives a one-time code that has to be entered into the online banking website. However, the reader also tells the user when a wrong PIN has been entered, so anyone holding a card and a reader has an offline way of checking whether a PIN is correct.
Armed with this, a mugger could march a victim to a secluded area, physically assault them to get their PIN, and verify it on the spot with a handheld reader. Getting verification this way removes the mugger's need to test the PIN at a cash machine, where security cameras are common. The technique only works with CAP-enabled bank cards, but many banks are beginning to issue them, including those that don't currently supply CAP readers.
"The two banks that have flooded the UK with CAP readers have thereby placed not only their own customers in harm's way, but have also endangered the customers of other banks who have enabled their debit cards for CAP," said the research paper. "It remains to be seen whether customers will be able to demand cards that are not CAP-enabled and thus do not put them at needless physical risk."
A further risk comes from the fact that the banks tell their customers to carry their CAP readers around with them. With repeated use, the keys pressed when entering the PIN become worn. A thief who examines a victim's reader can work out which digits make up the PIN from the worn keys, and then guess the order, using the reader to check each guess.
"If the PIN has 4 distinct digits this leaves 24 different orderings; this increases the chance of an attacker guessing the correct PIN in three attempts from 1 in 3333 to 1 in 8," said the paper. "If a customer has multiple cards with the same PIN, the attacker has even better odds."
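The arithmetic in the quoted passage, worked through as an added example (this is not code from the Cambridge paper or from the article). It enumerates the PINs consistent with a set of worn keys, so it also covers the cases the quote leaves out: fewer than four worn keys means a repeated digit, which gives 14 candidates for two worn keys and 36 for three rather than 24. It assumes a 4-digit PIN, that the reader reports a wrong PIN, that the card locks after three wrong guesses (the three attempts the quote uses), and that each extra card sharing the PIN gives the attacker three more guesses at the same candidate set; the `WornReader` class is a constructed stand-in for a stolen card in a reader.

```python
"""Worn-keypad PIN guessing against a reader that reveals wrong PINs."""
import itertools
from fractions import Fraction

PIN_LENGTH = 4
MAX_TRIES = 3            # assumed: wrong guesses before the card locks
ALL_PINS = 10 ** PIN_LENGTH


def candidate_pins(worn_keys):
    """Every PIN whose set of digits is exactly the worn keys.

    Fewer than four worn keys means some digit is repeated, so sequences
    with repeats are enumerated too (two worn keys give 14 candidates).
    """
    worn = set(worn_keys)
    return ["".join(p)
            for p in itertools.product(sorted(worn), repeat=PIN_LENGTH)
            if set(p) == worn]


def success_probability(num_candidates, attempts=MAX_TRIES):
    """Chance of a hit when `attempts` distinct guesses are drawn from
    `num_candidates` equally likely PINs (capped at certainty)."""
    return Fraction(min(attempts, num_candidates), num_candidates)


def odds_with_shared_pin(worn_keys, cards, attempts_per_card=MAX_TRIES):
    """Assumed model for 'even better odds': each card carrying the same
    PIN has its own retry counter, so the attacker gets
    attempts_per_card * cards guesses at one candidate set."""
    return success_probability(len(candidate_pins(worn_keys)),
                               attempts_per_card * cards)


class WornReader:
    """Constructed stand-in for a stolen card in a CAP reader: it answers
    whether a PIN is right and locks after MAX_TRIES wrong answers."""

    def __init__(self, pin):
        self._pin = pin
        self.tries_left = MAX_TRIES
        self.locked = False

    def verify(self, guess):
        if self.locked:
            raise RuntimeError("card locked")
        if guess == self._pin:
            return True
        self.tries_left -= 1
        if self.tries_left == 0:
            self.locked = True
        return False


def brute_force(reader, worn_keys):
    """Try candidates in order until the reader confirms one or the card
    locks. Returns (recovered_pin_or_None, attempts_used)."""
    attempts = 0
    for guess in candidate_pins(worn_keys):
        if reader.locked:
            break
        attempts += 1
        if reader.verify(guess):
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    print("no wear:    ", success_probability(ALL_PINS))   # 3/10000, about 1 in 3333
    for keys in ("7", "12", "123", "1234"):
        n = len(candidate_pins(keys))
        print(f"{len(keys)} worn key(s): {n:2d} candidates, "
              f"p(hit in {MAX_TRIES}) = {success_probability(n)}")
    print("two cards, same PIN:", odds_with_shared_pin("1234", 2))
    print("brute force:", brute_force(WornReader("1243"), "1234"))
```

The `1 in 3333` and `1 in 8` figures fall out as 3/10000 and 3/24. Note that the worn-key attack is strictly better than the quote suggests when only two or three keys are worn, since the candidate set is then drawn from 14 or 36 PINs rather than 10,000, and that a second card with the same PIN doubles the attacker's guesses against the same small set.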
The paper also highlights several other flaws in CAP, including the ability of criminals to use modified readers to capture one-time codes and, within the short period for which those codes remain valid, use them to authorise fraudulent transactions.
Author: David Ludlow