Chip and Pin "Weakness" Exposed By Cambridge Researchers 133
another random user writes "A vulnerability in the widely used chip and pin payment system has been exposed by Cambridge University researchers. Cards were found to be open to a form of cloning, despite past assurances from banks that chip and pin could not be compromised. In a statement given to the BBC, a spokeswoman for the UK's Financial Fraud Action group said: 'We've never claimed that chip and pin is 100% secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud.'"
The problem is shifting liability (Score:5, Interesting)
The problem with the claim Chip & Pin is more secure, is that the card processors (Visa, Mastercard) used it as a justification to shift liability from the Bank over to the Merchant.
With swiped transactions, when a customer disputes the transaction, the Merchant isn't automatically liable for the transation -- they only need to prove the customer actually made the purchase (e.g. producing the signed receipt). With Chip & Pin, the merchant is automatically assumed to be liable, according to the merchant agreement. There's very little a merchant can do to dispute the chargeback.
Re:Security by obscurity (Score:5, Interesting)
If it came out of the pockets of the credit card holders, it probably would've been fixed long ago. The problem is that the credit card companies have gamed it so that it comes out the pockets of the merchants. And no merchant can realistically refuse to accept credit cards if he's serious about running a business. The credit card companies have even managed to trick most card holders into thinking that they're doing the noble thing and paying for fraud, when in most cases it's the merchant who pays. After all, those high interest rates and annual fees have to be paying for something, not going straight into their pocket, right?
The analogy between labor and employers works here. Merchants need a union so they can negotiate on an even footing with the 3 credit card companies which control the vast majority of the electronic transaction market.
Re:Never trust security through obscurity (Score:1, Interesting)
> Can't do that with cash.
Are you serious. Scanning devices for bill's serial numbers are ubiquitous. The ATM knows who it gave the bills to, the cash register knows who it got the bills from and so on.
If you want to stay anonymous, pay everything with coins. Those are secure for now.
Re:Never trust security through obscurity (Score:4, Interesting)
I'll pay by cash if I have to, but I'd much rather pay by card, which means I always have the right amount to hand and I get nothing back but a receipt.