Chip and Pin "Weakness" Exposed By Cambridge Researchers

another random user writes "A vulnerability in the widely used chip and pin payment system has been exposed by Cambridge University researchers. Cards were found to be open to a form of cloning, despite past assurances from banks that chip and pin could not be compromised. In a statement given to the BBC, a spokeswoman for the UK's Financial Fraud Action group said: 'We've never claimed that chip and pin is 100% secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud.'"

The problem is shifting liability

[nemesisrocks]

The problem with the claim Chip & Pin is more secure, is that the card processors (Visa, Mastercard) used it as a justification to shift liability from the Bank over to the Merchant.

With swiped transactions, when a customer disputes the transaction, the Merchant isn't automatically liable for the transation -- they only need to prove the customer actually made the purchase (e.g. producing the signed receipt). With Chip & Pin, the merchant is automatically assumed to be liable, according to the merchant agreement. There's very little a merchant can do to dispute the chargeback.

Re:Security by obscurity

[Solandri]

And arrogant people, (and companies, and banks), who crow about how secure their systems are, are just asking for it. Serves the fuckers right; but it's too bad that credit card holders are paying the price for their creditors' arrogance.

If it came out of the pockets of the credit card holders, it probably would've been fixed long ago. The problem is that the credit card companies have gamed it so that it comes out the pockets of the merchants. And no merchant can realistically refuse to accept credit cards if he's serious about running a business. The credit card companies have even managed to trick most card holders into thinking that they're doing the noble thing and paying for fraud, when in most cases it's the merchant who pays. After all, those high interest rates and annual fees have to be paying for something, not going straight into their pocket, right?

The analogy between labor and employers works here. Merchants need a union so they can negotiate on an even footing with the 3 credit card companies which control the vast majority of the electronic transaction market.

Re:Never trust security through obscurity

[Anonymous Coward]

> Can't do that with cash.

Are you serious. Scanning devices for bill's serial numbers are ubiquitous. The ATM knows who it gave the bills to, the cash register knows who it got the bills from and so on.

If you want to stay anonymous, pay everything with coins. Those are secure for now.

Re:Never trust security through obscurity

[Mithent]

Cash works here, but I'd rather use a card if the store accepts one, because it's more convenient for me. Cash involves trips to the ATM, bulking out my wallet with coins, and hopefully having appropriate denominations for the purchase at hand (a £20 note seems a bit much for a 60p purchase, while a collection of 10p and 5p pieces is going to be annoying if it's £5). If it gets stolen, it's essentially guaranteed lost, which means I shouldn't carry a lot of it at once, whereas if my card gets stolen, I can hopefully cancel it before it's used by the thief, which Chip and PIN makes more difficult. There are also additional protections [moneysavingexpert.com] afforded for purchases on credit cards, and my credit card offers 1% cashback. Yes, it would be stupid to run up credit card debt, but that's easy to avoid by paying the full balance each month.

I'll pay by cash if I have to, but I'd much rather pay by card, which means I always have the right amount to hand and I get nothing back but a receipt.