Feeds

Industry groups leap to Chip and PIN's defence

Despite research showing signs of terminal weakness

5 things you didn’t know about cloud backup

“Cambridge University computer scientists’ discovery of a way to carry out transactions without knowing a card's PIN has hit the headlines; however consumers should not lose faith in credit card security," Brunswick said. "Chip and PIN is by far and away the most secure way of protecting payment transactions currently available."

Brunswick acknowledged that the Cambridge's team research "could be an important input to future revisions of card security technologies”, while arguing that the bigger problem is slow adoption in some parts of the world of improved payment security technologies such as Chip and PIN.

“No security system can claim to be completely bulletproof - there is always a three-way trade off between cost, ease of use and security and the industry is constantly looking for improvements. Consequently, the aim of security systems is not to make security unbreakable but to make it unprofitable for criminals to attempt to break it. The benefits of Chip and PIN are proven. Once the UK adopted Chip and PIN in 2003, losses on UK high street transactions reduced by 55 per cent by 2008. However, not all countries have followed suit and the US, for example, still uses magnetic stripe cards with signature verification."

"Verification by signature remains an option even for EMV cards, and it is the availability of this weaker security that has been exploited by the attack highlighted by Cambridge University", he added.

Change up

Gareth Wokes, chairman of secure payment specialist The Logic Group, struck a more combative pose, describing the Cambridge research as "alarmist" and "missing the point".

The Logic Group handles transactions across more than 250,000 points of sale (PoS) in the UK, the type of payment the Cambridge researchers argue has been left in the firing line of man-in-the-middle attacks. Wokes is dismissive of such concerns, arguing that banks and the payment industry have invested millions to fight fraud.

“I find the tone of this dumbed-down research alarmist. Fraudsters are always pushing the barriers and trying to find new ways to navigate security measures; it is not a static situation. And just as the fraudsters continue to innovate so too does the payment industry, which invests vast sums of money in continuous improvements to card payment security", Wokes said.

Wokes took particular exception to "Professor Anderson’s claim that the banks will have to re-write the software around the entire chip and PIN system also misses the point – they are constantly improving card payment security and will continue to do so as long as card fraud exists," Wokes said. "To position this as an overall failure of chip and PIN is also misleading and counter-productive to the industry’s efforts against fraud.

"A year after Chip and PIN was introduced, card fraud dropped by 48 per cent. The issue is that fraudsters then moved on to e-commerce fraud (where chip and PIN is irrelevant), which is why fraud figures subsequently began to increase again. It’s a constant battle to close down loopholes and the rules of engagement change month to month and even day to day," Wokes said. He cited the PCI DSS payment card industry standard for merchants as an example of industry efforts to improve transaction security.

Steven Murdoch, one of the four Cambridge University researchers who carried out the study, told El Reg that probably the best way of fixing the flaw in the credit card transaction process his team has identified would involve changing bank back-end systems.

"To fix this particular vulnerability, there does need to be a software change. It may only have to be at the banks, but it is possible that the terminals and/or cards would need to be upgraded too. We suggested a number of potential fixes in our paper, but have not heard which ones the banks are actually going to do," Murdoch explained.

Hairball

The security researcher added that the security hole the Cambridge team has identified stems from the complex web of payment transaction and bank authorisation technologies that badly need untangling even before they are strengthened.

"The more general point we are making is that this flaw has existed for over ten years, and nobody has spotted it (unless criminals have done so, but kept it quiet). The main reason is that Chip & PIN is incredibly complicated, with thousands of pages of vague, ambiguous, and incomplete specifications," Murdoch explained.

The essential guide to IT transformation

Next page: Sign of the times

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?