Security Flaw Discovered in Chip-and-PIN Cards
Just when consumers thought their credit cards would be more secure, new research from Newcastle University uncovered a security flaw in chip-and-PIN cards that could lead to a $1 million unauthorized transaction.
The issue comes from the contactless function in the credit card system used in the United Kingdom. The system does not recognize transactions made in currencies from other countries, so it can be tricked into approving any transaction up to $999,999.99 in value. Transactions made in other currencies do not require a PIN for approval. At a retail outlet where foreign currencies are regularly used, a thief could make countless fraudulent transactions.
The contactless system also allows criminals to pull data from the cards without actually swiping them.
“With just a mobile phone we created a POS terminal that could read a card through a wallet,” Martin Emms, lead researcher of the project, said in a statement. “All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions. By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction.”
The researchers presented their findings last week at the ACM Conference on Computer and Communications Security in Arizona.
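The currency-dependent limit check described above can be modelled in a few lines, next to a rule that fails closed. This Python sketch is an added example, not code from the researchers or from any card specification; the home-currency code, the limit value, the decision names and the fail-closed rule are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumptions for this illustration, not taken from the article:
HOME_CURRENCY = 826                      # ISO 4217 numeric code for GBP
NO_PIN_LIMIT = Decimal("20.00")          # constructed contactless limit

@dataclass(frozen=True)
class ContactlessRequest:
    amount: Decimal
    currency: int                        # ISO 4217 numeric code
    pin_verified: bool

def flawed_card_rule(req: ContactlessRequest) -> str:
    """Behaviour the article describes: the limit is only applied when the
    currency is the one the card recognises, so anything else passes."""
    if req.currency == HOME_CURRENCY and req.amount > NO_PIN_LIMIT:
        return "APPROVE" if req.pin_verified else "REQUIRE_PIN"
    return "APPROVE"

def hardened_rule(req: ContactlessRequest) -> str:
    """Fail closed: without a verified PIN, approve only small amounts in
    the home currency; an unrecognised currency is never a free pass."""
    if req.pin_verified:
        return "APPROVE"
    if req.currency != HOME_CURRENCY or req.amount > NO_PIN_LIMIT:
        return "REQUIRE_PIN"
    return "APPROVE"

def rule_gaps(requests):
    """Return the requests the flawed rule approves but the hardened rule
    would stop, i.e. the records worth reviewing in an audit."""
    return [r for r in requests
            if flawed_card_rule(r) == "APPROVE"
            and hardened_rule(r) != "APPROVE"]

# Constructed sample requests (840 is the ISO 4217 code for USD).
SAMPLES = [
    ContactlessRequest(Decimal("15.00"), 826, False),
    ContactlessRequest(Decimal("45.00"), 826, False),
    ContactlessRequest(Decimal("999999.99"), 840, False),
    ContactlessRequest(Decimal("45.00"), 826, True),
]

if __name__ == "__main__":
    for r in rule_gaps(SAMPLES):
        print("approved without PIN:", r)
```
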