Chip-PIN defense is 'broken,' say researchers
A flaw in the protocol underlying chip-and-PIN transactions allows an attacker to push through a purchase without a valid PIN.
Chip-and-PIN readers can be tricked into accepting transactions without a valid personal identification number, opening the door to fraud, researchers have found.
Researchers at Cambridge University have found a fundamental flaw (PDF) in the EMV (Europay, MasterCard, Visa) protocol that underlies chip-and-PIN validation for debit and credit cards.
As a consequence, a device can be created to intercept and modify communications between a card and a point-of-sale terminal, fooling the terminal into accepting that PIN verification has succeeded.
Read more of "Chip and PIN is broken, say researchers" at ZDNet UK.