BBC Two Newsnight
Last Updated: Tuesday, 26 February 2008, 17:42 GMT
How secure is Chip and PIN?

By Susan Watts
BBC Newsnight, science editor

It's a nostalgic smell. Solder. Back in a sniff to the 10-year-old me - watching my dad "mend things".


This time, I'm staring at a couple of desks strewn with the machines familiar to shoppers everywhere. But these Chip and PIN machines are different: they've been prised open to reveal their insides.

Some have wires and oscilloscopes attached. It's electronic open heart surgery.

Almost as soon as Steven Murdoch and Saar Drimer start talking, the image in my mind's eye is of a similar room, perhaps a bit better equipped.

Similar figures hunched over similar desks. Not these two Cambridge researchers though, but the bad guys. They're just as bright, similarly educated, about the same age - but on the other side.


They're all trying to do the same thing - find the weak spots in the systems we use to carry out our financial lives, ever more hi-tech - ever more online.

The Cambridge team's approach is academic, and they don't have so much money to tackle each problem. But they know the other guys do.

They've seen photographs of desks just like theirs - in court - where they act as expert witnesses in a legal system struggling to keep up with ever more inventive forms of plastic card fraud.

They've seen at first hand that once the bad guys have decided to lie, they have so much more power to bribe their way to the equipment - the spare dummy and live terminals they need - to work out how to beat the system. Steven and Saar have to be smarter to find the weak spots, yet stay inside the law.

The Cambridge team is not best mates with the banking industry. In the UK, the people that run the banks don't much like to admit that their systems are anything but infallible.


Chip and PIN was supposed to help protect us all from card fraud. But Steven and Saar have found a number of ways that the criminally-minded could crack it - and extract your account number and PIN and all the details needed to create a cloned card.

Take that card abroad to countries where cash machines read only the magnetic strip on a card, key in the PIN - and criminals can have a field day getting cash out of your account. And that's a pattern in recent card fraud cases.

Transactions have been taking place on cards in countries as far flung as Canada, Australia, Malaysia, the Philippines and India.

We at Newsnight hooked up with the Cambridge duo as they honed their latest "attack" on a PIN terminal, their simplest to date. This was on a machine popular with UK retailers, the Ingenico i3300. But it was only theoretical.

We provided the Cambridge duo with a real merchant's terminal to see if it would work away from the lab bench, and it did. The pair was able to read off the account number and the PIN from a real credit card as it communicated with the Chip and PIN machine in a trial transaction.

Nightmare for customers

So what about the people who've had phantom cash withdrawals on their accounts, only to be told by their banks that they must have left their PINs lying around somewhere or given them to someone? Or worse, been part of the fraud themselves?

We spoke to Jane Badger, who earlier this month was acquitted by a judge who saw it her way and not her bank's.

She'd spotted cash withdrawals on her Egg credit card account she didn't recognise, and disputed them. She was accused of lying and found herself facing charges. Her life changed - she was suspended from her police force job and spent close to a year fighting her case.

She asked Professor Ross Anderson, who heads up the Cambridge team, to be her expert witness. The case collapsed, and Egg now says it was the police, not the bank, who decided to pursue her case, and that she failed to send them vital paperwork.

The importance of the Cambridge team's work is that if the machines are not totally secure, then perhaps more customers with experiences like that of Jane Badger are telling the truth.


At the very least, the onus is shifted to the banks to come up with the evidence to show that these people are lying, and it's not their own Chip and PIN systems that are at fault.

Professor Ross Anderson told us: "The attacks that we've shown have demonstrated that it's easy to get the PIN as well as the card data out of a chip and PIN terminal - and this means that simply holding your hand over the terminal is no good; in other words, the customer cannot defend himself or herself no matter how astute and careful they are - therefore surely the banks need to take responsibility."

So whose job is it to make sure that Chip and PIN is tougher to crack?

The Ingenico terminal that the Cambridge team tapped appears to be approved both under the Visa certification scheme and under the so-called Common Criteria scheme maintained, bizarrely, by part of GCHQ (Government Communications Headquarters).

The Cambridge team contacted Visa last November, and were available this week to clarify any questions Visa had. But Visa told us they could not comment further without seeing footage of the attack.

'Liability engineering'

In a statement Visa said: "We have seen no evidence from the Cambridge academic paper of anything we did not know or anything that presents a real-world threat to card security."

Ingenico told Newsnight: "The method identified by the Cambridge University paper requires specialist knowledge and has inherent technical difficulties. This method is therefore not reproducible on a large scale, nor does it take into account the fraud monitoring used throughout the industry."

GCHQ said the terminal isn't one of theirs. Yet for some reason the banking industry body, APACS, claims on its website that along with many other similar terminals, it is evaluated under Common Criteria, giving the impression that it has passed muster. Seems to be some dancing on pinheads here.

But perhaps our whole approach needs a shake-up. In America, customers are better protected. Here, consumers are more exposed than when we used to pay for things with our signature, or so Ross Anderson believes.

He calls it "liability engineering" - as soon as you accept paying with a PIN - or an online password - you take on the responsibility to keep those safe…

He helps out a lot of people who are having trouble persuading their banks or building societies that the withdrawals on their accounts were "phantoms".

More and more cases are going to the courts instead of ending up with the financial ombudsman - who in the past has tended to side with the banks, according to Professor Anderson.

His most recent case is likely to turn on whether the banks are prepared to produce crucial evidence which they have been reluctant to do in the past. All that solder may have brought us to a turning point.

Watch the report on Tuesday at 10.30pm on Newsnight or anytime on the Newsnight website.
