Cambridge University's Professor Ross Anderson said that the chip
and PIN programme, which allows shoppers to verify purchases at point of
sale by keying in a four-digit PIN, would make it easier for
fraudsters to copy the information on the cards.

"First, the banks are using the exercise to dump liability for
fraud on to merchants and customers," wrote Professor Anderson in
his blog. "This will undermine security by removing the incentives
for banks to maintain the system properly. Next, there are
technical security problems, both with the chip cards and with the
back-end systems that support them."

Professor Anderson was also concerned about the transition from
the use of a magnetic strip to a chip.

"The banks are training their customers to use PINs everywhere,
so rogue merchants can use false terminals to harvest PIN and
mag-strip data – cloned cards can then be used in ATMs overseas,"
he said. "This is a regulatory failure; the government must hold
banks liable for their system security failures."

Speaking to the BBC, Sandra Quinn, UK spokesperson for chip and
PIN, denied that this was likely to happen.

"We don't think they can use fake machines because the machines
themselves are engineered to read the chip so they must be reading
the chip very carefully," she said. "That makes the transaction
itself extremely secure."

According to the latest figures from chip and PIN, 85% of UK
retailers are now ready for the new system, with over 75% of
cardholders having at least one new chip and PIN debit or credit
card in their wallets.