University of Cambridge discovers Chip and PIN verification “wedge” vulnerability

Students at the University of Cambridge have discovered a new flaw, exploitable with a man-in-the-middle (MITM) attack, that deceives a terminal into thinking that a card’s PIN is correct regardless of what number is entered for the PIN.

The attack uses an electronic device as a “man-in-the-middle” in order to prevent the PIN verification message from getting to the card, and to always respond that the PIN is correct. Thus, the terminal thinks that the PIN was entered correctly, and the card assumes that a signature was used to authenticate the transaction.
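The disagreement described above, modelled as an added example (not code from the original article or from the Cambridge researchers): a toy card, terminal and interposed device, plus an issuer-side check that compares what the terminal reports with what the card recorded. All class, function and field names are hypothetical, the PIN is a constructed sample value, and the premise that both views reach the issuer is an assumption of this sketch.

```python
from dataclasses import dataclass


@dataclass
class Card:
    """Toy card: remembers whether it ever verified a PIN itself."""
    pin: str
    pin_verified: bool = False

    def verify_pin(self, candidate: str) -> bool:
        self.pin_verified = candidate == self.pin
        return self.pin_verified

    def report(self) -> dict:
        # The card's own view of the transaction (hypothetical field name).
        return {"card_pin_verified": self.pin_verified}


class DirectChannel:
    """Terminal talks straight to the card."""
    def __init__(self, card: Card):
        self.card = card

    def verify_pin(self, candidate: str) -> bool:
        return self.card.verify_pin(candidate)


class WedgeChannel(DirectChannel):
    """Interposed device: the request never reaches the card, the answer is always 'correct'."""
    def verify_pin(self, candidate: str) -> bool:
        return True


def terminal_transaction(channel: DirectChannel, entered_pin: str) -> dict:
    # The terminal only knows what came back over the channel.
    return {"terminal_says_pin_verified": channel.verify_pin(entered_pin)}


def issuer_consistency_check(terminal_view: dict, card_view: dict) -> bool:
    """Accept only if terminal and card agree on whether the PIN was verified."""
    return terminal_view["terminal_says_pin_verified"] == card_view["card_pin_verified"]


def run(channel_cls, entered_pin: str, real_pin: str = "4929"):
    """Run one toy transaction; returns (terminal view, card view, views agree?)."""
    card = Card(pin=real_pin)  # constructed sample PIN
    terminal_view = terminal_transaction(channel_cls(card), entered_pin)
    card_view = card.report()
    return terminal_view, card_view, issuer_consistency_check(terminal_view, card_view)
```

With the interposed channel and a wrong PIN, the terminal view says the PIN was verified while the card view says it was not, and that disagreement is what the check flags.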

“We think this is one of the biggest flaws that we’ve uncovered – that has ever been uncovered – against payment systems, and I’ve been in this business for 25 years,” said Professor Ross Anderson from the school’s Computer Laboratory.

More details are available at the University of Cambridge Computer Laboratory Security Group website.