21 October 2017
Steven Murdoch - University College London

Reliability of Chip and PIN evidence in banking disputes

26 February 2010

It has now been two weeks since we published our paper “Chip and PIN is broken”. Here, we presented the no-PIN attack, which allows criminals to use a stolen Chip and PIN card, without having to know its PIN. The paper has triggered a considerable amount of discussion, on Light Blue Touchpaper, Finextra, and elsewhere.

One of the topics which has come up is the effect of the no-PIN vulnerability on the consideration of evidence in disputed card transactions. Importantly, we showed that a merchant till-receipt which shows “PIN verified” cannot be relied upon, because this message is printed when the attack we presented is executed, even though the wrong PIN was entered.

On this point, the spokesperson for the banking trade body, the UK Cards Association (formerly known as APACS) stated:

“Finally the issuer would not review a suspected fraud involving a PIN and make a decision based on the customer’s paper receipt stating that the transaction was “PIN verified”, as suggested by Cambridge.”

Unfortunately, card issuers do precisely this, as shown in a recent dispute between American Express and a customer over £9,500 worth of point-of-sale transactions. In their letter to the Financial Ombudsman Service, American Express presented the till receipt as the sole evidence that the PIN was correctly entered:

“We also requested at the time of this claim, supporting documents from [the merchant] and were provided a copy of the till receipts confirming these charges were verified with the PIN.”

The issue of evidence in disputed transaction cases is complex, and wider than questions raised by just the no-PIN attack. To help bring some clarity, I wrote an article, “Reliability of Chip & PIN evidence in banking disputes”, for the 2009 issue of the Digital Evidence and Electronic Signature Law Review, a law journal.

Read more at Light Blue Touchpaper...

Tags: Security, Risk & regulation
