Researchers at Cambridge University are criticizing banks for failing to take action on a vulnerability affecting the popular "chip and pin" authentication method used by over a billion credit cards. The system is designed to offer increased security over alternatives like magnetic stripes — which remain commonplace in the US — but inconsistent equipment has led to fraudsters compromising what's supposed to be an "unpredictable" number attached to each transaction. As it turns out, that number can become all too predictable when ringing purchases through vulnerable point-of-sale devices or ATMs, which sometimes include dates or timestamps in the figure.
Are banks taking the threat seriously?
That allows cunning thieves to clone your personal chip in only minutes, a tactic known as a "pre-play attack." Should they decide to wreak havoc on a victim's savings account, resolving said incident with banks has often proven difficult. The team of researchers said financial regulators haven't done enough to ensure banks are following proper protocol. "Just like most vulnerabilities we find these days some in industry already knew about it but covered it up; we have indications the crooks know about this too," says a blog post on the subject. They cite numerous cases that cost fraud victims thousands of dollars — even when these people had never written down their PIN or done anything else to put their finances at risk.
"...there is absolutely no evidence of this complicated fraud being undertaken in the real world."
Banks hold firm in the belief that attacks against "chip and pin" are too complex to pose a serious threat, telling the BBC that such hacks require multiple steps that expose the perpetrators to getting caught. "We've never claimed that chip and pin is 100-percent secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud," said the UK's Financial Fraud Action Group. Still, if nothing else, it makes for a good reason to skim over those bank statements on a regular basis.
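The weakness described above, an "unpredictable" number that embeds a date, timestamp or counter, is something a bank or terminal operator can test for in logged transactions. The following is an added example, not code from the researchers or the article; the 32-bit width, the function name `audit_numbers`, the thresholds and both sample sets are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter

WIDTH = 32  # assumed size of the per-transaction number, in bits


def audit_numbers(samples, width=WIDTH):
    """Flag predictability in numbers logged, in order, from one terminal."""
    if len(samples) < 8:
        raise ValueError("need at least 8 samples to say anything useful")
    mask = (1 << width) - 1
    seen_one, seen_zero = 0, 0
    for s in samples:
        seen_one |= s
        seen_zero |= ~s & mask
    # A bit is "fixed" if it was never observed as both 0 and 1.
    fixed_bits = width - bin(seen_one & seen_zero).count("1")
    # Small positive steps between consecutive values suggest a clock or counter.
    deltas = [(b - a) & mask for a, b in zip(samples, samples[1:])]
    sequential = sum(1 for d in deltas if 0 < d < (1 << (width // 2)))
    report = {
        "fixed_bits": fixed_bits,
        "sequential_fraction": sequential / len(deltas),
        "repeats": len(samples) - len(set(samples)),
        "most_common_step": Counter(deltas).most_common(1)[0],
    }
    report["predictable"] = (
        report["fixed_bits"] >= width // 2
        or report["sequential_fraction"] >= 0.5
        or report["repeats"] > 0
    )
    return report


# Constructed sample: constant upper half (date-like) plus a ticking lower half.
WEAK = [0x14090000 | (36000 + 37 * i) for i in range(16)]
# Constructed sample standing in for a terminal with a sound random source.
STRONG = [
    int.from_bytes(hashlib.sha256(b"constructed-%d" % i).digest()[:4], "big")
    for i in range(16)
]

if __name__ == "__main__":
    for name, data in (("weak", WEAK), ("strong", STRONG)):
        print(name, audit_numbers(data))
```

A terminal whose values trip any of the three checks is a candidate for replacement or a firmware fix; passing them does not prove the source is sound, only that these simple patterns are absent.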