Of Special Interest
14th September 2012
POS equipment can allow chip-and-PIN security fraud
Researchers at the University of Cambridge have discovered a way to make fraudulent transactions with EMV card accounts. The banks admit this is theoretically possible but argue they have no proof it has ever happened. There are, however, a number of customers who have been forced to settle payments they insist they did not make, and who believe this fraud method must have been used.
The problem lies not in the card but in the POS devices used. Each transaction requires the POS device to generate a random transaction number, which is used to make the transaction identification unique. The problem found is that many POS devices do not make these transaction numbers truly random. This can allow a fraudster to submit a transaction and have it accepted. The fraudster may be able to do this remotely if the retailer's hardware has been compromised by a virus or trojan. It is reported that under the original protocol idea the random transaction numbers would be generated by the bank. They say the banks chose to allow the POS terminal to generate this number because it was a cheaper solution.
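As an added example (not code from the researchers or from this article), here is a defender-side audit of the transaction numbers one terminal has logged, flagging repeats, bits that never change and counter-like steps. The 32-bit width, the thresholds and both sample logs are assumptions constructed for illustration.

```python
import hashlib

BITS = 32                 # assumed width of the terminal-generated number
MASK = (1 << BITS) - 1
MIN_SAMPLES = 16          # assumed minimum; fewer samples give no useful signal


def audit(numbers):
    """Count three signs of a weak generator in one terminal's logged numbers."""
    if len(numbers) < MIN_SAMPLES:
        raise ValueError("need at least %d samples" % MIN_SAMPLES)
    repeats = len(numbers) - len(set(numbers))

    # A bit is stuck if it holds the same value in every sample.
    always_one, ever_one = MASK, 0
    for n in numbers:
        always_one &= n
        ever_one |= n
    stuck_bits = bin(always_one | (~ever_one & MASK)).count("1")

    # Counter-like output: neighbours differ by a small step, modulo 2**BITS.
    small_steps = 0
    for a, b in zip(numbers, numbers[1:]):
        step = (b - a) & MASK
        if min(step, MASK + 1 - step) < (1 << (BITS // 2)):
            small_steps += 1
    return {"repeats": repeats, "stuck_bits": stuck_bits, "small_steps": small_steps}


def looks_predictable(numbers):
    """True if any sign appears that a sound random source would almost never show."""
    r = audit(numbers)
    return bool(r["repeats"] or r["stuck_bits"]
                or r["small_steps"] > len(numbers) // 4)


# Constructed sample logs, not real terminal data.
WEAK_LOG = [(0x5A3C0000 + 7 * i) & MASK for i in range(32)]      # fixed prefix + counter
STRONG_LOG = [int.from_bytes(hashlib.sha256(bytes([i])).digest()[:4], "big")
              for i in range(32)]                                # stand-in for good output

if __name__ == "__main__":
    for name, log in (("weak", WEAK_LOG), ("strong", STRONG_LOG)):
        print(name, audit(log), "predictable:", looks_predictable(log))
```

With logs of tens of thousands of numbers, occasional repeats are expected even from a sound generator, so the repeat check only suits short samples.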