Thursday 25 February 2010

Chip-and-PIN payment system "broken"

For those not familiar with the concept, a quick summary. "Chip-and-PIN", or EMV (Europay, MasterCard, Visa), is the use of smart cards, cards carrying a tamper-resistant chip, for debit and credit card payments. That is the "chip" part. The "PIN" is the four-digit code you enter to prove that you are authorised to use the card. (Some people give their card and PIN to family members, friends and so on, which is an entire discussion in itself.)

The system is in wide use in the United Kingdom and has become a vital part of everyday life, so any major security failure would be catastrophic. Professor Ross Anderson and his colleagues at Cambridge have published such an attack, or so they claim. Even Bruce Schneier thinks it is a big deal.

The attack is a man-in-the-middle. The basic concept is that the attacker places himself between two parties who wish to communicate, here the chip and the shop terminal, intercepts every message and alters the ones that serve his purpose. In this case the attacker's device answers the terminal's PIN check itself, telling the terminal the PIN was correct, while the card is never asked about the PIN at all.

I would advise you to watch the video demonstration that was aired on BBC Two, together with the accompanying article. Go on, watch it, I can wait.

So, having seen the video, here is why I think this is not the end of the world:

  1. You need someone else's card. Arguably it is easy to get one, but if somebody has stolen your card there are far worse things they can do than buy a bottle of water. A card can already be used without the PIN in several ways, over the phone or online for example, so physical possession alone gets a thief quite far.
  2. It does not work at ATMs, which check the PIN online: the PIN is encrypted at the keypad and verified by the bank, so a device that lies to the terminal about the PIN gains nothing there. In shops, however, the PIN is normally checked by the card itself (offline PIN), and that is exactly the step the man-in-the-middle fakes. The cryptogram the card sends to the bank is genuine; it merely records that the card did no PIN check, and the researchers' point is that the bank was not comparing that record against the terminal's "PIN verified" claim, so online authorisation on its own does not stop it.
  3. You need a specific hardware setup, like the one used in the demo. Of course one could get better at hiding the wire and at the actual "performance" of the attack, but no amount of practice lets you hand a merchant a card with a wire trailing out of it without raising suspicion.
  4. The hardware and software are non-trivial to build. The fake card, the wiring and the reader were custom made for the demo, and the control script (written in Python for the demo) has to speak the card protocol in real time. The kit is within reach of an organised gang, but it is not something an opportunistic thief picks up.
  5. If the card has been cancelled, the attack no longer works, because the bank still authorises the transaction. So again, because the attacker needs to steal your card, the window is the time between the theft and you reporting it and having the card cancelled.

So the moral of the story is: if your card is stolen, the thief can spend your money. Oh, wait, isn't that EXACTLY WHAT WE ALREADY KNEW? They now have a smarter way of doing it, but it still depends on the attacker physically having your card.
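
As an added illustration (not code from the original post or from the Cambridge team), here is a toy model of the exchange described above: a terminal that asks the card to verify the PIN and then requests a cryptogram, a wedge that answers the PIN check itself without forwarding it, and the comparison at the bank that would catch the resulting mismatch. The command names VERIFY and GENERATE AC and the 9000 "success" status word follow EMV and ISO 7816, but the messages are heavily simplified, the "MAC" is an unkeyed hash standing in for the card's keyed cryptogram, and the PIN, amount and record layouts are made up for the example.

```python
"""Toy model of the chip-and-PIN man-in-the-middle.

Added example, not the researchers' code. Command names (VERIFY, GENERATE AC)
and the 0x9000 "success" status follow EMV / ISO 7816; everything else is a
simplification: the card's cryptogram is stood in for by an unkeyed hash, and
the PIN, amount and record layouts are made up for this example.
"""
import hashlib
import json
from dataclasses import dataclass, field

SW_OK = 0x9000          # ISO 7816: command succeeded
SW_PIN_WRONG = 0x63C2   # EMV: wrong PIN, 2 tries left (63Cx encoding)
SW_NOT_SUPPORTED = 0x6D00


def toy_mac(record):
    """Stand-in for the card's keyed cryptogram over what *it* believes happened."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()[:16]


@dataclass
class Card:
    pin: str
    pin_verified: bool = False                       # the card's own record of the PIN check
    transcript: list = field(default_factory=list)   # commands the card actually received

    def handle(self, cmd, data=None):
        self.transcript.append(cmd)
        if cmd == "VERIFY":
            if data == self.pin:
                self.pin_verified = True
                return SW_OK, None
            return SW_PIN_WRONG, None
        if cmd == "GENERATE_AC":
            # The card signs its own view: the amount and whether *it* checked a PIN.
            record = {"amount": data, "cvr": {"pin_verified_by_card": self.pin_verified}}
            return SW_OK, {"record": record, "mac": toy_mac(record)}
        return SW_NOT_SUPPORTED, None


def direct(card):
    """Honest channel: the terminal talks straight to the card."""
    return card.handle


def mitm(card):
    """Attacker's wedge between terminal and card: swallow VERIFY, claim success,
    and pass everything else through unchanged so the cryptogram stays genuine."""
    def channel(cmd, data=None):
        if cmd == "VERIFY":
            return SW_OK, None      # never forwarded; the card never sees a PIN
        return card.handle(cmd, data)
    return channel


def terminal_transaction(channel, pin_entered, amount):
    """Terminal side: ask for PIN verification, then a cryptogram.
    Returns the authorisation request it would send to the bank."""
    sw, _ = channel("VERIFY", pin_entered)
    if sw != SW_OK:
        return {"approved_locally": False}
    sw, ac = channel("GENERATE_AC", amount)
    return {
        "approved_locally": True,
        "cvmr_pin_verified": True,          # terminal's claim: "PIN was verified"
        "record": ac["record"],             # card's claim, covered by the cryptogram
        "mac": ac["mac"],
    }


def issuer_check(auth, cross_check=True):
    """Bank side. With cross_check=False it only validates the cryptogram, which is
    the behaviour the attack relies on; with cross_check=True it also compares the
    terminal's PIN claim against the card's own record."""
    if not auth.get("approved_locally"):
        return "declined"
    if toy_mac(auth["record"]) != auth["mac"]:
        return "declined: bad cryptogram"
    if cross_check and auth["cvmr_pin_verified"] and not auth["record"]["cvr"]["pin_verified_by_card"]:
        return "declined: terminal says PIN verified, card says no PIN check"
    return "approved"


def demo():
    """Honest, wrong-PIN and attacked transactions; returns the bank's verdicts."""
    honest = terminal_transaction(direct(Card("1234")), "1234", 500)
    wrong = terminal_transaction(direct(Card("1234")), "0000", 500)
    victim = Card("1234")
    attacked = terminal_transaction(mitm(victim), "0000", 500)   # thief types any PIN
    return {
        "honest": issuer_check(honest),
        "wrong_pin": issuer_check(wrong),
        "attack_naive_bank": issuer_check(attacked, cross_check=False),
        "attack_checking_bank": issuer_check(attacked),
        "card_ever_saw_verify": "VERIFY" in victim.transcript,
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The "approved" verdict from the naive bank is the whole attack in one line: the cryptogram is perfectly genuine, so nothing fails unless somebody compares the terminal's account of the PIN check with the card's. The checking bank shows the kind of consistency check that closes the hole without touching the card or the terminal.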

Agreed, this is a technical flaw and indeed a security hole, at least from a theoretical point of view. Practically speaking it works on any stolen card (doing it to your own card is possible but pointless), but there are worse things a thief could do with it. As a consumer, if my card is stolen I personally don't care how my money was taken, just that I get it back. The one catch is that the bank's records for such a transaction show a PIN-verified purchase, and that is exactly the evidence banks rely on when they refuse a refund, so the "how" may matter for getting the money back after all. So, taking a slightly pragmatic viewpoint, I would say this is an issue, but nothing to lose sleep over, unless you have already lost your credit or debit card.
