Chips in bank cards vulnerable to attack
Jan 17th, 2008 | By Leslie Poston | Category: Technology news
The UK moved to chip-and-PIN bank cards a while back, and since the switch banks have used the chips and PINs in the cards as grounds to turn down customers' fraud complaints. The banks have claimed that the cards cannot be duplicated or compromised in a way that would enable fraud. That claim has recently been shown to be false, with one group claiming that only “Martians” could avoid fraud problems with the cards.
The group from Cambridge University gave a presentation in Germany recently showing that the claim that the cards are completely safe from duplication or hacking is untrue. In fact, the group demonstrated that the cards do not need to be duplicated to be compromised, a finding that has put the banks' hackles up after months of publicity about the cards' security and of refusing customers' claims for compensation for fraudulent charges.
“The banks have made grand claims of security [about chip and PIN]. It was said to be a safer way to pay but when you speak to the banks as a victim of fraud, they say there is no way to clone the chip and PIN card,” said Murdoch.
“What I’m going to show is that you don’t need to clone it in order to attack the system,” he said.
The cards were slated to arrive in Australia in the next year, and the Cambridge findings may have thrown a wrench into the rollout. So how are the cards vulnerable? Through compromised terminals. By performing a standard relay attack, the Cambridge researchers were able to pass the card's answers through during a transaction and so perpetrate fraud against the customer.
“Because the card knows a secret, I have no way of cloning that. But I can ask questions just like a terminal can ask [the card] questions. When I get the answer, I simply pass it on. I get an answer from a real card and pass it to a real terminal,” Murdoch explained.
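The exchange Murdoch describes, as an added toy model that is not part of the article or the Cambridge group's work: a card answers a terminal's challenge with a keyed MAC, a relay forwards the challenge and answer between a fake card and the genuine one, and the cryptography checks out either way. It also shows a round-trip-time check as one mitigation; the HMAC, key, latencies and threshold are constructed stand-ins, not EMV values.

```python
"""Toy model of the chip-and-PIN relay attack and of a round-trip-time check.
Constructed example: key, latencies and thresholds are illustrative only."""
import hmac, hashlib, os

class SimClock:
    """Deterministic clock so the model runs the same way every time."""
    def __init__(self): self.now_ms = 0.0
    def advance(self, ms): self.now_ms += ms

class Card:
    """Genuine card: knows a secret key and answers challenges with a MAC."""
    def __init__(self, key, clock, latency_ms=2.0):
        self.key, self.clock, self.latency_ms = key, clock, latency_ms
    def respond(self, challenge):
        self.clock.advance(self.latency_ms)      # time the chip takes to answer
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

class Relay:
    """Attacker pair: a fake card at the victim terminal forwards each
    challenge over a link to a tampered terminal holding the real card."""
    def __init__(self, real_card, clock, link_ms=40.0):
        self.real_card, self.clock, self.link_ms = real_card, clock, link_ms
    def respond(self, challenge):
        self.clock.advance(self.link_ms)          # challenge travels to the real card
        answer = self.real_card.respond(challenge)
        self.clock.advance(self.link_ms)          # answer travels back
        return answer

class Terminal:
    """Verifier; shares the card key in this toy model (in EMV the issuer holds it)."""
    def __init__(self, key, clock, max_rtt_ms=10.0):
        self.key, self.clock, self.max_rtt_ms = key, clock, max_rtt_ms
    def authenticate(self, responder):
        challenge = os.urandom(16)
        start = self.clock.now_ms
        answer = responder.respond(challenge)
        rtt = self.clock.now_ms - start
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        crypto_ok = hmac.compare_digest(answer, expected)  # passes for the relay too
        return {"crypto_ok": crypto_ok, "rtt_ms": rtt, "rtt_ok": rtt <= self.max_rtt_ms}

def demo(link_ms=40.0):
    """Run one direct and one relayed transaction; return both verdicts."""
    key, clock = b"constructed-demo-card-key", SimClock()
    card, terminal = Card(key, clock), Terminal(key, clock)
    direct = terminal.authenticate(card)
    relayed = terminal.authenticate(Relay(card, clock, link_ms))
    return direct, relayed

if __name__ == "__main__":
    d, r = demo()
    print("direct :", d)   # crypto_ok True, rtt_ms 2.0  -> accepted
    print("relayed:", r)   # crypto_ok True, rtt_ms 82.0 -> rejected by the RTT check
```

The timing check only helps when the relay link adds more delay than the threshold allows; `demo(1.0)` shows a fast enough link slipping under a 10 ms bound.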
Banks are trying to downplay the news by pointing out that the attack requires two people: one to operate the relay and one to tamper with the terminal itself. I’m not sure why banks think a crook couldn’t find a partner for this, but they seem to be in denial about how easy it would be to set up such a two-man fraud operation. Regardless, users of these cards should exercise just as much caution as they did before the cards came out, and keep an eye on the news for developments.