After years of preparation, chip and PIN credit cards are finally arriving in the United States. But while a chip and PIN might be much more secure than a signature, hackers have shown that it's not invulnerable, and now we know how they pulled it off.

As Ars Technica reports, a number of chip and PIN cards were stolen in France back in 2011, and somehow, the fraudsters who took them were able to start using them in Belgium, despite the security enhancements that credit card companies are wont to hold up as unimpeachable. Security researchers expressed their doubts about the tech as early as 2010, but the incident in Belgium was the first (and so far only) instance of an actual exploit. 

Now, the researchers behind the investigation have published a paper that explains how the hack worked, at least as well as they can tell; the actual cards are still untouchable because they are evidence in a criminal proceeding. As Ars Technica explains:

The fraudsters were able to perform a man-in-the-middle attack by programming a second hobbyist chip called a FUN card to accept any PIN entry, and soldering that chip onto the card's original chip. This increased the thickness of the chip from 0.4mm to 0.7mm, "making insertion into a PoS somewhat uneasy but perfectly feasible," the researchers write.

Essentially, that small extra chip would sit between the card's actual chip and the point of sale, and assure both sides that everything about the transaction was on the up-and-up, even though it wasn't.

The problem is solvable; the regulators behind the chip and PIN system say it's already been solved. But the fact that a vulnerability was present at all is still troubling. The all-around weakness of signature-based authentication meant that credit card companies had little choice but to eat the cost of plausible and frequent fraud. But if those same companies hold up chip and PIN as infallible, it could make claiming fraud much harder or virtually impossible.

Yes, chip and PIN will hopefully make credit card fraud much rarer, but if credit card companies continue to treat it as foolproof when it very well may not be, the next vulnerability could prove very expensive for the victims.

Source: Ars Technica via Boing Boing