Hundreds of millions of payment cards throughout Europe have a flaw that could allow criminals with a stolen card to enter any random PIN to complete a transaction, according to researchers from the University of Cambridge.
The Cambridge researchers have found a weakness in the complicated EMV protocol that allows for a man-in-the-middle attack. It essentially tricks the point-of-sale terminal into believing it has received a correct PIN no matter what digits are entered.
The card, meanwhile, thinks that the transaction was authorized by a signature. In some instances, a point-of-sale terminal may have trouble connecting back to a card's issuing bank but allow the transaction anyway if it is completed by a signature.
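The mismatch described above (the terminal believes a PIN was verified while the card believes a signature was used) can be flagged wherever both views are available. The following is an added example, not code from the Cambridge researchers or from any payment system; it assumes an issuer host that receives the terminal's CVM Results (EMV tag 9F34) alongside the card's own verification status, and the record layout, the `card_offline_pin_ok` field and the sample records are constructed for illustration.

```python
# Added example: reconcile the terminal's view of cardholder verification
# with the card's view. CVM Results (EMV tag 9F34) is 3 bytes:
# byte 1 = method performed, byte 2 = condition, byte 3 = result.
OFFLINE_PIN_METHODS = {0x01, 0x03, 0x04, 0x05}  # PIN checked by the card itself
RESULT_SUCCESSFUL = 0x02


def parse_cvm_results(hex_value):
    """Return (method_code, result_byte) from a 3-byte CVM Results value."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 3:
        raise ValueError("CVM Results must be exactly 3 bytes")
    return raw[0] & 0x3F, raw[2]  # low 6 bits of byte 1 select the method


def reconcile(txn):
    """Compare what the terminal reports with what the card reports.

    txn["cvm_results"]: hex string as reported by the terminal.
    txn["card_offline_pin_ok"]: hypothetical field. Assumes the host has
    already decoded the card's own verification status (the byte layout is
    card-application specific) from data protected by the card's cryptogram.
    """
    method, result = parse_cvm_results(txn["cvm_results"])
    terminal_claims_pin = (
        method in OFFLINE_PIN_METHODS and result == RESULT_SUCCESSFUL
    )
    if terminal_claims_pin and not txn["card_offline_pin_ok"]:
        return "DECLINE: terminal reports offline PIN success, card saw none"
    if not terminal_claims_pin and txn["card_offline_pin_ok"]:
        return "REVIEW: card verified a PIN the terminal did not report"
    return "CONSISTENT"


# Constructed sample authorization records (not real transaction data).
SAMPLES = [
    {"id": "t1", "cvm_results": "410302", "card_offline_pin_ok": True},
    {"id": "t2", "cvm_results": "410302", "card_offline_pin_ok": False},
    {"id": "t3", "cvm_results": "1E0300", "card_offline_pin_ok": False},
]

if __name__ == "__main__":
    for txn in SAMPLES:
        print(txn["id"], reconcile(txn))
```

Record `t2` is the inconsistent case: the terminal reports a successful offline PIN check, but the card's own status shows no PIN was verified.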
About 730 million chip-and-PIN cards are in use worldwide. Most European countries use the cards, and they are also being introduced in Canada and discussed in the U.S.