dreadedmonkeygod . net

Chip and PIN Cracked

Security researchers Steven Murdoch, Saar Drimer, Mike Bond, and Ross Anderson have developed an attack on Chip and PIN systems used to authenticate debit card transactions. It lets the attackers make purchases and withdraw cash without entering a PIN.

This attack is both academically and practically significant. We get reports weekly from different victims of phantom withdrawals, and these include large numbers of stolen cards used to make purchases in the window between theft and the cancellation of the card. Currently these victims are denied refunds by their banks, but this attack could explain some of the frauds we are seeing. The fact the receipt says "PIN Verified" when actually it wasn't raises a whole load of legal and evidential questions which call into question the banking industry's claim that their systems work (and log) properly. Merchants will be none too pleased either; the system no longer protects their interests but only those of the issuing bank.

When I hear this, it resonates deeply. The bank's records and security measures do not protect you; they protect the bank.

I'd love to hear about security measures that we, as customers, can use to protect ourselves from banks.

At first blush, the answer is to keep a checking account at one bank with very little cash in it, and all other assets at a completely separate bank. Kind of a headache, but might be necessary...
