Within minutes of my credit card being stolen by pickpockets, two large transactions were made by the thieves, apparently in a bar or cafe. My bank tells me that they were chip and PIN transactions. I am sure to a high degree of certainty that my PIN was not compromised:

- It was not written down
- It was not used for other purposes
- The card in question had not been used in months, and even then, in a different country (effectively ruling out shoulder-surfing)

Still, my bank insists that my PIN was used, although there is no reasonable way the thieves could have come to know it. The bank’s people obviously place a high degree of trust in this technology.

Are there known exploits that could allow a chip and PIN transaction to appear to have been made using the PIN, without the criminals actually having it?