A major flaw in the Chip and PIN security system that is used to protect card payments has been identified by scientists. Researchers from Cambridge University have revealed that it is possible to trick the system into authorizing the payment even without the correct Pin code being entered.

Published in a paper written by Steven J. Murdoch, Saar Drimer, Ross Anderson and Mike Bond. "The fraudster performs a man-in-the-middle attack to trick the terminal into believing the Pin is verified correctly, while telling the issuing bank that no Pin was entered at all".

This implies that stolen cards can be used in shop terminals and bank cash machines without being identified, it is claimed.

The use of signatures to authorize purchases was replaced universally on Valentine's Day 2006 by the chip and PIN system. It was stated by the banks that the introduction of the PIN system would reduce card fraud because even if a card was stolen it could not be used by a thief who did not know the number, therefore eliminating any possibility of a loophole.

However, the UK Cards Association denied the discovery was serious. “We believe that this complicated method will never present a real threat to our customers’ cards”, said a statement issued by the banks trade body.