Those in positions of power shirking responsibility and lying?
"All the banks are lying. They are maliciously and wilfully deceiving the customer [...] The system is not fit for purpose." I'm so surprised that I've apparently transcended a serious remark and instead am being sarcastic. Incidentally, only part of that sentence was sarcastic.
I had no idea that the PIN was in the chip. Talk about broken security. That should always have been verified on the bank's servers and nowhere else.
Going back as far as 40 years ago, the banks and insurance companies have always been considered the dregs of high technology. Sure, they have massive computer systems, but they have consistently dragged their feet toward any reasonable security systems, not to mention modern accounting systems.
One can only assume that they intend to maximize profit against the cost of implementing proper systems -- even though, ironically, here in the States, banks very often forgive the charges to customers who dispute them. That must cost a huge amount of money, but they seem to prefer to avoid embarrassment in the press than to actually fix their broken systems.
They still wear the black arm-bands and green visors of their fore-figures... The story points out just how absurdly simplistic their technological thinking is. Amazing! But hardly surprising.
Merchants are advised that they should ensure the cardholder removes their hand from the card during a Chip and PIN transaction, and that there are no wires connecting the card to the cardholder.
This simple defence renders Professor Anderson's somewhat convoluted "Backpack Computer" attack ineffective.
To date, no mechanism can be demonstrated -- in the laboratory or in the field -- whereby the PIN can be obtained from the cryptographically protected area of the chip in which it is held.
Therefore the assertion that the technology is not fit for purpose is invalid.
There is an easier way to obtain someone's PIN -- look over their shoulder. So unless the entire concept of entering a "secret number" is deemed invalid, the technology should not be attacked.