"If you can predict it, you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location. You can as good as clone the chip... Just like most vulnerabilities we find these days, some in industry already knew about it but covered it up; we have indications the crooks know about this too, and we believe it explains a good portion of the unsolved phantom withdrawal cases reported to us, for which we had until recently no explanation," wrote University of Cambridge security researcher Mike Bond in a recent blog posting.
Indeed, despite the introduction of chip and PIN – which was supposed to make card payments more secure – fraud has continued rising, increasing by nine per cent to £185m in the first half of the year.
The banking industry, though, has defended itself, claiming that the changes are justified due to the increasingly pervasive nature of mobile banking.
In a statement, Santander told Computing: "In line with other providers, we believe that by having security details unique to the accounts they hold with us, customers can help protect themselves further against fraud risks. Due to the increasing use of mobile banking and password memory software we are updating our terms and conditions and suggesting a number of additional measures our customers can take to help protect themselves.
"Unless a customer is involved in fraud, any instance of fraud is against the bank, not the customer, and so innocent victims will not lose out financially. We look at every fraud case on an individual basis. If a customer has been a victim of fraud and they have taken reasonable steps to protect their personal financial security then we will refund within 24 hours."
Santander has also recently been at the centre of claims regarding the security of its personal online banking accounts, published on the Full Disclosure list.
In October, an online security researcher claimed that Santander had been storing users' credit card details and other personally identifiable information in cookies on users' PCs, where they sit in plain text and are easily recoverable by an attacker with access to the machine. "Santander online banking unnecessarily stores sensitive information within cookies. Depending on which areas of online banking the user visits this information may include the following: Full name, credit card number, bank account number and sort code, alias and user ID."
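The cookie finding above is the kind of leak a simple client-side or proxy check can catch. The following is an added example, not code from the article or from any bank; it scans a constructed `Cookie` header (the header value and cookie names are invented) for values that contain a Luhn-valid card number or a UK sort-code pattern, which is how a tester or a web-proxy rule would flag sensitive data being persisted in cookies.

```python
import re
from urllib.parse import unquote

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# UK sort code in the common NN-NN-NN form.
SORT_CODE_RE = re.compile(r"(?<!\d)\d{2}-\d{2}-\d{2}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive_cookies(cookie_header: str) -> dict:
    """Return {cookie_name: [finding, ...]} for cookies whose (percent-decoded)
    value looks like it carries a card number or a UK sort code.
    About one in ten random digit runs passes Luhn, so treat hits as triage leads."""
    findings = {}
    for part in cookie_header.split(";"):
        name, sep, raw_value = part.strip().partition("=")
        if not sep:
            continue                      # malformed fragment, skip it
        value = unquote(raw_value)
        hits = []
        for m in PAN_RE.finditer(value):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append("card number (Luhn-valid)")
        if SORT_CODE_RE.search(value):
            hits.append("UK sort code")
        if hits:
            findings[name] = hits
    return findings


# Constructed sample: one harmless session cookie, one cookie carrying customer details
# (4111 1111 1111 1111 is a well-known test PAN), and one 16-digit value that fails Luhn.
SAMPLE_COOKIE_HEADER = (
    "session=abc123; "
    "custInfo=name%3DJane%20Doe%7Cpan%3D4111-1111-1111-1111%7Csort%3D12-34-56%7Cacct%3D12345678; "
    "prefs=1234567890123456"
)

if __name__ == "__main__":
    print(find_sensitive_cookies(SAMPLE_COOKIE_HEADER))
```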