PCPro-Computing in the Real World Printed from www.pcpro.co.uk

Cambridge team hijacks chip and PIN

Posted on 28 Feb 2008 at 12:01

Researchers at Cambridge University have discovered a simple method of capturing data from chip and PIN payment cards.

The team of Saar Drimer, Steven J Murdoch and Ross Anderson found the vulnerability in two common PIN entry devices (PEDs), the small card-reading terminals at shop checkouts. By inserting a simple data-tapping circuit into the PED, the researchers were able to read the unencrypted data that passed between the card and the reader.

They successfully demonstrated the exploit on a real terminal borrowed from a retailer.

"These PEDs failed to protect the communication path that carries the card data from the card to the PIN pad, and that carries the PIN from the PIN pad back to the card," says Drimer. "A villain who taps this gets all the information he needs to make a fake card, and to use it."

The stolen PIN and card data could be copied to the magnetic strips of counterfeit cards, which could then be used in overseas ATMs or in any other device that does not yet use chip technology.

Ingenico, which manufactures one of the PEDs identified by the researchers, said that the risk had been exaggerated.

"Retailers and card users should rest assured that the devices, from various suppliers, identified by the Cambridge University scientists, remain among the most secure terminals on the market and have contributed to card fraud at UK retailers falling by up to 47% year-on-year," the company claims in a statement.

The UK payments association APACS declined to comment until it had seen full details of the researchers' findings, which for security reasons have not been made public.

And the researchers warned that the risk may not be confined to PEDs.

"The lessons we learned are not limited to banking," says Anderson, who is professor of security engineering at Cambridge. "Other fields, from voting machines to electronic medical record systems, suffer from the same combination of stupid mistakes, sham evaluations and obstructive authorities.

"Where the public are forced to rely on the security of a system, we need honest security evaluations that are published and subjected to peer review."

Author: Simon Aughton
