Chip-and-Pin cards can be hacked
By Rene Millman,
Chip-and-Pin may not be as secure as banks and building societies would have us believe, according to new research by scientists at Cambridge University.
Saar Drimer and Stephen Murdoch, researchers at the University of Cambridge Computer Laboratory's Security Group, found that it was possible to tamper with a Chip-and-Pin terminal, found in most shops and businesses, and transmit the card's details to a criminal's accomplice in order to make a fraudulent purchase elsewhere.
As reported on IT PRO last month, the same researchers demonstrated that these terminals could be compromised by re-configuring a machine to play Tetris.
Chip-and-Pin was introduced last year and was touted as a safer way to make credit card transactions. But critics of the scheme have said that all the technology does is shift the responsibilities for the security of the card away from the banks and onto consumers.
The researchers outline a scenario where such an attack could take place.
"You go for lunch in a small restaurant in London, and pay using your Chip-and-Pin card at the end of the meal. What you don't know is that the waiter at the restaurant is corrupt," said the researchers on their website. "You ask for the bill, and the waiter goes off to fetch a handheld Chip-and-Pin machine that he brings over to you."
They said that elsewhere, in a jeweller's shop, an accomplice waits for a signal from the waiter.
"The waiter signals to his accomplice using his mobile phone, and the accomplice goes up to make the purchase. Just as you insert your card into the waiter's point-of-sale terminal, the accomplice puts a fake card into the jeweller's terminal," said Drimer and Murdoch.
They said the waiter's sabotaged reader forwards all the traffic from your card wirelessly to the card in the reader at the jewellers, and makes up anything it likes to display on its own screen.
"You enter the Pin, and as you do so, you think you are paying for lunch, but in fact, you're buying a diamond! The accomplice leaves with the diamond, and you don't realise until it's far too late!" they said.
But a spokeswoman from the UK payments association Apacs told the BBC this type of fraud would be difficult to commit as an in-store accomplice would need to work at the same time as their partner-in-crime in another shop.
"I think we should be more concerned about other types of fraud - there is no evidence that this is about to happen," said Sandra Quinn of Apacs. "It is on the list of potential threats."
You may also like...
Sponsored Links
advertisement
You may also like...
Latest Security Analysis & Insight
Do British police get cyber security?
Davey Winder listens to telephone conversations between the FBI and the Metropolitan Police, courtesy of Anonymous, and isn't impressed.
- Who to trust after the VeriSign hack?
- Striving to solve the security skills crisis
- Would you employ a hacker or malware writer?
- Q&A: Raj Samani, CTO McAfee
- Erase and rewind: the EU and privacy
- My email address is [CENSORED]
- Is there such a thing as a secure tablet?
- 2011: The year in news
- BYOD: Old or new, good or bad?
Latest Security Reviews
Check Point 2210 Appliance review
Rating: 
advertisement
Most popular
- Ubuntu vs. Windows 7 on the business desktop
- York researchers heat storage to speed up data
- BlackBerry Bold 9790 review
- OneNote hits Google?s Android
- O2 trials Olympic-scale remote working
- Will someone rid me of these troublesome Macs?
- Lenovo beats expectations again
- Who to trust after the VeriSign hack?
- Google to promise fairness after Motorola buy
- Report: Google cloud storage coming soon
Latest News Videos in Security
IT PRO Podcast: Are UK data protection laws flawed?
PlayWe bring in two experts to talk about the problems with UK data protection law and the way it is managed.
Register for IT PRO
You'll get exclusive member benefits including free whitepapers, downloads, Webinars and weekly newsletters full of the latest IT PRO news, reviews, insight and expertise.
