Chip and PIN terminals hacked

Cambridge University researchers have published results of successful attempts to obtain personal identification number (PIN) and credit card details from chip and PIN terminals.

The Ingenico i3300 and Verifone's Dione Xtreme PIN entry devices (PEDs) used by the university's Computer Laboratory researchers use tamper-proof mechanisms to prevent hackers accessing the sensitive card and PIN data they read and transmit in authorising card payments.

But the paper published today, entitled Thinking inside the box: system-level failures of tamper proofing, said: "What should have required $25,000 needed just a bent paperclip, a needle, a short length of wire and some creative thinking; attaching them to the data line takes minutes with some practice."

By exploiting the user-access point built into the Ingenico device for changing SIM cards, researchers Saar Drimer and Steven Murdoch, overseen by Professor Ross Anderson, were able to tap the unencrypted data line of the interface between the PED and smartcard chip. And, although both have a tamper-proof switch, this was bypassed on the Dione Xtreme by drilling a small hole into a flat ribbon connector socket at the back of the device instead.

A paper clip was linked to the data line to act as a conductor, connected to a logic board with a field programmable gate array (FPGA) to translate and transmit the data to a laptop.

Visa has certified both devices as secure, under criteria including that it should take 10 hours, or cost over $25,000 (£12,582), to insert any bugs to steal PINs. But the researchers said it proves that the design and certification processes of such PEDs, and of other secure data entry devices like voting machines and electronic medical record systems, are flawed.

Ingenico issued a statement on the research, refusing to attribute a spokesperson's name to it. "The method identified by the Cambridge University paper requires specialist knowledge and has inherent technical difficulties. This method is therefore not reproducible on a large scale, nor does it take into account the fraud monitoring used throughout the industry," said the vendor.

This was backed by Apacs, whose director of communications Sandra Quinn told IT PRO that, although the research proved the hack was technically feasible, it was not news to the UK payments association, nor did it represent any step in breaching the integrity of chip and PIN. "It is the magnetic stripe data that was being recorded and used to make fake cards along with PIN capture, generally through pinhole cameras," she said.

Cameron Olsen, vice president of business development for smart card software vendor Smart Technology Solutions (STS), said the flaw lay not with the PEDs but with the data standards used to store data on the magnetic stripe on the cards themselves.

He said the big flaw with cards at the moment is the fact that they use legacy magnetic stripes. "This technology is exceptionally insecure and there needs to be a strong push to do away with this technology. The fraud cases highlighted by the research are more than likely to be magnetic-stripe fraud and the one chip fraud mentioned is almost 100 per cent likely to have been fraud on the magnetic-stripe where the chip was damaged (forcing it back to the magnetic-stripe) or the card has been used by someone unauthorised.

"There is no evidence that says that chip technology has been cracked," added Olsen. "Yes, the UK does use Static Data Authentication (SDA) cards; however, there will be a move towards Dynamic Data Authentication (DDA) at some point, which will provide more security. The UK banks are now paying some of the price for going with SDA rather than DDA cards when they were rolling out chip and PIN."

Both Olsen and Quinn also said all UK cards issued after 1 January 2008 include an updated integrated circuit card verification value (iCVV), which means that if one of these cards were compromised, a fake magnetic stripe card created via a compromise of this type would be ineffective in cash machines and even at retailers not using chip and PIN.

Verifone had not responded to a request for comment at the time of writing.

Miya Knights