Cambridge team hijacks chip and PIN

Researchers at Cambridge University have discovered a simple method of capturing data from chip and PIN payment cards.

Cambridge team hijacks chip and PIN

The team of Saar Drimer, Steven J Murdoch and Ross Anderson, found the vulnerability in two common PIN entry devices (PED), the small card reading terminal at shop checkouts. By inserting a simple data-tapping circuit into the PED, the researchers were able to read the unencrypted data that passed between the card and the reader.

They successfully demonstrated the exploit on a real terminal borrowed from a retailer.

“These PEDs failed to protect the communication path that carries the card data from the card to the PIN pad, and that carries the PIN from the PIN pad back to the card,” says Drimer. “A villain who taps this gets all the information he needs to make a fake card, and to use it.”

The stolen PIN and card data could be copied to magnetic strips on counterfeit cards, which could then by used in overseas ATMs or any other device that does not yet use chip technology.

Ingenico, which manufactures one of the PEDs identified by the researchers said that they risk had been exaggerated.

“Retailers and card users should rest assured that the devices, from various suppliers, identified by the Cambridge University scientists, remain among the most secure terminals on the market and have contributed to card fraud at UK retailers falling by up to 47% year-on-year,” the company claims in a statement.

The UK payments association APACS declined to comment until it had seen full details of the researchers findings, which for security reasons have not been made public.

And the researchers warned that the risk may not be confined to PEDs.

“The lessons we learned are not limited to banking,” says Anderson, who is professor of security engineering at Cambridge. “Other fields, from voting machines to electronic medical record systems, suffer from the same combination of stupid mistakes, sham evaluations and obstructive authorities.

“Where the public are forced to rely on the security of a system, we need honest security evaluations that are published and subjected to peer review.”

Disclaimer: Some pages on this site may include an affiliate link. This does not effect our editorial in any way.

Todays Highlights
How to See Google Search History
how to download photos from google photos