
Chip ‘n Pin security compromised

Research carried out by Saar Drimer, Steven J. Murdoch and Ross Anderson of the Computer Laboratory Security Group at the University of Cambridge has shown how to compromise supposedly tamper-proof Chip and PIN terminals.

Without specialist equipment and with little technical knowledge, fraudsters would be able to acquire all the information necessary to clone a user’s credit or debit card.

The team's full results are published in their academic paper. [via]

In Chip & PIN card transactions, customers insert their card and enter their PIN into a PIN Entry Device (PED). We have demonstrated that two popular PEDs, the Ingenico i3300 and Dione Xtreme, fail to adequately protect card details and PINs. Fraudsters, with basic technical skills, can record this information and create fake cards which may be used to withdraw cash from ATMs abroad, and even some in the UK. These failures are despite the terminals being certified secure under the Visa approval scheme, and in the case of the Ingenico, the Common Criteria system. Our results expose significant failings in the entire evaluation and certification process.

Newsnight coverage of the research.

By Matt Wharton

Matt Wharton is a dad, vlogger and IT Infrastructure Consultant. He was also in a former life a cinema manager.
