Researchers from Cambridge University say they have found "numerous weaknesses" in the security of one-time-password generating card readers used for authentication in online banking.
Saar Drimer, Steven Murdoch, and Ross Anderson say they reverse-engineered the unpublished Chip Authentication Programme (CAP) protocol and found several security vulnerabilities in the UK variant of the readers and smart cards.
The researchers published their paper, Optimised to Fail: Card readers for online banking, today at the Financial Cryptography 2009 conference.
The paper says the basic principle behind CAP - a trusted user interface and secure cryptographic microprocessor - is sound.
However, design errors such as reusing authentication tokens, overloading data semantics (the same response serving both to log in and to authorise a transaction), and failing to ensure fresh responses are putting customers at risk.
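To make those three design errors concrete, here is an added simulation of a generic challenge-response one-time-code scheme; it is not the CAP protocol as reverse-engineered in the paper, nor code from the researchers. It assumes an HMAC-SHA256 card key, a card-side transaction counter, a server-issued 8-byte challenge and a purpose tag; all of these, the 8-digit code length, and the sample key and challenge values are constructed for the example. A weak verifier checks only that the code is a valid MAC, so a captured code replays and a login code also passes as a transaction authorisation; the strict verifier consumes each challenge once, requires the counter to advance, and binds the code to its purpose.

```python
import hashlib
import hmac
import os
import struct

# Constructed example parameters, not values from the paper.
CARD_KEY = bytes(range(16))
CODE_DIGITS = 8


def card_response(key: bytes, counter: int, challenge: bytes, purpose: bytes) -> str:
    """Simulated card/reader side: derive a one-time code from the per-card key,
    a monotonically increasing card counter, the server challenge and a purpose
    tag, so a code for "login" is not also a valid code for "sign"."""
    msg = purpose + struct.pack(">I", counter) + challenge
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation: pick a 31-bit window, reduce to digits.
    offset = mac[-1] & 0x0F
    window = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{window % (10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


class WeakVerifier:
    """Accepts any code that is a valid MAC over the stated challenge.
    No single-use challenges, no counter check, and any purpose accepted:
    this is the 'reused token / overloaded semantics / no freshness' pattern."""

    def __init__(self, key: bytes):
        self.key = key

    def verify(self, counter: int, challenge: bytes, code: str) -> bool:
        for purpose in (b"login", b"sign"):  # semantics overloaded
            if hmac.compare_digest(card_response(self.key, counter, challenge, purpose), code):
                return True
        return False


class StrictVerifier:
    """Issues a fresh random challenge per operation, consumes it on first use,
    rejects non-increasing counters, and binds each code to one purpose."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1
        self.pending = {}  # challenge -> purpose it was issued for

    def issue_challenge(self, purpose: bytes) -> bytes:
        challenge = os.urandom(8)
        self.pending[challenge] = purpose
        return challenge

    def verify(self, counter: int, challenge: bytes, code: str, purpose: bytes) -> bool:
        # Consume the challenge on any attempt: one guess per challenge.
        issued_for = self.pending.pop(challenge, None)
        if issued_for != purpose:  # unknown, already used, or wrong operation
            return False
        if counter <= self.last_counter:  # replayed or rolled-back counter
            return False
        expected = card_response(self.key, counter, challenge, purpose)
        if not hmac.compare_digest(expected, code):
            return False
        self.last_counter = counter
        return True


def demo() -> dict:
    """Run the attack scenarios against both verifiers and return the outcomes."""
    counter = 7
    # Attacker records one legitimate login exchange (constructed challenge).
    chal = bytes.fromhex("0011223344556677")
    code = card_response(CARD_KEY, counter, chal, b"login")

    weak = WeakVerifier(CARD_KEY)
    results = {
        "weak_first_use": weak.verify(counter, chal, code),
        "weak_replay": weak.verify(counter, chal, code),  # replay accepted
    }

    strict = StrictVerifier(CARD_KEY)
    c1 = strict.issue_challenge(b"login")
    code1 = card_response(CARD_KEY, counter, c1, b"login")
    results["strict_first_use"] = strict.verify(counter, c1, code1, b"login")
    results["strict_replay"] = strict.verify(counter, c1, code1, b"login")
    # Fresh challenge but the card counter has gone backwards.
    c2 = strict.issue_challenge(b"login")
    results["strict_rollback"] = strict.verify(
        counter - 1, c2, card_response(CARD_KEY, counter - 1, c2, b"login"), b"login")
    # A login-purpose code presented to authorise a transaction.
    c3 = strict.issue_challenge(b"sign")
    results["strict_wrong_purpose"] = strict.verify(
        counter + 1, c3, card_response(CARD_KEY, counter + 1, c3, b"login"), b"sign")
    # Correct fresh exchange for a transaction.
    c4 = strict.issue_challenge(b"sign")
    results["strict_fresh_sign"] = strict.verify(
        counter + 1, c4, card_response(CARD_KEY, counter + 1, c4, b"sign"), b"sign")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The point of the strict verifier is that freshness and semantics have to be enforced on the verifying side: the card cannot know whether its response will be used to log in or to move money, so the server must issue a purpose-specific challenge and refuse to accept the same response twice or out of counter order.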
In February, the researchers demonstrated that unencrypted card details can be stolen by "tapping" PIN entry devices (PEDs). They found flaws in the Ingenico i3300 and Dione Xtreme PEDs - both of which are certified by Apacs and Visa - that can enable fraudsters to access unencrypted PINs and account numbers.
The paper points out that, as with the move from signature to PIN for authorising point-of-sale transactions, the move to CAP for online banking shifts liability for losses from banks to customers.
Barclays, which along with NatWest was tested by the researchers, outlined plans last year to extend the use of Gemalto handheld chip and PIN devices after reporting zero fraud among the first million users.
Read the paper here