21 September 2017

Researchers warn of Chip and PIN relay threat

06 February 2007  |  19312 views  |  0 comments

Researchers at Cambridge University are warning that fraudsters could steal Chip and PIN details while customers make purchases in stores.

Security researchers Saar Drimer and Steven Murdoch, at the Computer Laboratory, University of Cambridge, have demonstrated for the BBC's Watchdog programme how Chip and PIN terminals can be doctored to enable criminals to capture customer details in a so-called "relay attack".

For the programme, the researchers showed how they were able to intercept cardholder data during a transaction at a book shop and relay it wirelessly to an accomplice.

The attack relies on the removal and substitution of a genuine Chip and PIN terminal with a doctored device - bought off eBay in this instance - which is presented to the unwitting customer. The fake terminal captures the details from the genuine card and relays them to a blank card inserted into the merchant's real terminal off-site. The PIN is also recorded by the fake terminal.

Because the payment is accepted, everything seems normal to the customer. The cloned card can then be used to make further fraudulent purchases.

In a statement, the Cambridge team says: "Banks have previously claimed that if a fraudulent Chip and PIN transaction was placed, then the customer must have been negligent in protecting their card and PIN, and so must be liable. This work shows that despite customers taking all due care in using their card, they can still be the victim of fraud."

Drimer and Murdoch say this type of attack has been thought to be too difficult and expensive to implement, but they have shown that it can be accomplished for less than £250.

Says Murdoch: "We have successfully demonstrated our attack between two shops on the same street over a wireless connection, but our measurements indicate that it would work equally well, via mobile phone, to the other side of the world."

The researchers say it is unlikely that criminals are currently using this technique, as there are less sophisticated attacks which Chip & PIN remains vulnerable to, but as security is improved the relay attack may become a "significant source of fraud".

Sandra Quinn, spokesperson for the UK payments association Apacs, told the BBC that this type of fraud would be difficult because it would need an in-store accomplice and an external accomplice to work at the same time.

Quinn told reporters there is "no evidence that this is about to happen".

Earlier this month Drimer and Murdoch managed to hack a so-called tamper resistant Chip and PIN terminal and got it to play a version of Tetris.
