PIN devices vulnerable to 'tapping' attacks, researchers warn

Chip and PIN security is under the spotlight again after researchers at Cambridge University demonstrated that unencrypted card details can be stolen by "tapping" PIN entry devices (PEDs).

Researchers Steven Murdoch, Saar Drimer and Ross Anderson claim to have found flaws in the Ingenico i3300 and Dione Xtreme PEDs - both of which are certified by Apacs and Visa - that can enable fraudsters to access unencrypted PINs and account numbers.

They say the "tapping" technique requires little technical know-how, and that fraudsters can easily attach a "tap" to the PED that records PIN and account details as they are transmitted between the card and the PIN pad. Criminals can then use this data to create counterfeit cards that can be used to withdraw cash at ATMs in countries where Chip and PIN hasn't yet been implemented.

The researchers say the UK banking industry has made it easier for fraudsters to steal data by issuing Chip and PIN cards that do not encrypt data exchanged between the card and the PED during a transaction.

"The vulnerabilities we found were caused by a series of design errors by the manufacturers. They can be exploited because Britain's banks set up the Chip and PIN in an insecure way," says Drimer. "These PEDs failed to protect the communication path that carries the card data from the card to the PIN pad, and that carries the PIN from the PIN pad back to the card. A villain who taps this gets all the information he needs to make a fake card, and to use it."

Despite the findings, the researchers say they have been told that the PEDs - which are used by major UK retailers including Asda, Boots and the Co-op - will not be removed from service.

The researchers demonstrated the tapping attack on the BBC's Newsnight programme.

In a statement given to the BBC, Apacs claims the demonstration does not show anything the industry is not already aware of and that the tapping attack is difficult to carry out and not "economically viable" for fraudsters.

Meanwhile, EFTPOS manufacturer Ingenico told the BBC that the attack method requires specialist knowledge, is technically difficult and doesn't take into account the fraud monitoring used throughout the industry.

This is not the first time this team of Cambridge researchers has uncovered security flaws in the chip and PIN system. Last year they demonstrated how Chip and PIN terminals can be doctored to enable criminals to capture customer details in a so-called "relay attack".

The researchers showed how they were able to intercept cardholder data during a transaction at a book shop and relay it wirelessly to an accomplice.

The same group also hacked a tamper-resistant Chip and PIN terminal to get it to play Tetris.
