Slashdot Mirror


Chip & PIN terminal playing Tetris

Fearful Bank Customer writes "When British banks introduced the Chip-and-Pin smartcard-based debit and credit card system three years ago, they assured the public it was impervious to fraud. However, the EMV protocol it's based on requires customers to type their bank account pin number into store terminals in order to make any purchase. Security researchers at the University of Cambridge Computer Laboratory derided the system as insecure at the time, as it gave access to customers' bank account pin numbers to every store they bought from. Despite these objections, the system was deployed, so researchers Steven Murdoch and Saar Drimer recently modified a straight-off-e-bay chip-and-pin terminal to play Tetris, with a video on YouTube, demonstrating that devices are neither tamper-resistant nor tamper-evident, and that even students with a spare weekend can take control of them. The banks are claiming that this can be reproduced only "in the laboratory" but seem to have missed the point: if customers have to type their bank account pin into every device they see, then the bad guys can capture both critical card information *and* the pin number for the bank account, leaving customers even more vulnerable than they were under the old system."

8 of 228 comments

  1. to misquote Franklin... by PresidentEnder · Score: 4, Funny

    Those who would exchange security for convenience deserve Tetris!

    --
    I used to carry a bottle of whiskey for snake bite. And two snakes. -Nefarious Wheel
  2. The team's next hack... by reverseengineer · Score: 5, Funny

    ...will be a modification to Tetris to make that damn straight-line block appear more often.

    --
    "FDA staff reviewers expressed concern about the number of patients who were left out of the study because they died."
  3. Tetris on machine no evidence of tampering? by noidentity · Score: 2, Funny

    researchers [...] recently modified a straight-off-e-bay chip-and-pin terminal to play Tetris, with a video on YouTube, demonstrating that devices are neither tamper-resistant nor tamper-evident [...]

    I think putting Tetris on the machine makes it pretty obvious that it has been tampered with.

  4. Re:PIN Number? by heinousjay · Score: 3, Funny

    There's something about being pedantic that makes any joke you construct seem arrogant and quite the opposite of funny. Perhaps when you're filling the pedant role in the future, you can just stick to the job instead of trying to amuse at the same time.

    --
    Slashdot - where whining about luck is the new way to make the world you want.
  5. Missing the point... by __aaclcg7560 · Score: 2, Funny

    Anyone tampering with one of these machines will be caught by one of Britain's numerous public security cameras, promptly arrested and beaten senseless before being thrown into the drunk tank with an American dick named Sue. The banks are correct that tampering can only happen in a controlled environment.

  6. PIN Number? by Tau+Neutrino · Score: 2, Funny

    Yeah, that's what I use at the ATM machine when I want to drive my SUV vehicle to the store and buy some DIMM modules. I'm working on a device to detect the HIV virus, but I need a good TLA acronym to call it.

    --
    Lemmings are silly; dinosaurs are extinct.
  7. Re:Living in Britain... by breckinshire · Score: 2, Funny

    Being an American living in Britain, Chip & PIN makes a lot of sense.

    It's true what they say. British food really IS terrible.
  8. Re:I wrote Tesco's system you should all listen to by Anonymous Coward · Score: 1, Funny

    However, I'll agree, all this is pretty useless if someone can get inside the terminal and intercept the PIN at hardware level. Other than that and the looking-over-shoulder social security hole problem, EMV's pretty bullet proof.

    This sieve is watertight... except for the holes that is...