Chip-and-Pin Vulnerable To Subtle Trickery
An anonymous reader writes "Cambridge University researchers, in an investigation for BBC Television's Watchdog programme, have demonstrated a man-in-the-middle attack for the chip-and-pin credit card security system used throughout the UK and Europe. In the attack, the card is inserted into a card-reader that has been tampered with, and the information transmitted in real-time to an accomplice who uses a specially modified card to make a higher-value purchase elsewhere. The modified card-reader shows only the expected amount, but the larger amount is deducted from the victim's bank account. It would not be easy to use this method in practice because the two transactions must be made simultaneously. The same team recently demonstrated a hacked chip-and-pin terminal playing Tetris."
Someone with a close eye on their account will notice the missing money and pull up recent transactions online. Armed with receipts and a printout of the impossible-to-make dual purchases with one card in two locations, the compromised machine can be shut down (de-authorised) and legal proceedings started. This attack has a name attached to the business using the terminal.
The attack is proof of concept, but it leaves too much of a trail.
The truth shall set you free!