Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chip-and-Pin Vulnerable To Subtle Trickery

Posted by Zonk on from the i-feel-quite-safe dept.

An anonymous reader writes "Cambridge University researchers, in an investigation for BBC Television's Watchdog programme, have demonstrated a man-in-the-middle attack for the chip-and-pin credit card security system used throughout the UK and Europe. In the attack, the card is inserted into a card-reader that has been tampered with, and the information transmitted in real-time to an accomplice who uses a specially modified card to make a higher-value purchase elsewhere. The modified card-reader shows only the expected amount, but the larger amount is deducted from the victim's bank account. It would not be easy to use this method in practice because the two transactions must be made simultaneously. The same team recently demonstrated a hacked chip-and-pin terminal playing Tetris."

3 of 64 comments (clear)

  1. 'Watchdog' tonight by shrykk · · Score: 4, Insightful

    This is due to be on 'Watchdog' (a popular consumers'-rights show) in about 45 minutes.

    As I understand it, the point of this research is that the banks have been claiming that chip-and-pin terminals are completely tamper-proof. In fact, they may be tamper-proof from the banks' point of view (preventing fraudulent transactions by destroying encryption keys if the case is tampered with), they're not from the customers' point of view - a dodgy establishment or criminal employee could clone your card with a terminal that looks legit.

    So, ripping out the innards and putting a machine playing Tetris inside looks silly, but demonstrates that the devices aren't inherently trustworthy. And this is the next step: showing that a card can be cloned and the details used to make a fraudulent transaction using modified hardware.

    --
    #define struct union /* Reduce memory usage */
  2. Re:The Tetris hack was a fake by maubp · · Score: 4, Informative

    It was not the real hardware hacked to play tetris. It was different hardware in the same box.

    Sure, this shows that you can fool a user to think they're using a valid machine, but it does not get at the transaction.
    Have you read the article? There is a fake transaction at the victim's location which appears to be paying £20 for dinner. There is a real (but fraudulent) transaction at the jewelers at the same time for $2000 of diamonds.

    The victim's card goes in the "fake pin machine" which is linked via laptops to a "fake card" in a "real pin machine" at another shop (in this case, a jewelers).

    The laptop link makes it look like the victim's card is physically at the jewelers store, and takes care of all the validation. The victim is told the dinner price, and enters their PIN into the "fake PIN machine", which says "thank you" and prints a fake receipt. Meanwhile, the PIN number is then passed to the criminal at the jeweler to key into the real PIN machine and buy the diamonds.

    Tricky to pull off due to the timing - but a real treat all the same.
  3. Re:Ultimate Financial Security by sunwukong · · Score: 4, Funny

    "Lady, me and this gun here say that I'm going to pay cash for this and there's nothing you can do about it!"

    "I'm sorry, sir, but I can't hear what you're saying through the mattress you're wearing."

    Or did I misinterpret what you're suggesting?