Researchers Expose New Credit Card Fraud Risk

An anonymous reader writes "Researchers from the University of Cambridge have discovered flaws in the card payment systems used by millions of customers worldwide. Ross Anderson, Saar Drimer, and Steven Murdoch demonstrated how a simple paper clip can be used to capture account numbers and PINs from so-called 'tamper-proof' equipment. In their paper (PDF), they warn how with a little technical skill and off-the-shelf electronics, fraudsters could empty customers' accounts. British television featured a demonstration of the attack on BBC Newsnight."

This is a UK/Europe card system issue...

What people are missing in this is that this pertains to certain card types mainly used in Europe. The type with RFID or embedded chips used for security. On standard US debit cards, there is no information sent to the card or from the card that ties to the PIN. The PIN is only seen by the pinpad component and immediately encrypted using a rotating DKPUT key algorithm before that, the card number and a sequence number are sent to be translated by a hardware security module. The pin pads themselves used by most US retailers are secure and do not pose a risk. If you tamper with most of those devices (example, the Welch Allyns used by best buy, lowe's and others) then the injected keys are erased and PIN translation fails. They normally don't remain out too long if they are tampered with since the stores will consider them broken and unusable when they don't work anymore. This is related to the system in place and used in the UK. The US system, while old, is only being updated currently to support the new double length key requirements and have not incorporated smart card support or RFID (except a few gas station chains). The most important thing in the US is to protect the card database since the data on the mag stripe can be used as a credit card. As for PIN security, don't tell others your pin, notice hidden cameras that look out of place and point at PIN pads and you should be safe. The way PIN numbers are stored at banks within a hardware security module is safe and those devices are very sensative to outside attack. They even employ motion sensors to prevent tampering in HSMs.