Feeds

Chip and PIN keypads 'easily fooled' with counterfeit cards

Blighty researchers head to Vegas to show 'em how

The Essential Guide to IT Transformation

Black Hat 2012 Retail Chip and PIN devices might easily be attacked using a specially prepared chip-based credit card, according to security researchers.

Researchers from British IT security company MWR InfoSecurity demonstrated the attack at a session during the Black Hat Security Conference in Las Vegas on Wednesday. MWR purchased the smartcards used in its demo for £40.

The researchers showed how a specially prepared chip-based credit card might be used to pay for an item. The PIN Pad device produces a receipt that appears to authorise the payment that is never actually processed, thereby exposing merchants to fraud.

In a second demonstrated attack scenario, researchers showed how a specially prepared card containing malware can be used to infect a PIN entry device, installing code capable of harvesting card numbers and PINs from cards subsequently used on the compromised terminal. The attacker might be able to return later with another malicious card in order to collect harvested numbers and PINs before cleaning off the malware.

Cloned cards might subsequently be produced with counterfeit magnetic stripes. These cards might be used to withdraws funds from ATMs in countries where Chip and PIN is yet to be introduced.

MWR InfoSecurity has also identified examples of network and interface attacks, similar to those reported by German researchers SR labs on other devices recently. The Basingstoke-based firm found the flaws during its ongoing research into secure payment technologies.

A statement by MWR InfoSecurity on its research was lacking in detail and no one from the firm could be reached for additional comment at the time of going to press. However, in a radio interview, Professor Ross Anderson of Cambridge University told the BBC that the MWR has built on its earlier research into the security of PIN entry devices.

Anderson described the work as "impressive". "We had already known that you could disrupt the operation of a payment terminal by inserting a malicious programmed smartcard but what MWR has done is to develop this into an exploitable attack. It's yet another vulnerability in the Chip and PIN system."

MWR has notified the vendors involved – more than one is undertood to be affected – but is withholding names and other details because the devices concerned are currently being used at thousands of retail outlets in the UK and around the world. It is urging an industry-wide review of retail Chip and PIN entry devices.

Don't Panic

In a statement, the UK Cards Association said it was investigating the attack scenario while stressing that no attack of this type has actually been recorded.

We are currently assessing the implications of research by MWR InfoSecurity which, on the face of it, outline a possible means of attack on PIN entry devices. Those seeking to commit fraud are constantly searching for new ways to breach the security of the payments system and we take all threats very seriously.

The attack described targets point-of-sale card acceptance devices in retail outlets. It is not an attack on chip cards themselves (including contactless cards) or cash machines.

Importantly, we have no evidence of this type of attack occurring, either in the UK or anywhere else in the world where chip & PIN is in use. That said, working with partners across the industry, we are urgently identifying measures to exclude any risks.

Levels of card fraud are at their lowest since 2000. Card holders who are the innocent victims of fraud have excellent legal protection, meaning they will not suffer any financial loss as a result.

Ian Shaw, managing director of MWR InfoSecurity, said in a statement that the lack of security in Chip and PIN machines is putting millions of businesses around the globe at potential risk.

"Whilst criminal attacks are unlikely to be happening on a widespread basis currently, the vulnerabilities exist and previous patterns suggest that attacks like this are only a matter of time," Shaw said. "We test a lot of technology used in sensitive banking and retail payment environments and were surprised at how vulnerable many PIN Pads are to these kinds of attacks." ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Fiendishly complex password app extension ships for iOS 8
Just slip it in, won't hurt a bit, 1Password makers urge devs
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.