Feeds

Chip and PIN keypads 'easily fooled' with counterfeit cards

Blighty researchers head to Vegas to show 'em how

5 things you didn’t know about cloud backup

Black Hat 2012 Retail Chip and PIN devices might easily be attacked using a specially prepared chip-based credit card, according to security researchers.

Researchers from British IT security company MWR InfoSecurity demonstrated the attack at a session during the Black Hat Security Conference in Las Vegas on Wednesday. MWR purchased the smartcards used in its demo for £40.

The researchers showed how a specially prepared chip-based credit card might be used to pay for an item. The PIN Pad device produces a receipt that appears to authorise the payment that is never actually processed, thereby exposing merchants to fraud.

In a second demonstrated attack scenario, researchers showed how a specially prepared card containing malware can be used to infect a PIN entry device, installing code capable of harvesting card numbers and PINs from cards subsequently used on the compromised terminal. The attacker might be able to return later with another malicious card in order to collect harvested numbers and PINs before cleaning off the malware.

Cloned cards might subsequently be produced with counterfeit magnetic stripes. These cards might be used to withdraws funds from ATMs in countries where Chip and PIN is yet to be introduced.

MWR InfoSecurity has also identified examples of network and interface attacks, similar to those reported by German researchers SR labs on other devices recently. The Basingstoke-based firm found the flaws during its ongoing research into secure payment technologies.

A statement by MWR InfoSecurity on its research was lacking in detail and no one from the firm could be reached for additional comment at the time of going to press. However, in a radio interview, Professor Ross Anderson of Cambridge University told the BBC that the MWR has built on its earlier research into the security of PIN entry devices.

Anderson described the work as "impressive". "We had already known that you could disrupt the operation of a payment terminal by inserting a malicious programmed smartcard but what MWR has done is to develop this into an exploitable attack. It's yet another vulnerability in the Chip and PIN system."

MWR has notified the vendors involved – more than one is undertood to be affected – but is withholding names and other details because the devices concerned are currently being used at thousands of retail outlets in the UK and around the world. It is urging an industry-wide review of retail Chip and PIN entry devices.

Don't Panic

In a statement, the UK Cards Association said it was investigating the attack scenario while stressing that no attack of this type has actually been recorded.

We are currently assessing the implications of research by MWR InfoSecurity which, on the face of it, outline a possible means of attack on PIN entry devices. Those seeking to commit fraud are constantly searching for new ways to breach the security of the payments system and we take all threats very seriously.

The attack described targets point-of-sale card acceptance devices in retail outlets. It is not an attack on chip cards themselves (including contactless cards) or cash machines.

Importantly, we have no evidence of this type of attack occurring, either in the UK or anywhere else in the world where chip & PIN is in use. That said, working with partners across the industry, we are urgently identifying measures to exclude any risks.

Levels of card fraud are at their lowest since 2000. Card holders who are the innocent victims of fraud have excellent legal protection, meaning they will not suffer any financial loss as a result.

Ian Shaw, managing director of MWR InfoSecurity, said in a statement that the lack of security in Chip and PIN machines is putting millions of businesses around the globe at potential risk.

"Whilst criminal attacks are unlikely to be happening on a widespread basis currently, the vulnerabilities exist and previous patterns suggest that attacks like this are only a matter of time," Shaw said. "We test a lot of technology used in sensitive banking and retail payment environments and were surprised at how vulnerable many PIN Pads are to these kinds of attacks." ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.