Feeds

Chip and PIN keypads 'easily fooled' with counterfeit cards

Blighty researchers head to Vegas to show 'em how

Choosing a cloud hosting partner with confidence

Black Hat 2012 Retail Chip and PIN devices might easily be attacked using a specially prepared chip-based credit card, according to security researchers.

Researchers from British IT security company MWR InfoSecurity demonstrated the attack at a session during the Black Hat Security Conference in Las Vegas on Wednesday. MWR purchased the smartcards used in its demo for £40.

The researchers showed how a specially prepared chip-based credit card might be used to pay for an item. The PIN Pad device produces a receipt that appears to authorise the payment that is never actually processed, thereby exposing merchants to fraud.

In a second demonstrated attack scenario, researchers showed how a specially prepared card containing malware can be used to infect a PIN entry device, installing code capable of harvesting card numbers and PINs from cards subsequently used on the compromised terminal. The attacker might be able to return later with another malicious card in order to collect harvested numbers and PINs before cleaning off the malware.

Cloned cards might subsequently be produced with counterfeit magnetic stripes. These cards might be used to withdraws funds from ATMs in countries where Chip and PIN is yet to be introduced.

MWR InfoSecurity has also identified examples of network and interface attacks, similar to those reported by German researchers SR labs on other devices recently. The Basingstoke-based firm found the flaws during its ongoing research into secure payment technologies.

A statement by MWR InfoSecurity on its research was lacking in detail and no one from the firm could be reached for additional comment at the time of going to press. However, in a radio interview, Professor Ross Anderson of Cambridge University told the BBC that the MWR has built on its earlier research into the security of PIN entry devices.

Anderson described the work as "impressive". "We had already known that you could disrupt the operation of a payment terminal by inserting a malicious programmed smartcard but what MWR has done is to develop this into an exploitable attack. It's yet another vulnerability in the Chip and PIN system."

MWR has notified the vendors involved – more than one is undertood to be affected – but is withholding names and other details because the devices concerned are currently being used at thousands of retail outlets in the UK and around the world. It is urging an industry-wide review of retail Chip and PIN entry devices.

Don't Panic

In a statement, the UK Cards Association said it was investigating the attack scenario while stressing that no attack of this type has actually been recorded.

We are currently assessing the implications of research by MWR InfoSecurity which, on the face of it, outline a possible means of attack on PIN entry devices. Those seeking to commit fraud are constantly searching for new ways to breach the security of the payments system and we take all threats very seriously.

The attack described targets point-of-sale card acceptance devices in retail outlets. It is not an attack on chip cards themselves (including contactless cards) or cash machines.

Importantly, we have no evidence of this type of attack occurring, either in the UK or anywhere else in the world where chip & PIN is in use. That said, working with partners across the industry, we are urgently identifying measures to exclude any risks.

Levels of card fraud are at their lowest since 2000. Card holders who are the innocent victims of fraud have excellent legal protection, meaning they will not suffer any financial loss as a result.

Ian Shaw, managing director of MWR InfoSecurity, said in a statement that the lack of security in Chip and PIN machines is putting millions of businesses around the globe at potential risk.

"Whilst criminal attacks are unlikely to be happening on a widespread basis currently, the vulnerabilities exist and previous patterns suggest that attacks like this are only a matter of time," Shaw said. "We test a lot of technology used in sensitive banking and retail payment environments and were surprised at how vulnerable many PIN Pads are to these kinds of attacks." ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
China is ALREADY spying on Apple iCloud users, watchdog claims
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.