‘Chip and PIN’ Not Secure Enough, Researchers Demonstrate
Two researchers in the U.K. have demonstrated a way to defeat the payment security scheme in which a cardholder keys in a four-digit PIN to authorise a credit or debit card transaction. In the first week of February this year they showed that a cardholder's card and PIN, presented during what looks like an ordinary transaction, can be used at that same moment to authorise an unauthorised purchase somewhere else.
Saar Drimer and Steven Murdoch of the University of Cambridge Computer Laboratory showed how a supposedly secure Chip and PIN transaction can be compromised by relaying the dialogue between a genuine terminal and a fake card on to a real card held elsewhere.
Chip and PIN is the card-payment security scheme rolled out nationwide in the U.K. in 2006.
In the attack Drimer and Murdoch demonstrated, a tampered card reader is installed in a restaurant. When the customer inserts a card and enters the PIN, the fake reader does not process the payment itself: it records the PIN and relays the card's side of the chip dialogue, over a wireless link, to a laptop nearby.
An accomplice elsewhere holds a fake card whose chip has been removed and replaced by wires running to a second laptop. He inserts this card into a genuine reader at another shop and types in the captured PIN. Every command that the genuine reader sends to the fake card is forwarded to the real card sitting in the restaurant reader, and the real card's responses, including the cryptogram the bank checks, travel back the same way. The bank therefore sees a valid transaction from the customer's card and debits the customer's account for whatever the accomplice is buying.
Because the data is simply relayed from one terminal to the other, the criminals do not have to break into any system or decrypt anything: the real card does all the cryptography for them.
The banks behind the Chip and PIN scheme say they have seen no evidence of this kind of fraud against credit or debit cards.
The researchers admit that the attack only works with close coordination between the two accomplices, but believe the demonstration is enough to warrant a re-evaluation of the security of the Chip and PIN system.
Drimer and Murdoch said the attack exploits the fact that a terminal cannot tell whether the card it is talking to is really in its slot, and that on the basis of those technical details they have developed distance-bounding protocols, which time the card's responses to detect the delay a relay introduces, that could ward off such attacks.
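To make the mechanism concrete, here is an added example (not from the article and not the researchers' own code) that models the relayed transaction described above together with the timing check on which their countermeasure rests. Everything in it is assumed for illustration: the HMAC stands in for the card's real cryptogram, the card number, key, PIN and amounts are made up, and the microsecond latencies and the 50 µs bound are invented numbers chosen only so that a relayed card is measurably slower than one in the slot.

```python
import hashlib
import hmac
import os


class VirtualClock:
    """Simulated microsecond clock, so the timing check is deterministic."""
    def __init__(self):
        self.now_us = 0
    def advance(self, us):
        self.now_us += us


class Card:
    """Genuine chip card. Its key never leaves the chip: the card only returns a
    MAC (stand-in for the EMV cryptogram) over the data the terminal presents,
    checks the PIN, and echoes a distance-bounding challenge."""
    def __init__(self, pan, key, pin):
        self.pan, self.key, self.pin = pan, key, pin
    def handle(self, cmd, payload):
        if cmd == "VERIFY":
            return b"\x90\x00" if payload == self.pin else b"\x63\xc0"
        if cmd == "GENERATE_AC":  # payload = amount || terminal nonce
            return hmac.new(self.key, self.pan + payload, hashlib.sha256).digest()
        if cmd == "PING":  # distance-bounding challenge: echo the nonce
            return payload
        raise ValueError("unknown command %r" % cmd)


class DirectInterface:
    """A card really in the slot: 2 us (assumed) per command on the contacts."""
    def __init__(self, clock, card, contact_us=2):
        self.clock, self.card, self.contact_us = clock, card, contact_us
    def send(self, cmd, payload):
        self.clock.advance(self.contact_us)
        return self.card.handle(cmd, payload)


class RelayInterface:
    """The wired fake card. Each command from the genuine terminal is forwarded
    over the attackers' radio link (assumed 150 us per hop) to the fake reader
    holding the victim's real card, and the answer is carried back unchanged."""
    def __init__(self, clock, far_end, hop_us=150):
        self.clock, self.far_end, self.hop_us = clock, far_end, hop_us
    def send(self, cmd, payload):
        self.clock.advance(self.hop_us)  # genuine terminal -> laptop -> fake reader
        resp = self.far_end.send(cmd, payload)  # the real card does the work
        self.clock.advance(self.hop_us)  # and its answer travels back
        return resp


def issuer_authorise(card_keys, pan, payload, cryptogram):
    """Bank side: recompute the MAC with the key personalised onto that card."""
    expected = hmac.new(card_keys[pan], pan + payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, cryptogram)


def run_transaction(clock, iface, card_keys, pan, amount_pence, pin, bound_us=None):
    """Genuine terminal logic. With bound_us set it first times a challenge/echo
    round trip and refuses any card that answers too slowly to be in the slot."""
    if bound_us is not None:
        nonce = os.urandom(4)
        t0 = clock.now_us
        echoed = iface.send("PING", nonce)
        rtt = clock.now_us - t0
        if echoed != nonce or rtt > bound_us:
            return {"approved": False, "reason": "relay suspected", "rtt_us": rtt}
    if iface.send("VERIFY", pin) != b"\x90\x00":
        return {"approved": False, "reason": "PIN rejected"}
    payload = amount_pence.to_bytes(4, "big") + os.urandom(4)
    cryptogram = iface.send("GENERATE_AC", payload)
    approved = issuer_authorise(card_keys, pan, payload, cryptogram)
    return {"approved": approved, "reason": "issuer", "amount_pence": amount_pence}


def setup():
    """Constructed victim: one card, the issuer's key table, and the PIN the fake reader records."""
    clock = VirtualClock()
    pan, key, pin = b"5412345678901234", os.urandom(16), b"1234"  # all made up
    return clock, pan, {pan: key}, Card(pan, key, pin), pin


def relayed_purchase(bound_us=None):
    """Victim's card in the restaurant's fake reader, the wired fake card at a
    genuine terminal elsewhere buying for 2,000.00 with the captured PIN."""
    clock, pan, card_keys, card, captured_pin = setup()
    fake_card = RelayInterface(clock, DirectInterface(clock, card))
    return run_transaction(clock, fake_card, card_keys, pan, 200_000, captured_pin, bound_us)


def honest_purchase(bound_us=None):
    """The same card really in the slot of a genuine terminal, paying 12.50."""
    clock, pan, card_keys, card, pin = setup()
    return run_transaction(clock, DirectInterface(clock, card), card_keys, pan, 1_250, pin, bound_us)
```

Calling relayed_purchase() gets the accomplice's 2,000.00 purchase approved, because the cryptogram genuinely came from the victim's card; calling relayed_purchase(bound_us=50) gets it refused, because the challenge took 302 simulated microseconds to come back instead of the 2 a card in the slot needs, while honest_purchase(bound_us=50) still passes. The bound works because it measures where the card is, which is something no amount of cryptography on the card itself can tell the terminal.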
Related article: “Loopholes did not cause online banking thefts”: ICBC
» SPAMfighter News - 14-02-2007