杏吧原创

How secure are credit-card devices?

Point-of-sale machines designed to verify credit and debit cards using a PIN may be vulnerable to hardware attacks that allow crooks to steal PINs

THE point-of-sale machines designed to verify chip-and-PIN credit and debit cards may be vulnerable to hardware attacks that allow crooks to steal PINs.

Ross Anderson, Saar Drimer and Steven Murdoch at the University of Cambridge computer security lab discovered that it is possible to attach a simple data-tapping circuit between an inserted card and the reading circuit of two common PIN entry devices (PEDs) 鈥 made by Ingenico and Dione. This could allow someone to record both the account number and the PIN. 鈥淎rmed with this, fraudsters can counterfeit cards and withdraw cash from ATMs [in countries without chip-and-PIN systems],鈥 says Anderson. 鈥淲e have successfully demonstrated the attack,鈥 he adds.

鈥淭hese PEDs fail to protect the communication path that carries data from the card to the PIN keypad, and that carries the PIN from the keypad back to the card,鈥 says Drimer.

鈥淭he devices fail to protect the path carrying the card data to the keypad鈥

The researchers say that little technical sophistication is required to carry out the attack. They also question the system under which PEDs are certified as secure.

PEDs are supposed to be evaluated under a checking regime called the 鈥渃ommon criteria鈥, originally developed by the UK Government Communications Headquarters (GCHQ) in Cheltenham, Gloucestershire. However, the Cambridge team says GCHQ, which licenses UK labs to carry out security checks, has no evidence that such checks were performed on the Ingenico and Dione devices. And because it is possible for the extra data-tapping circuitry to be attached to the devices, they do not meet common criteria standards, the researchers say. They are calling for the vendors to withdraw the two PEDs in question until the alleged flaws are fixed.

But Ingenico, which is based in Edinburgh, UK, says its devices 鈥渞emain among the most secure terminals on the market鈥 and disputes the researchers鈥 claim that their attack was of low sophistication. 鈥淭he method identified by the Cambridge University team requires specialist knowledge and has inherent technical difficulties,鈥 the company says in a statement. 鈥淭his method is therefore not reproducible on a large scale, nor does it take into account the fraud monitoring used throughout the industry.鈥

Computer Viruses 鈥 Learn more about the threats to your PC in our comprehensive .