Chip-and-PIN under attack

Chip-and-PIN under attack

Security is questioned as researchers demonstrate simple tampering techniques

The security of Chip-and-PIN-equipped ATMs is being questioned following a demonstration at Cambridge University that the devices can be cracked.

Two widely deployed models of PIN Entry Devices (PEDs) fail to protect customers' card details and PINs adequately, according to the researchers.

By attaching a recording device to the PED, criminals can record account details and use the information along with counterfeit cards.

"We have successfully demonstrated this attack, on a real terminal borrowed from a merchant," Cambridge researcher Steven Murdoch told Computing.

"At first, we thought this would be a straightforward study, but a number of issues have come up, such as inefficient certification procedures," he said.

Visa and UK trade payments association Apacs certified the devices currently in use as secure and evaluators did not find the flaws identified by the Cambridge team.

The credit card company and the trade body claimed the devices were evaluated under the Common Criteria, an international evaluation scheme administered in the UK by the Government Communications Headquarters (GCHQ).

But GCHQ was unaware of the work and now says that the devices were never certified under the Common Criteria, said Murdoch.

And the problem is not limited to the banking industry, said Cambridge professor of Security Engineering Ross Anderson.

"Other fields, from as voting machines to electronic medical record systems, suffer from the same combination of stupid mistakes, sham evaluations and obstructive authorities," he said.

"Where the public are forced to rely on the security of a system, we need honest security evaluations that are published and subjected to peer review."