Credit Card Readers are Vulnerable to Attacks: two popular PEDs in the UK have issues
Posted February 29th, 2008 by Alex Ion
Cambridge University’s computer security lab has discovered vulnerabilities in two popular card readers, the Ingenico i3300 and the Dione Xtreme, that make them easy prey for attackers because they fail to protect the card details and the PIN.
This means that fraudsters with common technical skills could easily place a data-tapping circuit between the inserted card and the reading circuit, allowing them to record the account number or the PIN. With these details an attacker would have everything needed to clone the card and then withdraw cash from an ATM abroad.
The three researchers who worked on the case, Saar Drimer, Steven J Murdoch and Ross Anderson, are not on very good terms with the banks, mainly because they are trying to demonstrate that chip and PIN systems have security issues. The big issue is that the data transmitted between the PED and the card is not encrypted.
“The attacks that we’ve shown have demonstrated that it’s easy to get the PIN as well as the card data out of chip and PIN terminal - and this means that simply holding your hand over the terminal is no good, in other words the customer cannot defend himself or herself no matter how astute and careful they are - therefore surely the banks need to take responsibility,” said Professor Ross Anderson in an interview with NewsNight.
Though the findings are real, the Scottish PED maker Ingenico assured customers that the products the Cambridge University researchers talk about are among the most secure on the market and that they helped reduce credit-card fraud by 47% year-by-year. They also said that the way Anderson and his team hacked the PEDs is not as basic as the researchers suggested and that the “method is therefore not reproducible on a large scale, nor does it take into account the fraud monitoring used throughout the industry.”
I think Ingenico is running from responsibility and here’s the “How secure is Chip and PIN?” video from NewsNight that demonstrates what Professor Anderson and his staff found out.


