Researchers at the University of Cambridge have demonstrated how a chip-and-pin terminal used to authenticate credit and debit card transactions can be compromised to steal sensitive data.
For the proof-of-concept hack, the researchers opened up one of the supposedly tamper-proof terminals, replaced its internal hardware with their own, put it back together without any external evidence of tampering and then got the machine to play Tetris.
The demonstration has been posted on YouTube.
“We demonstrated that with the new hardware, everything is under our control the card reader, the LCD display and the keypad,” said Saar Drimer, one of the researchers involved in the demonstration.
Chip-and-pin transactions are supposed to be far more secure than transactions using credit and debit cards based on traditional magnetic stripe technology and signature-based authentication. Chip-and-pin transactions involve the use of credit and debit cards with embedded microchips that are authenticated using a personal identification number.
Retailers in the UK began rolling out the technology in 2003.
The proof-of-concept hack showed how all components of the pin pads used to authenticate such transactions could be made to interact and respond to input from one another, Drimer said in emailed comments late last week. “This means that the card reader can read information from the chip and display it on the screen. The data from the keypad, such as a pin, can also be recorded,” Drimer said.
Creating fake terminals is not all that difficult and doesn’t require more than a “moderate” technical competency, Drimer said. “The environment in which such terminal would be placed will vary, but can be done potentially anywhere where strict mechanisms are not enforced to prevent it,” he said.
Last March, the same security group at Cambridge University demonstrated a chip-and-pin terminal interceptor technology capable of listening in on the communication between the card and the terminal and then modifying the transaction. “Our current demonstration simply created a legitimately looking, fake terminal that emulates a real one,” Drimer said.
Sandra Quinn, a spokeswoman for APACS http://www.apacs.org.uk/, a UK trade association for the payment industry, said the demonstration highlights a hypothetical situation – not one that is easily replicated in a retail environment.
“What essentially the computer experts at Cambridge University have managed to do is take a terminal out of its natural environment and replace its innards and make it play computer games,” she said. While such tampering might be possible in a laboratory setting, it is not a realistic threat to retailers, according to Quinn. The same has proved true of the interceptor technology demonstrated last year, she said.
At the same time, such hacks show that chip-and-pin terminals are not fail safe, she acknowledged. “We only said they were tamper-resistant, not tamper-proof,” Quinn said.
In May 2006 petrol giant Shell had to suspended chip-and-pin payments in 600 UK petrol stations after more than £1 million was siphoned out of customers’ accounts.
Quinn noted that since the UK began rolling out chip-and-pin technologies in 2003, retail fraud at the point-of-sale system has been dropping. Chip-and-pin has been highly successful in fighting retail-based fraud, which fell 43 per cent in the first half of 2006,” compared with the same period in 2005, she said. For the first half of 2006, retail fraud occurring at point-of-sale systems dropped to just over $81.7m (£42.3m), in comparison with more than $142m (£73.1m) in 2005.
“What is true is that chip-and-pin is not the silver bullet for all card fraud,” Quinn said. “But we are confident that shoppers can continue to use chip-and-pin on High Street with confidence.”
Counterfeit card fraud – Most cases of counterfeit fraud involve skimming, a process where the data on a card’s magnetic stripe is electronically copied onto another card, without the cardholder’s knowledge.
Card-not-present (CNP) fraud – fraud conducted over the internet, by telephone, fax and mail order. It is perpetrated when criminals obtain card details through the theft of your card details. It is the most common type of card fraud in the UK.
Mail non-receipt card fraud – this is when the card is stolen in transit, after being sent out to you from your bank. At particular risk for this type of fraud are properties with communal letterboxes, such as student halls of residence.
For more information on fraud – including the types, levels and what is being done to combat it – can be found at this website.