Click here
Click here
Sections
Menu
Text size
A | A | A
Click here
Retail Job Search

4688 jobs online

Job title
Location
Minimum salary
More retail jobs >>
Suppliers Guide Search
Search for a supplier...
RSS feeds
RSS News feed ePaynews
RSS News feed Retail News

UK Researchers Say Chip Card Terminal Cracked

Two Cambridge University computer security researchers say they have found a way to steal cardholder information from EMV chip card terminals.

As part of an EMV security project, the researchers, Saar Drimer and Steven Murdoch, bought a chip card terminal on eBay. They then opened up the terminal and removed its original circuitry apart from the keypad and LCD screen.

The researchers inserted their own hardware into the terminal, including a chip card reader. They say they were then able to read the cardholder information stored on an EMV cardÆs chip and capture the associated PIN.

But a spokesperson for UK payments body APACS, tells epaynews, "the terminal used in this research was not a chip-and-PIN terminal, but an older chip-and-signature machine." The first generation of EMV cards in the UK was known as chip-and-signature cards, as, instead of using a PIN for authentication, they still required a signature. The current generation, known as chip-and-PIN cards, requires the cardholder to enter a PIN.

"As a chip-and-signature terminal, the device has none of the tamper-responsive switches designed to protect a PINpad,ö says APACS Sandra Quinn. "The manufacturers stopped shipping this particular device type in 2002."

Drimer says APACS is missing the point. "How can customers tell whether a terminal they are presented with is a real chip-and-PIN terminal or a chip-and-signature terminal?ö he says. "The question is: will people insert their card into that terminal and punch in their PIN? The answer is yes."

The researchers say they were able to tamper with the terminal without giving any sign that its internal electronics had been altered. This means that cardholders could use a terminal in a store that had been tampered with by a dishonest employee, without realizing their card information was being stolen, he warns.

"We captured all the information needed to produce a magnetic-stripe card, which along with the PIN, will still work in many ATMs to withdraw cash," says Murdoch. "This information could also be used to create a fake chip card, which would work in offline, but not online, point-of-sale transactions."

In an offline chip-and-PIN transaction, the POS terminal does not go online to the acquirer to authenticate the card. Authentication takes place solely through the cardholder entering their PIN in an offline transaction.

"This (research) shows one vulnerability that all electronic PINpads suffer from," says Anthony Pickup, an EMV specialist with UK firm ConsultHyperion. "The issue is how much time and cost is required to ensure that any tamper-resistant device is rebuilt in order to look as if it has not been altered."

Related Links
Chiip and Spin (PDF)
Chip & PIN terminal playing Tetris
www.apacs.org.uk
Consult Hyperion
Tesco Self-scanning Tills "Open to Fraud"
Israeli Researchers Warn of PIN Security Flaws
PricewaterhouseCoopers Backs Rival to Chip-and-PIN
Add a comment
Your name:
Comment:
 
 
Enter the characters from the image above
 
Printer friendly version  |  Email to a friend
Add to Technorati Add to del.icio.us bookmarks Digg this Post this story to Blinklist Post this story to Furl Post this story to Reddit Post this story to Newsvine Post this story to Slashdot Post this story to StumbleUpon Bookmark with Google Post this story to Facebook