Oh, great!

February 28th, 2008

Chip & PIN terminals vulnerable to simple attacks:

February 26th, 2008 at 20:33 UTC by Saar Drimer

Steven J. Murdoch, Ross Anderson and I looked at how well PIN entry devices (PEDs) protect cardholder data. Our paper will be published at the IEEE Symposium on Security and Privacy in May, though an extended version is available as a technical report. A segment about this work will appear on BBC Two’s Newsnight at 22:30 tonight.

We were able to demonstrate that two of the most popular PEDs in the UK — the Ingenico i3300 and Dione Xtreme — are vulnerable to a “tapping attack” using a paper clip, a needle and a small recording device. This allows us to record the data exchanged between the card and the PED’s processor without triggering tamper proofing mechanisms, and in clear violation of their supposed security properties. This attack can capture the card’s PIN because UK banks have opted to issue cheaper cards that do not use asymmetric cryptography to encrypt data between the card and PED. […]

(For UK-based readers, the Newsnight program referred to is available at the BBC iPlayer for another four days.)

I recognise both those Chip & PIN terminals from the photos in Saar Drimer’s post: pretty much every shop I visit on a regular basis seems to use one or the other of them.

[Via Qwghlm]

This entry was posted on Thursday, February 28th, 2008 at 12:02 am. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.

Oh, great!

February 28th, 2008

This entry was posted on Thursday, February 28th, 2008 at 12:02 am. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.

Leave a Reply

Search

Recent Comments