Chip-and-Pin Vulnerable To Subtle Trickery 64
An anonymous reader writes "Cambridge University researchers, in an investigation for BBC Television's Watchdog programme, have demonstrated a man-in-the-middle attack for the chip-and-pin credit card security system used throughout the UK and Europe. In the attack, the card is inserted into a card-reader that has been tampered with, and the information transmitted in real-time to an accomplice who uses a specially modified card to make a higher-value purchase elsewhere. The modified card-reader shows only the expected amount, but the larger amount is deducted from the victim's bank account. It would not be easy to use this method in practice because the two transactions must be made simultaneously. The same team recently demonstrated a hacked chip-and-pin terminal playing Tetris."
attack easly detected (Score:4, Interesting)
The attack is proof of concept, but it leaves too much of a trail.
nothing new here (Score:2, Interesting)
Re:The Tetris hack was a fake (Score:3, Interesting)
The there is no connection between the bank and the card-reader that has been tampered with. As far as the bank is able to see, there has been a legitimate transaction for £2000. As far as the victim sees, the transaction is for only £20 (until he receives his statement one month later).
The point is: the actual transaction is £2000. The trickery is making the victim believe he is authorising a transaction of only £20 by presenting him with a fake terminal.
I believe also that this hack does not allow the card to be copied. My guess is that there is a one-time transaction code that the researchers cannot (yet) reproduce - remember this is a man-in-the-middle attack. That's why the victim's apparent authorisation of the £20 has to coincide with the real authorisation of the £2000.
I don't get it (Score:3, Interesting)
I think Bruce Schneier's paper [schneier.com] said it best. Sure the card is trustworthy, but when you're using any kind of smartcard, the card isn't the trust boundary. The card plus the computer (or pinpad in this case) that you're using it on is your trusted device conglomerate.
I think the real demonstration of this attack is that pinpads have vulnerabilities. Even that isn't earth-shattering. So does everything else where physical access is granted.
Which isn't to say that it isn't newsworthy (people should definitely be careful where they stick their card), but it does feed into idea #4 on the six dumbest ideas in computer security [ranum.com].