“Saar Drimer, Steven J. Murdoch and Ross Anderson, researchers at the Computer Laboratory, University of Cambridge, have shown that Chip & PIN machines are not as secure as the banking industry claims. Two widely deployed models of PIN Entry Devices (PEDs), the Ingenico i3300 and Dione Xtreme, fail to protect customers’ card details and PINs adequately.
Fraudsters can easily attach to the PED a “tap” that records PIN and account details as they are transmitted between the card and the PIN pad. Armed with this information, fraudsters can create a counterfeit card and withdraw cash from ATMs abroad.
Murdoch says, “We have successfully demonstrated this attack, on a real terminal borrowed from a merchant.”
Criminals are already using techniques similar to these to defraud British customers, with losses in one case alone claimed to be in eight figures. The technical sophistication required to carry out this attack is low, and fraudsters have already shown they have the necessary skills. The tap would not normally be visible to customers, and in the case of the Ingenico PED it could be totally enclosed by the device.” (www.cl.cam.ac.uk)
Watch the video below for more information on this issue.
