New Attack From The Makers Of Chip And PIN Tetris

from the swipe dept

The same researchers who, last month, made a Chip and PIN payment terminal play a game of Tetris are back with a new, more serious claim about the vulnerability of this widespread payment system in the UK. Chip and PIN is a fairly straightforward system that requires a customer to swipe a card (that contains the chip) and then enter a PIN, to verify that they're the proper holder of the card. The researchers say that if attackers were able to place a phony terminal in a store or restaurant, then they could execute a fraudulent transaction at another location, simultaneously, on a customer's account. From a technical standpoint, it's an impressive attack, but from a practical standpoint, it doesn't seem particularly worrisome. Even if we assume that the attackers would be able to put a phony terminal somewhere without it being noticed, the attack would be of limited profitability. Because the fraudulent transaction would have to be done simultaneously, while the legitimate shopper is making a purchase, the attacker couldn't make repeat purchases on someone else's card. For it to be successful, the attacker would have to be browsing for a high-value item, like a diamond, and then be prepared to instantly pay for the purchase as soon as they get the signal. This doesn't seem likely at all. Security researchers, in their rhetoric, often say that the key to security is not technical, but in understanding the human element. However, like the concerns about the iPod+Nike unit that was said to be a threat to privacy, this threat seems mainly technical. While the researchers have demonstrated something interesting, that may warrant further investigation into the system's weaknesses, it doesn't look like a major cause for alarm.

Reader Comments


  1. Bumbling old fool, 6 Feb 2007 @ 7:05pm

    Re:

    Wrong, they cannot clone the card just by reading it. The cards never make their key known, they only answer an encrypted question with an encrypted answer.

    That "scam" is indeed prevalent, but only with magnetic strips, it can't be done so simply with chips.
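The challenge-response behaviour the commenter describes, as an added illustrative example (this is not code from Techdirt or from the researchers): the card holds a key it never exports and only answers a fresh challenge, so a reader that records one exchange learns nothing it can reuse. The example assumes a simplified HMAC-SHA256 response in place of the card's real cryptogram, and the `Card`, `Issuer`, `honest_transaction`, `skimmer_replay` and `demo` names are the example's own.

```python
"""Constructed demonstration of card-side challenge-response authentication.

Simplification (assumption): a real chip card computes a cryptogram over
transaction data with a card-specific key; here an HMAC-SHA256 over a
random challenge stands in for that cryptogram.
"""
import hashlib
import hmac
import os


class Card:
    """Holds a secret key that is never exported; it only answers challenges."""

    def __init__(self, key: bytes) -> None:
        self._key = key  # assumption: personalised at issuance, never readable

    def respond(self, challenge: bytes) -> bytes:
        # The only thing the card ever emits is a keyed digest of the challenge.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Issuer:
    """Knows the same key and verifies a response against the challenge it issued."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def fresh_challenge(self) -> bytes:
        # Unpredictable nonce: a response recorded earlier will not match it.
        return os.urandom(8)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def honest_transaction(card: Card, issuer: Issuer) -> bool:
    """The terminal passes a fresh challenge to the card and the answer back."""
    challenge = issuer.fresh_challenge()
    return issuer.verify(challenge, card.respond(challenge))


def skimmer_replay(card: Card, issuer: Issuer) -> bool:
    """A rogue reader records one (challenge, response) pair from the card and
    later submits the recorded response in a separate transaction.  The issuer
    has issued a different challenge by then, so verification fails."""
    recorded_challenge = issuer.fresh_challenge()
    recorded_response = card.respond(recorded_challenge)  # all the reader ever sees
    later_challenge = issuer.fresh_challenge()
    return issuer.verify(later_challenge, recorded_response)


def demo() -> dict:
    """Run the three cases and return their outcomes."""
    key = os.urandom(16)  # constructed card key for the demonstration
    card, issuer = Card(key), Issuer(key)
    return {
        "honest": honest_transaction(card, issuer),           # True
        "replay": skimmer_replay(card, issuer),               # False
        "wrong_key": honest_transaction(Card(bytes(16)), issuer),  # False
    }


if __name__ == "__main__":
    print(demo())
```

Note what this check does and does not cover: a response is bound to the challenge it answers, so a recorded exchange is useless later, which is the commenter's point about cloning. The article's relay scenario is different: the card there is answering a live challenge forwarded from another location, which is exactly why that attack only works while the genuine card is present and the two transactions happen simultaneously.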
