New Attack From The Makers Of Chip And PIN Tetris

from the swipe dept

The same researchers who, last month, made a Chip and PIN payment terminal play a game of Tetris are back with a new, more serious claim about the vulnerability of this widespread UK payment system. Chip and PIN is a fairly straightforward system: the customer inserts a card containing a chip into the terminal and then enters a PIN to prove that they are the proper holder of the card. The researchers say that if attackers were able to place a phony terminal in a store or restaurant, they could relay the card's session to an accomplice elsewhere and execute a fraudulent transaction on the customer's account at that other location, at the same moment. From a technical standpoint, it's an impressive attack, but from a practical standpoint, it doesn't seem particularly worrisome. Even if we assume that the attackers could put a phony terminal somewhere without it being noticed, the attack would be of limited profitability. Because the fraudulent transaction has to happen simultaneously, while the legitimate shopper is making a purchase, the attacker couldn't make repeat purchases on someone else's card. For it to be successful, the attacker would have to be browsing for a high-value item, like a diamond, and be prepared to pay for it the instant the signal arrives. This doesn't seem likely at all. Security researchers, in their rhetoric, often say that the key to security is not technical, but in understanding the human element. However, like the concerns about the iPod+Nike unit that was said to be a threat to privacy, this threat seems mainly technical. While the researchers have demonstrated something interesting, which may warrant further investigation into the system's weaknesses, it doesn't look like a major cause for alarm.
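To make the attack described above concrete, here is a small simulation of the relay (an added example, not code from the article or from the researchers). It models the victim's chip card, a fake restaurant terminal that captures the PIN and forwards commands, a fake card in an accomplice's hand at a jeweller, and the jeweller's genuine terminal with the card issuer behind it. The card signs whatever transaction data the terminal hands it, so the relayed £4,000 purchase verifies as genuine. The cryptogram is a plain HMAC standing in for the EMV application cryptogram, the clock is simulated, and the optional round-trip bound at the end is an illustrative distance-bounding check that the article does not discuss; all names, keys, amounts and timings are constructed.

```python
"""Relay attack on a Chip and PIN transaction, simulated end to end.
Added example, not from the article. Keys, PINs, merchants, amounts and
timings are constructed; the HMAC stands in for the EMV cryptogram."""
import hashlib
import hmac
import os
from dataclasses import dataclass


class Clock:
    """Simulated clock (assumption) so the timing check is deterministic."""
    def __init__(self):
        self.ms = 0.0

    def now(self):
        return self.ms

    def advance(self, ms):
        self.ms += ms


@dataclass
class Card:
    pan: str
    key: bytes        # shared with the issuer, never leaves the chip
    pin: str
    clock: Clock
    processing_ms: float = 40.0

    def authorise(self, pin, tx):
        """Check the PIN, then MAC whatever transaction data the terminal
        presents. The chip cannot tell which merchant or amount the
        cardholder actually saw on a display."""
        self.clock.advance(self.processing_ms)
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            return None
        return hmac.new(self.key, tx, hashlib.sha256).digest()


def transaction_data(merchant, amount_pence, nonce):
    return f"{merchant}|{amount_pence}|{nonce.hex()}".encode()


class Issuer:
    def __init__(self, cards):
        self.keys = {c.pan: c.key for c in cards}

    def verify(self, pan, tx, cryptogram):
        if cryptogram is None or pan not in self.keys:
            return False
        expected = hmac.new(self.keys[pan], tx, hashlib.sha256).digest()
        return hmac.compare_digest(expected, cryptogram)


class RelayCard:
    """Fake card in the accomplice's hand at the jeweller. Each command is
    forwarded over a link to the fake terminal, which replays it to the
    victim's real card. The victim typed the PIN into the fake terminal, so
    the relay already holds it and ignores whatever the accomplice types."""
    def __init__(self, victim_card, captured_pin, clock, link_ms=150.0):
        self.pan = victim_card.pan
        self.victim = victim_card
        self.pin = captured_pin
        self.clock = clock
        self.link_ms = link_ms

    def authorise(self, _pin_typed_by_accomplice, tx):
        self.clock.advance(self.link_ms)   # jeweller -> restaurant
        cryptogram = self.victim.authorise(self.pin, tx)
        self.clock.advance(self.link_ms)   # restaurant -> jeweller
        return cryptogram


def run_transaction(merchant, amount_pence, card, pin, issuer, clock, max_rtt_ms=None):
    """Genuine terminal. Returns (approved, card_round_trip_ms). max_rtt_ms is
    an illustrative distance-bounding check (assumption, not in the article):
    a chip that answers too slowly is treated as not being in the slot."""
    tx = transaction_data(merchant, amount_pence, os.urandom(8))
    t0 = clock.now()
    cryptogram = card.authorise(pin, tx)
    rtt = clock.now() - t0
    if max_rtt_ms is not None and rtt > max_rtt_ms:
        return False, rtt
    return issuer.verify(card.pan, tx, cryptogram), rtt


def _setup():
    clock = Clock()
    victim = Card("4111111111111111", os.urandom(32), "1234", clock)
    return clock, victim, Issuer([victim])


def honest_demo(max_rtt_ms=None):
    """Victim's own card in a genuine restaurant terminal, paying 20 pounds."""
    clock, victim, issuer = _setup()
    return run_transaction("Restaurant", 2_000, victim, "1234", issuer, clock, max_rtt_ms)


def relay_demo(max_rtt_ms=None):
    """Victim inserts the card into the fake restaurant terminal; at the same
    moment the accomplice buys a 4,000 pound item at the jeweller."""
    clock, victim, issuer = _setup()
    relay = RelayCard(victim, captured_pin="1234", clock=clock)
    return run_transaction("Jeweller", 400_000, relay, "0000", issuer, clock, max_rtt_ms)


if __name__ == "__main__":
    print("honest  ", honest_demo())                # (True, 40.0)
    print("relayed ", relay_demo())                 # (True, 340.0)
    print("bounded ", relay_demo(max_rtt_ms=100))   # (False, 340.0)
```

The point the simulation makes is that nothing in the card's response ties it to the terminal the cardholder is looking at: the cryptogram is correct for the jeweller's data because the jeweller's data is what the card was asked to sign. The only signal the relay leaves behind in this model is the extra round-trip latency, which is why a timing bound at the genuine terminal (here a crude millisecond check; real distance bounding works at radio propagation timescales) is the usual countermeasure proposed for this class of attack.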

Reader Comments

  1. Anonymous Coward, 6 Feb 2007 @ 8:58pm

    A more complex, but simpler version

    If you had a fake card reader, one which sent the encrypted question once for, say, $4000, recorded the answer, sent the error code, and then asked for authorisation for, say, $40. The PIN can also be recorded by the handset, and a modified card written with the details. The man then, a week or a month or whenever, walks into a jeweller's and spends that much money, or, better still, goes into supermarkets and buys $10 worth of stuff and takes out the limit in cash. The only problem would be if the bank recorded cancelled transactions, in which case someone might realise what is going on.
