New Attack From The Makers Of Chip And PIN Tetris

from the swipe dept

The same researchers who, last month, made a Chip and PIN payment terminal play a game of Tetris are back with a new, more serious claim about the vulnerability of this widespread payment system in the UK. Chip and PIN is a fairly straightforward system that requires a customer to swipe a card (that contains the chip) and then enter in a PIN, to verify that they're the proper holder of the card. The researchers say that if attackers were able to place a phony terminal in a store or restaurant, then they could execute a fraudulent transaction at another location, simultaneously, on a customer's account. From a technical standpoint, it's an impressive attack, but from a practical standpoint, it doesn't seem particularly worrisome. Even if we assume that the attackers would be able to put a phony terminal somewhere, without it being noticed, the attack would be of limited profitability. Because the fraudulent transaction would have to be done simultaneously, while the legitimate shopper is making a purchase, the attacker couldn't make repeat purchases on someone else's card. For it to be successful, the attacker would have to be browsing for a high-value item, like a diamond, and then be prepared to instantly pay for the purchase as soon as they get the signal. This doesn't seem likely at all. Security researchers, in their rhetoric, often say that the key to security is not technical, but in understanding the human element. However, like the concerns about the iPod+Nike unit that was said to be a threat to privacy, this threat seems mainly technical. While the researchers have demonstrated something interesting, that may warrant further investigation into the system's weaknesses, it doesn't look like a major cause for alarm.

Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    fuse5k, 7 Feb 2007 @ 2:32am

    Last night in the uk Watchdog (consumer TV program)Did the trick in question.

    They had someone buy a load of books, as the victim was paying for coffee elsewhere.

    Chip and pin is a mess, the only reason why banks are putting it in place is to reduce their fraud outgoings.


    When you had to sign for things, if your card was stolen and used, then the bank had to pay you back the money that was taken.

    However if someone uses the pin, you are deemed to have been negligent, and the bank doesnt have to pay out a penny.

    Safer, my arse... The only thing that is safer is the bank's profits...

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.