27 Feb 2008
The security of Chip-and-PIN-equipped ATMs is being questioned following a demonstration at Cambridge University that the devices can be cracked.
Two widely deployed models of PIN Entry Devices (PEDs) fail to protect customers' card details and PINs adequately, according to the researchers.
By attaching a recording device to the PED, criminals can record account details and use the information along with counterfeit cards.
"We have successfully demonstrated this attack, on a real terminal borrowed from a merchant," Cambridge researcher Steven Murdoch told Computing.
"At first, we thought this would be a straightforward study, but a number of issues have come up, such as inefficient certification procedures," he said.
Visa and UK trade payments association Apacs certified the devices currently in use as secure and evaluators did not find the flaws identified by the Cambridge team.
The credit card company and the trade body claimed the devices were evaluated under the Common Criteria, an international evaluation scheme administered in the UK by the Government Communications Headquarters (GCHQ).
But GCHQ was unaware of the work and now says that the devices were never certified under the Common Criteria, said Murdoch.
And the problem is not limited to the banking industry, said Cambridge professor of Security Engineering Ross Anderson.
"Other fields, from as voting machines to electronic medical record systems, suffer from the same combination of stupid mistakes, sham evaluations and obstructive authorities," he said.
"Where the public are forced to rely on the security of a system, we need honest security evaluations that are published and subjected to peer review."
Reports on fraud show that the government and banks should realise that their data protection and Chip and PIN systems are failing to deter fraudsters.
This shows that fraud will continue to grow until they exploit ID KEY system described on website www.xwave.co.uk to make signature and PIN systems reliable and foolproof.
Fake documents have made our signature system unreliable while skimmers and pin-hole cameras etc. have made PIN system unreliable. We have option to make signatures reliable by personalising them with ID stickers and option to use Card Key Code to make PIN system reliable to make use of stolen and skimmed cards meaningless. By ignoring to exploit this system banks are only letting fraud crimes grow.
ID KEY system will eliminate the need for us to protect our personal and card details since fraudsters will be deterred from misusing these stolen details.
Proposed ID KEY can be treated as a reliable international ID card because it will personalise signature and PIN number to only the right individuals in any country.
Posted by: Roger 27 Feb 2008
Have your say on this article
Newsletters
Latest stories from Finance and Reporting
Latest videos
You may also like
Finance and Reporting jobs
Technology Patent Wars
Case studies from large organisations across all sectors
... And rich media, and flexible working, and peaks in traffic ...
Upcoming Events
Join us for this Computing web seminar, in which the Head of BI at the Co-operative Group Nick Colebourn will be explaining just how he reigned in the Group’s sprawling database estate and how significant savings were realised and data quality improved as a result.
Date: 31 May 2012
Time: 11:00 AM
Live June 13th 11:00am: Register now. During this web seminar we will be looking at the sorts of incidents that can bring data centres grinding to a halt and what can be done about them.
Date: 13 Jun 2012
Time: 11:00 am
Receive the latest jobs direct to your inbox
Are you being paid what you are worth?
