Chip and PIN terminals pwned

Jacob sez, "I'd like to pass on a nice practical attack against the Chip and Pin system used in most of the world Saar Drimer, Steven J. Murdoch and Ross Anderson, researchers at the University of Cambridge, have shown how to compromise supposedly tamper-proof Chip and PIN terminals. With a paperclip, off the shelf electronics, and basic technical skills, fraudsters can capture card details and PINs, then create counterfeit cards. The full results of the team are published their academic paper and were featured on BBC Newsnight." Link (Thanks, Jake!)


  1. I’m not sure how this qualifies as a “nice practical attack against the Chip and Pin system”…

    When my bank account was emptied by someone using ATMs hours from my house while my debit card was still safely in my possession, it didn’t feel like it was the Chip and Pin system that was being victimized. If I had been away somewhere or needed immediate access to my cash, I would have been in trouble. Fortunately I was at home, and a friend was able to lend me the cash I needed until I was able to get to the bank two days later when they refunded my stolen money. In the end it cost my bank (or their insurance company?) and merely inconvenienced me, but had my circumstances been different, the situation could have been dire.

    Proving that the system is weak by publishing this information may undermine the credibility of the Chip and Pin system, but it’s not going to be the system that is going to feel the immediate effects of these “practical attacks.”

    I wonder if there might have been another way to get the point across without providing the world with the resources to put people’s lives in jeopardy. After all, in a capitalistic system, even temporarily separating someone from their money can effectively separate them from their means of survival.

  2. I have to agree with that. I think if you want to do the whole attack the system thing, its going to have to be a fight-club esque affair.

  3. @#1 It’s nice and practical in the sense that it’s easy to do, and not something that can be characterized as an arcane theoretical exploit which won’t work in the real world, which is what credit card companies have traditionally done whenever anyone pointed out the holes in the Emperor’s New Shield.

    That the manufacturers were given 3 months advance notice of the findings and chose to do nothing until these exploits were made public should tell you all you need to know about what does and doesn’t work if you want to get something like this fixed.

  4. The interview at the end is the best bit. I love it when Jeremy Paxman gets stuck into a political or industry mouthpiece and makes them squirm.

  5. Thankfully, I am totally unworried by this news. That credit card doesn’t have any space on it, anyway.

    At any rate, I’m sure that the banking institutions of the world, characterized by their tender affection for their clients and constant worry about their well-being, will just leap to the rescue here and deploy technologies that completely protect us from theft or fraud. As a matter of fact, they’ll probably get on it today.

  6. I love the last bit of the video with the spokesperson .. “There is no vulnerabilities”.. Yes, there is, we bloody well just showed it. “There is no wide-scale fraud” ..So, there is a bit of it? “All systems have inherent vulnerabilities”.. So, you’re saying there are flaws? “No.”

    I’ve installed PIN pads for retailers in the US. There is _no_ security protocol in regards to putting that system in. Just run a cable from the pad to the register PC. Drill a hole in the counter if there isn’t one. That’s it. I don’t even have to show a photo id to the store manager when I come in to change out systems.

    Had no idea what a gold mine I was sitting on!

    Be assured, though, I’m an honest tech. I like non-jail living and my job.

    Everyone should be aware of anything unusual about a card system, one too many menu entries, a mag reader strapped to the side with electrical tape..

    If in doubt, you can always hand the card to the clerk for them to run the card through their terminal’s card reader.. Most modern point-of-systems have this redundancy.

    I’m glad this information is getting out there. A lot of these retailing systems do ‘just enough’ to provide at least the appearence of security.


    More publicity means they might decide to change out the insecure systems, which means they’ll hire me to put them in= win for me!

Comments are closed.