Retail Technology
Researchers demonstrate "man in the middle" PIN terminal attack

Scientists at the Cambridge University Computer Lab have uncovered a potentially fatal flaw in the chip and PIN technology that could diminish the security of millions of credit and debit cards.

 

Two years ago, the same scientists discovered a method to intercept communications between a PIN terminal and card, skimming enough information to create a cloned card.

 

Now the scientists have demonstrated a new "man in the middle" technique that relies on chip software connected to a fake card, tricking the PIN terminal into thinking the PIN has been verified and central systems into thinking the payment was authorised by signature.

 

"We think this is one of the biggest flaws that we've uncovered – that has ever been uncovered – against payment systems, and I've been in this business for 25 years," Professor Ross Anderson from the Cambridge University Computer Laboratory told BBC2’s Newsnight last week.

 

Among a number of industry commentators, opinion on how dangerous this flaw could be in practical terms was divided. Jay Abbott, director of Threat & Vulnerability Management at PricewaterhouseCoopers (PwC), commented: “Essentially, what the scientists have come up with is a very effective and simple way of exploiting weaknesses in the system. However, it is important to bear in mind that the fraud requires a very specific scenario to become effective.

 

From the practical to specialist requirements

 

“A number of electronic components are involved that require concealment, therefore the fraudster must remain in contact with the card at all times. A simple process change by the retailer of asking for the card holder to hand over the card would break the circuit, although this possibility can be eliminated if the card reader is fixed to a point on the other side of the counter.

 

“One of the motivations for introducing chip and PIN in the first place was to give consumers extra protection by limiting the chance of a sales assistant being able to “skim” the card and duplicate it for fraudulent purposes. Also it is important to note that it only affects transactions where the fraudster visits the retailer in person and does not work online or on ATM transactions, where different forms of authentication are required.

 

“At present, the customer is accountable for the fraud as banks argue that PIN verified transactions are secure. Given this attack demonstrates a clear method of bypassing the PIN system, this assertion by the banks stands on shakier ground.”

 

Stephen Howes, chief executive of GrIDsure, believes that the Cambridge research has shown that chip and PIN cards can no longer be considered as a two-factor authentication method: “This latest revelation about chip and PIN cards has, yet again, called into question the confidence we can have in our banks and their attitude to our security. As we’ve seen in recent comments, banks are all trying to hide behind each other by claiming it’s an ‘industry issue’, so the question to be asked is: who is actually going to take responsibility for this?

 

“As we know, the banking industry is self-regulated, so it can’t just bury its head in the sand, especially when it’s responsible for policing its own fraud. Consumers are being forced to use a system that has been shown to be broken, and ultimately it will be consumers who suffer.

 

Alarm and concern among consumers

 

“These Cambridge scientists have unearthed a fundamental flaw in the system and I think most people will be gobsmacked. Effectively they’ve discovered that chip and PIN can no longer be considered a two-factor solution and banks must consider making a wholesale change to their approach to fraud, which certainly won’t just take five minutes.”

 

Presenting another point of view, Gareth Wokes, chairman of secure payment specialist The Logic Group, which handles transactions across more than 250,000 points of sale (PoS) in the UK, said the publicity is “an attempt to draw attention to the wrong issue”.

 

“I find the tone of this dumbed-down research alarmist. Fraudsters are always pushing the barriers and trying to find new ways to navigate security measures; it is not a static situation,” said Wokes. “And just as the fraudsters continue to innovate so too does the payment industry, which invests vast sums of money in continuous improvements to card payment security. The unfortunate reality is that whatever banks, card schemes and specialists do, they will always have to invest more to combat fraud.

 

“In that respect Professor Anderson’s claim that the banks will have to re-write the software around the entire chip and PIN system also misses the point – they are constantly improving card payment security and will continue to do so as long as card fraud exists. It is like worrying that thieves might be able to reprogramme the burglar alarm, when the doors and windows have been left open.

 

Chip and PIN in the dock

 

“To position this as an overall failure of chip and PIN is also misleading and counter-productive to the industry’s efforts against fraud. Chip and PIN successfully addressed the issue that it was created to address; that the person making a transaction is who they say they are. As such, a year after chip and PIN was introduced, card fraud dropped by 48%. The issue is that fraudsters then moved on to eCommerce fraud (where chip and PIN is irrelevant), which is why fraud figures subsequently began to increase again. It’s a constant battle to close down loopholes and the rules of engagement change month-to-month and even day-to-day.

 

“Despite the alarmist tone to this story our clients will keep this in perspective; they are aware of the risks and similarly aware of the ongoing effort to address those risks, and are in discussion with our consultants with regard to card payment security on a daily basis. In this respect there is something to be learned from the American approach – in the US card data breaches must be made public, whereas the tendency in the UK is for breaches to be buried, unless the media hear about them first. This certainly doesn’t allow for an informed debate – but does provide an environment for alarmist reaction to risks that we are all aware of.

 

“To suggest that the banks, card schemes and payment specialists are doing nothing to improve security is nonsense. The industry works towards a mandated standard, launched some years ago to protect cardholder data, known as the Payment Card Industry Data Security Standard (PCI DSS). There are hundreds of incredibly prescriptive standards that businesses must achieve – and are fined if they do not do so. Again the framework evolves constantly just as the threat to card security does. It is not a panacea – fraudsters are resourceful and have been more active than ever during the peak of the recession. It does however represent a continued effort on behalf of the industry in terms of resource and investment to stay ahead of the fraud curve.

 

“The Logic Group carries out an annual survey of PCI DSS compliance within the UK and the November 2009 results showed that only 25% of retailers are currently compliant. This is of much greater concern overall, than focusing on one specific technical issue, within what is a generally secure solution.”