Threat Center Security News Exploitaiton found in credit card readers
Exploitaiton found in credit card readers Print E-mail
Written by Rebecca Mints   
Thursday, 28 February 2008 15:46

A team of reasearchers from Cambridge University has discovered a way to steal credit card numbers and PINs from cards inserted into two different manufacturers PIN Entry Devices (PEDs).

The attack works by stealing the data that is transmitted back and forth between the credit card and the PIN entry pad.  There is a flaw in the data encryption of the PEDs made by Ingenico and Dione, and it allows a would-be criminal to steal the credit card number as well as the PIN.  Cambridge security lab reseacher Ross Anderson remarked "“Armed with this information, fraudsters can create a counterfeit card and withdraw cash from ATMs abroad. We have successfully demonstrated the attack, on a real terminal.”

Although there is a standard set forth by UK company Government Communications Headquarters (GCHQ) that all PEDs are supposed to meet known as the "Common Criteria," the Cambridge team does not know how the security checks on the devices were performed.  “GCHQ has not heard of the work and says that the devices were never certified under the Common Criteria,” said the research group.  They went on to suggest that vendors remove PEDs until a solution is put into action.

The manufacturers of the PEDs say that things have been blown out of proportion and that there is no cause for alarm.   Scottish PED maker Ingenico was quoted as saying “Retailers and card users should rest assured that the devices, from various suppliers, identified by the Cambridge University scientists, remain among the most secure terminals on the market and have contributed to card fraud at UK retailers falling by up to 47 per cent year-on-year," and “the method identified by the Cambridge University paper requires specialist knowledge and has inherent technical difficulties. This method is therefore not reproducible on a large scale, nor does it take into account the fraud monitoring used throughout the industry."

A paper from the Cambridge research team regarding the vulnerability will be presented at the IEEE Symposium on Security and Privacy conference in Oakland, California, in May.


Scientists expose vulnerability in credit card readers

New Scientist

Credit card readers 'vulnerable to attack'



WTW Threat Level