Researchers at Cambridge University Computer Laboratory,
have shown thatChip & Pin
machinesare not as secure as the banking
industry claims.
Researchers have said that two widely deployed models fail to
protect customers' card details and Pins adequately.
Disclosures on the alleged weaknesses in the security of the
systems are due to be made on BBC 2's Newsnight this evening (26
February 2008).
Fraudsters, say the researchers, can easily attach to the Pin
entry device a "tap" that records Pin and account details as they
are transmitted between the card and the Pin pad. Armed with this
information, fraudsters can create a counterfeit card and withdraw
cash from ATMs abroad.
One of the researchers, Steven Murdoch says, "We have
successfully demonstrated this attack, on a real terminal borrowed
from a merchant."
The researchers also question the system under which bank
terminals are certified.
Ross Anderson, professor of Security Engineering at Cambridge,
says that the weaknesses exposed by Cambridge researchers apply to
other equipment such as voting machines to electronic medical
record systems. He said, "Where the public are forced to rely on
the security of a system, we need honest security evaluations that
are published and subjected to peer review."
Chip and pin flaws - are security evaluations robust?
>>