BlackHat 2012: UK firm MWR InfoSecurity reveals chip and PIN vulnerability

Security firm MWR InfoSecurity shows how retail chip and PIN devices can be attacked easily at the 2012 Black Hat conference in Las Vegas

Retail chip and PIN devices can be attacked easily, exposing banks, retailers and customers to fraud.

Researchers from Basingstoke-based MWR InfoSecurity demonstrated at the 2012 Black Hat conference in Las Vegas that it is possible to attack chip and PIN devices using a specially prepared chip-based credit card.

MWR InfoSecurity’s research team discovered the issues as part of its ongoing research programme into secure payment technologies.

Ian Shaw, managing director of the company, said: “What our researchers have found reveals huge potential for fraud around the world and demonstrates that the software being used in these machines is not up to the job.”

According to Shaw, MWR InfoSecurity researchers found the same vulnerabilities in the major chip and PIN machines – used throughout the UK and around the world – that were found in computers 10 to 15 years ago.

"There is no excuse for this and lessons should have been learnt," said Shaw.

"This lack of security is putting millions of businesses around the globe at potential risk."

In Las Vegas, the researchers demonstrated how a specially prepared chip credit card can be used to pay for an item and generate a receipt that appears to authorise the payment, without the payment being processed.

In a second scenario, the researchers showed how a specially prepared chip credit card can be used to install code on retail devices to harvest all card numbers and PINs from subsequent users, and then how another card can be used at a later date to collect the data and clean up the malware.

Shaw said this technique could be used to clone the magnetic stripe on the card and withdraw cash in countries where chips on debit and credit cards have not yet been rolled out.

"We test a lot of technology used in sensitive banking and retail payment environments and were surprised at how vulnerable many PIN pads are to these kinds of attacks," said Shaw.

There is no doubt that criminals are constantly testing these systems, Shaw said, and it is surprising manufacturers have done little to safeguard retailers and card users.

MWR has notified the suppliers affected by the techniques and have assisted with the relevant information needed to address the identified issues. The suppliers have issued a security update.

MWR believes the industry needs to examine the security of the devices and the software used as a matter of urgency.

"The security standards set for these devices are currently clearly below the required standards many would expect given the sensitive nature of such devices," said Shaw.

More than two years ago, researchers at the University of Cambridge concluded that the flaws in the chip and PIN system were so serious that banks, credit card companies and retailers should consider the system broken, until it is redesigned.

Just last month, a gang of UK chip and PIN fraudsters were jailed for a nationwide scam that netted £725,000 in nine months.

Gang leader Theogenes De Montford was caught with 35,000 stolen credit card details, which would have potentially netted £35m at £1,000 for each cloned card.

Read more on Privacy and data protection