By Tom Espiner, 6 February 2007 16:40
NEWS
Two Cambridge researchers have devised a relay attack using a tampered chip and PIN terminal that could enable attackers to bypass bank card security measures.
Saar Drimer and Steven Murdoch, members of the Cambridge University Computer Laboratory, have demonstrated an attack that defeats a supposedly tamper-proof chip and PIN terminal by relaying card traffic between a fake card and a genuine one.
In the prototype attack demonstrated by Drimer and Murdoch, a customer attempts to pay a restaurant bill by keying their PIN into a chip and PIN terminal that looks real but has actually been tampered with.
Instead of connecting to the customer's bank, the terminal connects to a laptop elsewhere in the restaurant and relays the card traffic to it. A second laptop, linked to the first by a GSM connection (or, potentially, wi-fi), is carried by an accomplice waiting in a jewellery shop across town. This laptop, which is also wired to a modified bank card, receives the data relayed from the legitimate card in the restaurant.
In the prototype built by the Cambridge pair, the chip has been removed from the modified card and the card is connected, via wires running up the scammer's sleeve, to a laptop concealed in a rucksack. Such a set-up is conspicuous if anyone looks closely, but the researchers believe the card could be made harder to detect by using an RFID chip to communicate wirelessly with the laptop.
Once the restaurant customer has entered their PIN, the criminal in the jewellery shop puts the fake card in the shop's terminal. Every command the jeweller's terminal sends to the fake card is relayed via the two laptops and the fake terminal to the legitimate card, and the card's responses travel back the same way.
This effectively connects the jeweller's terminal to the victim's card, and through it to the victim's bank, which sees an ordinary transaction. Because the criminals control the terminal in the restaurant, they can make it display that the victim will pay £20 while the card is actually authorising a charge of £2,000 at the jeweller's for a diamond ring.
During this relay attack the criminals don't need to hack into any systems or break any cryptography: the card's responses are simply forwarded from one terminal to the other, so every check the jeweller's terminal and the bank perform is answered by the genuine card and passes.
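The flow described above, as an added example that is not from the article or the Cambridge prototype: a simulation of the relay in Python. The card protocol is a deliberately simplified stand-in for EMV (SELECT, VERIFY with a PIN, and GENERATE_AC producing a MAC over the transaction data); the card, issuer, terminals, relay channel, key and PAN are all constructed for this example. The point it shows is that the genuine card has no display and signs whatever amount the terminal actually driving it presents, so the bank approves £2,000 while the victim's terminal showed £20.

```python
"""Relay-attack simulation (hypothetical protocol, not real EMV or the Cambridge code)."""
import hashlib
import hmac
import secrets


class GenuineCard:
    """The victim's card: shares a key with the issuer, knows its PIN, has no display."""

    def __init__(self, pan, pin, key):
        self.pan, self.pin, self.key = pan, pin, key
        self.pin_ok = False
        self.signed = []  # amounts this card has actually authorised

    def transmit(self, cmd):
        if cmd["ins"] == "SELECT":
            return {"sw": "9000", "pan": self.pan}
        if cmd["ins"] == "VERIFY":
            self.pin_ok = hmac.compare_digest(cmd["pin"], self.pin)
            return {"sw": "9000" if self.pin_ok else "63C2"}
        if cmd["ins"] == "GENERATE_AC":
            if not self.pin_ok:
                return {"sw": "6985"}  # PIN not verified: refuse
            data = f'{self.pan}|{cmd["amount"]}|{cmd["merchant"]}|{cmd["nonce"]}'
            self.signed.append(cmd["amount"])
            ac = hmac.new(self.key, data.encode(), hashlib.sha256).hexdigest()
            return {"sw": "9000", "ac": ac}
        return {"sw": "6D00"}


class Issuer:
    """The bank: recomputes the cryptogram. A relayed card is indistinguishable from a present one."""

    def __init__(self, key):
        self.key = key

    def authorise(self, pan, amount, merchant, nonce, ac):
        data = f"{pan}|{amount}|{merchant}|{nonce}"
        expected = hmac.new(self.key, data.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, ac)


class FakeTerminal:
    """Tampered restaurant terminal: shows one amount, captures the PIN, relays commands to the real card."""

    def __init__(self, card):
        self.card = card
        self.display = ""
        self.captured_pin = None
        self.log = []  # instructions relayed to the genuine card

    def take_payment(self, shown_amount, pin_entered):
        self.display = f"Amount: £{shown_amount / 100:.2f}"  # what the victim sees
        self.captured_pin = pin_entered  # passed to the accomplice over the link
        # Nothing is sent to the bank: the restaurant bill is never charged.

    def relay(self, cmd):
        self.log.append(cmd["ins"])
        return self.card.transmit(cmd)


class RelayChannel:
    """Stand-in for the two laptops and the GSM link between the shops."""

    def __init__(self, restaurant_end):
        self.restaurant_end = restaurant_end

    def forward(self, cmd):
        return self.restaurant_end.relay(cmd)


class FakeCard:
    """Modified card in the jeweller's terminal: forwards every command over the channel."""

    def __init__(self, channel):
        self.channel = channel

    def transmit(self, cmd):
        return self.channel.forward(cmd)


def honest_terminal(card, issuer, amount, merchant, pin):
    """An untampered terminal. Returns (approved, pan)."""
    pan = card.transmit({"ins": "SELECT"})["pan"]
    if card.transmit({"ins": "VERIFY", "pin": pin})["sw"] != "9000":
        return False, pan
    nonce = secrets.token_hex(8)  # unpredictable number: fresh cryptogram per transaction
    resp = card.transmit({"ins": "GENERATE_AC", "amount": amount, "merchant": merchant, "nonce": nonce})
    approved = resp["sw"] == "9000" and issuer.authorise(pan, amount, merchant, nonce, resp["ac"])
    return approved, pan


def run_attack():
    key = b"issuer-key-for-this-example"  # constructed shared card/issuer key
    victim = GenuineCard(pan="4000000000000002", pin="1234", key=key)
    issuer = Issuer(key)
    fake_term = FakeTerminal(victim)
    # Restaurant: the victim sees £20.00 and types their PIN into the tampered terminal.
    fake_term.take_payment(shown_amount=20_00, pin_entered="1234")
    # Jeweller's: the accomplice presents the fake card and types the relayed PIN.
    fake_card = FakeCard(RelayChannel(fake_term))
    approved, pan = honest_terminal(fake_card, issuer, 2000_00, "JEWELLER", fake_term.captured_pin)
    return {"display": fake_term.display, "approved": approved, "pan": pan,
            "card_signed": victim.signed, "relayed": fake_term.log}


if __name__ == "__main__":
    print(run_attack())
```

Running it shows the fake terminal's display reading £20.00 while the genuine card's `signed` list holds only the £2,000 jeweller's transaction, which the issuer approves; the nonce and MAC that would stop a replayed or forged cryptogram do nothing here because the genuine card answers each challenge live.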
The researchers were unwilling to reveal too much of the technology behind the attack, as they don't want their methods falling into the wrong hands. Nevertheless, they told silicon.com sister site ZDNet UK that a Field Programmable Gate Array (a semiconductor device containing programmable logic components and programmable interconnects) was used in the fake card.
Drimer said: "The restaurant patron has got their meal for free, as the £20 has never been charged. But they will have been charged £2,000 at the jeweller's."
He claimed the fraud would be difficult for police to trace, as the victim might only notice once they received a bank statement. They would then need to remember where they had been when the fraud occurred, as the statement would show a transaction at the jeweller's, not at the restaurant.
He added: "A criminal could have a fast turnaround from this type of attack - most likely it would not be detected."
The researchers' goal was to prove that chip and PIN systems are not infallible. "Chip and PIN currently does not defend against this attack, despite assertions from the banking community that customers must be liable for frauds in which the PIN was used," they said, in an as-yet-unpublished paper.
They added: "When customers pay with a chip and PIN card, they have no choice but to trust the terminal when it displays the amount of the transaction. The terminal, however, could be replaced with a malicious one, without showing any outward traces."
Tom Espiner writes for ZDNet UK

Comments
There are 7 comments.
1. anonymous
Not sure why this is news, anyone clever enough to re-wire any payment terminal (including magnetic stripe payments) could snatch the card details. Any system can be broken if you replace a trusted link.
2. anonymous
Watchdog BBC1 tonight hit the nail on the head when it showed victims of fraud whose cards had been used fraudulently before they noticed them lost or stolen being held liable for the cost of fraud.
If the industry can't keep your PIN secret then how can they hold anyone liable for PIN abuse or misuse?
Glad I opted for Chip & Signature. I can never be held liable or accused of PIN negligence and crooks can't hit ATMs with my cards.
3. Gareth Evans
Clearly this attack could never be widespread and needs a considerable amount of insider help. This sort of research should be kept to themselves and shared with APACS and not be used to make the general public sceptical about the security of the chip and PIN system.
4. Lawrence McNulty
How does the criminal manage to tamper with the restaurant terminal without the proprietor knowing about it? Or is the suggestion that the restaurateur is part of the scam?
5. Nick Price
It is my understanding - I hope I am wrong! - that messages, including PIN numbers, passed between wireless hand-held terminals and their base units are not encrypted. If this is the case, there would seem to be a rather large loophole.
6. Sarah
I watched the Watchdog programme last night and despite how clever this is, I have been wondering why anyone wishing to steal details from someone needs to go to that length.
The number of times I have stood behind someone in a queue in a shop and watched them key in their PIN number in full view of everyone (including me) around. People are the biggest weak link here and until people start taking care to keep their PIN secure, then card crime will continue with or without the aid of technology like this.
7. anonymous
I have been dealing with one of those card protection schemes.
They say "Now you're not covered for fraud by your bank because of the advent of Chip and PIN".
It's pretty worrying that banks may argue "How could this fraud have happened as you're the only one that knows your Chip and Pin?"
It makes you wonder if retailers should retain CCTV footage for 2-3 months. Given storage devices now available that shouldn't be too difficult.
Digital cams so cheap should retailers start asking if they can take some photos of the person holding up their card to their face (with the shades off obviously) when spending £2K on a diamond ring?
But hey even if such moves prove it wasn't you, it won't mean the fraudster if caught, will be imprisoned.