Tuesday, 26 February 2008
Saar Drimer, Steven J. Murdoch and Ross Anderson, researchers at the Computer Laboratory, University of Cambridge, have shown that Chip & PIN machines are not as secure as the banking industry claims. Two widely deployed models of PIN Entry Devices (PEDs), the Ingenico i3300 and Dione Xtreme, fail to protect customers' card details and PINs adequately.
Fraudsters can easily attach to the PED a “tap” that records PIN and account details as they are transmitted between the card and the PIN pad. Armed with this information, fraudsters can create a counterfeit card and withdraw cash from ATMs abroad.
Murdoch says, “We have successfully demonstrated this attack, on a real terminal borrowed from a merchant.”
Criminals are already using techniques similar to these to defraud British customers, with losses in one case alone claimed to be in eight figures. The technical sophistication required to carry out this attack is low, and fraudsters have already shown they have the necessary skills. The tap would not normally be visible to customers, and in the case of the Ingenico PED it could be totally enclosed by the device.
Drimer says, “The vulnerabilities we found were caused by a series of design errors by the manufacturers. They can be exploited because Britain's banks set up the Chip & PIN in an insecure way.” He continued: “These PEDs failed to protect the communication path that carries the card data from the card to the PIN pad, and that carries the PIN from the PIN pad back to the card. A villain who taps this gets all the information he needs to make a fake card, and to use it.”
The Cambridge attacks call into question the system under which bank terminals are certified. Visa and APACS certified these devices as secure, and the vendors are pushing retailers to buy certified devices. But the evaluators did not find the flaws identified by the Cambridge team. The Protection Profile – the target used by the evaluators – was approved by GCHQ, and yet the Cambridge work has shown it was unrealistic. APACS and Visa claimed the devices were evaluated under the Common Criteria, an international evaluation scheme administered in the UK by GCHQ; yet GCHQ had not heard of the work and now says that the devices were never certified under the Common Criteria.
Visa and APACS have refused to disclose the evaluation report and to withdraw the vulnerable terminals from use. The vendors are passing the buck to APACS and Visa, and GCHQ is claiming they knew nothing of what was going on.
Ross Anderson, professor of Security Engineering at Cambridge, says, “The lessons we learned are not limited to banking. Other fields, from voting machines to electronic medical record systems, suffer from the same combination of stupid mistakes, sham evaluations and obstructive authorities. Where the public are forced to rely on the security of a system, we need honest security evaluations that are published and subjected to peer review.”
The attack will be featured on Newsnight, including a demonstration of it being deployed in practice. Watch BBC Two, 10:30pm, Tuesday 26 February 2008.
The Cambridge team's results are also to be presented at the academic conference “IEEE Symposium on Security and Privacy”, Oakland, CA, US, May 2008.