UK Researchers Hack Chip and PIN Security

Two UK-based researchers demonstrated this week how to hack a security scheme in which a customer must enter a four-digit code for credit or debit card transactions. They claim in an as-yet-unpublished paper that they rigged a card reader to intercept a card holder's information during the transaction, data that could later be used to make fraudulent purchases.


Rackspace now offers green hosting solutions at the same cost without sacrificing performance. We make it easy for our customers to choose a green configuration or customize one that works for your business needs. Make the eco-friendly choice.

As momentum builds behind two-factor authentication for increased security of sensitive and private data, two UK-based researchers say they have found a way that criminals can thwart the smart card and PIN (personal identification number) approach now deployed across the UK.

Chip and PIN is the UK banking industry's payment-card security measure. It requires customers to present both a bank card containing a smart chip and a four-digit PIN in order to complete a purchase.

Backers of the Chip and PIN approach -- which went into effect last year -- have argued that the system offers a much higher level of security than previous schemes. They have also claimed that because the PIN must be entered before a purchase can be made, consumers should be held liable for fraudulent purchases made with their card and PIN.

The two researchers, Saar Drimer and Steven Murdoch, members of the Cambridge University Computer Laboratory, demonstrated last month how to hijack a card reader to play the video game Tetris.

Now, they claim in an as-yet-unpublished paper that they rigged a card reader to intercept a card holder's information during a transaction, data that could later be used to make fraudulent purchases.

Interception of Data

The banks supporting the chip and PIN program note that there is no evidence of any fraud involving cards using the stronger security systems.

However, the researchers' ability to subvert the scheme suggests that criminals would, over time, figure out a way around its security measures.

Though Chip and PIN is a UK program, a debate over which form of in-store payment authentication is more secure is also taking place in the U.S., where bank debit cards that require consumers to enter a PIN on a keypad are often used alongside credit cards that require only a signature.

The UK program was based on the belief that requiring a PIN provides higher security than a signature, which can be forged.

Meanwhile, the much larger question remains unanswered: What is the best process for conducting secure purchases in general, including online transactions?

Security and privacy concerns remain a potential barrier to future e-commerce growth, especially among those who have so far been reluctant to make online purchases.

For example, online payment provider PayPal recently said it would begin offering its users hardware tokens that generate one-time passwords, giving them a higher degree of protection against phishing and identity theft.

In the U.S., many banks and financial services companies have been reluctant to impose additional authentication requirements, not because of security concerns but because they don't want to add steps to the checkout process, Gartner (NYSE: IT) analyst Avivah Litan said.

"Consumers are very interested in convenience, but there are instances where a higher level of security is called for," Litan said. "Figuring out the best blend to balance those concerns is something every bank and retailer, online and offline, is engaged in to some degree."

Inside the Hack

In the attack scenario created by Cambridge Computer Laboratory's Drimer and Murdoch, a fake card reader is installed in a restaurant. When a customer inserts a payment card to pay, the fake terminal reads the card's data and records the PIN the customer types. That data is sent to a nearby laptop over a wireless network.

An accomplice in another location then uses a fake card whose smart chip has been removed and replaced with wires connecting it to a second laptop. When the fake card is inserted into a second, genuine card reader, the laptop feeds it the relayed data, and the accomplice enters the captured PIN. The genuine reader is the one that actually communicates with the consumer's bank: each challenge it sends to the fake card is relayed over the wireless link to the fake terminal in the restaurant, presented to the real card, and the real card's answer travels back the same way. From the bank's point of view the transaction looks like a legitimate purchase by the genuine card.

RFID might also be an option for getting around the lack of an actual smart chip in the card, according to Drimer and Murdoch.

The researchers acknowledge that the attack would require near-perfect choreography, but say that showing how the hack works is enough to warrant a reevaluation of the Chip and PIN system's security.

Drimer and Murdoch said they will not release some of the technical details of their attack, adding that they have also developed protocols that could prevent the relay scenario from working.
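The following is an added example, not code from the researchers or from this article, that simulates the relay described above in Python. It models a simplified challenge-response between card, terminal and issuer (an HMAC stands in for the card's real cryptogram; the key, PAN and PIN are constructed demo values), then runs the same purchase three ways: through the relay with the captured PIN, through the relay with a wrong PIN, and with the real card in an honest reader. A round-trip time bound on the genuine terminal is included as an illustrative countermeasure of this example only; the article does not say what the researchers' own protocols measure.

```python
import hashlib
import hmac
import os

# Constructed demo values: one card, its issuer-shared key and its PIN.
# Assumption: a single HMAC key stands in for the per-transaction cryptogram
# keys a real EMV card derives; the message flow is what matters here.
DEMO_PAN = "5555000011112222"
ISSUER_KEYS = {DEMO_PAN: b"demo-card-key-not-real"}
DEMO_PIN = "1234"

LOCAL_CARD_MS = 5   # assumed time for a card physically in the slot to answer
RELAY_HOP_MS = 60   # assumed one-way latency of the attackers' wireless link


def cryptogram(key: bytes, pan: str, challenge: bytes, amount: int) -> bytes:
    """Card's authorization proof: a MAC over the terminal's challenge and amount."""
    msg = pan.encode() + challenge + amount.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class RealCard:
    """The victim's genuine card, sitting in the crooked restaurant's fake terminal."""

    def __init__(self, pan: str, pin: str):
        self.pan, self.pin, self.key = pan, pin, ISSUER_KEYS[pan]

    def respond(self, challenge: bytes, amount: int, pin: str):
        """Offline PIN check, then a cryptogram. Returns (pan, cryptogram, ms)."""
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            return self.pan, None, LOCAL_CARD_MS
        return self.pan, cryptogram(self.key, self.pan, challenge, amount), LOCAL_CARD_MS


class FakeTerminal:
    """Tampered reader in the restaurant: records the PIN, relays everything else."""

    def __init__(self, real_card: RealCard):
        self.real_card = real_card
        self.captured_pin = None

    def customer_enters_pin(self, pin: str) -> None:
        self.captured_pin = pin  # what the diner types while paying for dinner

    def relay(self, challenge: bytes, amount: int, pin: str):
        pan, resp, ms = self.real_card.respond(challenge, amount, pin)
        return pan, resp, ms + 2 * RELAY_HOP_MS  # laptop link there and back


class WiredFakeCard:
    """Accomplice's gutted card: chip replaced by wires to a laptop on the link."""

    def __init__(self, fake_terminal: FakeTerminal):
        self.fake_terminal = fake_terminal

    def respond(self, challenge: bytes, amount: int, pin: str):
        return self.fake_terminal.relay(challenge, amount, pin)


class Issuer:
    """The consumer's bank: recomputes the cryptogram with the card's key."""

    def authorize(self, pan, challenge, amount, resp) -> bool:
        key = ISSUER_KEYS.get(pan)
        if key is None or resp is None:
            return False
        return hmac.compare_digest(cryptogram(key, pan, challenge, amount), resp)


class GenuineTerminal:
    """The honest shop's reader: the only party that actually talks to the bank.

    max_rtt_ms is this example's illustrative round-trip bound (assumption)."""

    def __init__(self, issuer: Issuer, max_rtt_ms=None):
        self.issuer, self.max_rtt_ms = issuer, max_rtt_ms

    def purchase(self, card, amount: int, pin: str) -> dict:
        challenge = os.urandom(8)
        pan, resp, rtt_ms = card.respond(challenge, amount, pin)
        ok = self.issuer.authorize(pan, challenge, amount, resp)
        flagged = self.max_rtt_ms is not None and rtt_ms > self.max_rtt_ms
        return {"authorized": ok and not flagged, "rtt_ms": rtt_ms, "flagged": flagged}


def demo() -> dict:
    victim = RealCard(DEMO_PAN, DEMO_PIN)
    fake_term = FakeTerminal(victim)
    fake_term.customer_enters_pin(DEMO_PIN)          # diner settles a small bill
    fake_card = WiredFakeCard(fake_term)
    issuer = Issuer()
    accomplice_pin = fake_term.captured_pin           # typed at the genuine reader
    return {
        "relayed": GenuineTerminal(issuer).purchase(fake_card, 250_00, accomplice_pin),
        "relayed_wrong_pin": GenuineTerminal(issuer).purchase(fake_card, 250_00, "0000"),
        "relayed_rtt_bound": GenuineTerminal(issuer, 20).purchase(fake_card, 250_00, accomplice_pin),
        "honest": GenuineTerminal(issuer, 20).purchase(victim, 12_50, DEMO_PIN),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

Two things the simulation makes concrete: the bank cannot tell the relayed purchase from a genuine one, because the cryptogram really was computed by the victim's card, and the captured PIN is essential, since the real card refuses to answer to a wrong PIN. The fixed 20 ms bound is only a toy; a real relay can be made much faster than the simulated wireless hop, so whatever check a terminal uses has to be measured at the card interface with tight tolerances rather than at the application layer.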
