Needles used to steal PINs
Serious flaws have been found in two widely used electronic point of sale (EPOS) PIN entry devices (PEDs) examined by the University of Cambridge Computer Laboratory. The researchers found they could readily bypass the supposed tamper-proofing of both terminals and read the transaction data, including the PIN, passing between the card and the terminal. One of the PEDs, manufactured by Ingenico, has a rear compartment containing an exposed circuit board that can be probed to pick up the data. The other, the Dione Xtreme, apparently no longer in production but still widely used, merely required a small hole to be drilled in the case so that a long needle could reach a signal connector. A demonstration on last night's BBC Newsnight programme showed this kind of attack in action.
The Cambridge researchers have pointed out that although the PEDs are loosely described in public as though they were Common Criteria certified, they have in fact only been "evaluated" – examined by an approved lab, but "unlike CC Certified products, the reports are kept secret, and governmental Certification Bodies do not do quality control". It's unclear how rigorous the evaluation process is, but UK security consultant Rob Newby noted in his blog in March 2007 that "There is a team of 8 people working inside VISA for the WHOLE of Europe on PCI, and Mastercard has just 2. That's 10 people evangelising, directing and policing a population of thousands of vendors."
There is also evidence that the problems discovered at Cambridge are not isolated cases. In November 2007 a hardware hack on a Barclays Bank PIN Sentry two-factor authentication device was posted on the web. An SMS interface was coupled to the display driver by a ribbon cable, allowing the one-time authentication code to be transmitted to the user's mobile phone. There was no tamper-proofing of any kind on the PIN Sentry.
A leaked APACS review of Chip and PIN states that "Currently, the Chip on a Chip & PIN card provides a tamperproof mechanism to securely hold the PIN, cryptographic keys and counters". While this is literally true, it says nothing about the data in transit between card and PED, which is exactly where the Cambridge attacks operate. That exposure could be significantly reduced by migrating from Static Data Authentication (SDA) cards, whose exchange with the PED is in plain text, to the somewhat more expensive Dynamic Data Authentication (DDA) cards, whose on-card RSA key pair allows the PIN to be enciphered to the card rather than sent in the clear and lets the card sign a terminal-chosen challenge on every transaction, so that a copy of the static card data is not enough to make a working clone. APACS itself admits that "…over time the level of authorisation could drop, allowing the card and terminal to make some risk based decisions … Today, any move to lower authorisation levels - and, therefore, open up the opportunity for fraudsters to exploit cloned SDA cards - must be mitigated with a migration to DDA". The continuing shift in liability for fraudulent transactions from the card issuer to the merchant is likely to reduce issuers' incentive to produce secure systems.
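To make the SDA/DDA point concrete, here is an added illustration in Python. It is not code from the Cambridge report, APACS or any card scheme, and it simplifies heavily: textbook RSA over Mersenne-prime moduli stands in for EMV's 1024-bit-plus keys, there is no issuer/ICC certificate chain, SHA-256 digests replace EMV's data formats, and the card data is constructed. What it shows is why a card cloned from data tapped at a PED passes an SDA terminal's offline check but fails a DDA terminal's, and why the terminal's challenge must actually be unpredictable.

```python
"""
Toy model of EMV offline card authentication (added illustration, not
code from the Cambridge report). Simplifications: textbook RSA with
Mersenne-prime moduli, no certificate chain, SHA-256 digests instead of
EMV data formats. All card data below is constructed.
"""
import hashlib
import secrets

E = 65537


def make_key(p: int, q: int):
    """Return ((n, e), (n, d)) for known primes p and q (toy sizes)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


# Issuer key signs a card's static data once, at personalisation.
ISSUER_PUB, ISSUER_PRIV = make_key(2**31 - 1, 2**61 - 1)
# ICC key lives inside a DDA card's chip and signs on every transaction.
ICC_PUB, ICC_PRIV = make_key(2**89 - 1, 2**107 - 1)


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def rsa_sign(data: bytes, priv) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)


def rsa_verify(data: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


# Constructed static data: exactly what a probe on the PED's card
# interface can read in the clear.
STATIC_DATA = b"PAN=4111111111111111;EXP=0912"
SSAD = rsa_sign(STATIC_DATA, ISSUER_PRIV)  # Signed Static Application Data


class SdaCard:
    """Everything an SDA card presents is static, so a copy is complete."""

    def __init__(self, static_data: bytes, ssad: int):
        self.static_data, self.ssad = static_data, ssad


class DdaCard(SdaCard):
    """A DDA card also signs a terminal-chosen nonce with a private key
    that never leaves the chip."""

    def __init__(self, static_data, ssad, icc_priv):
        super().__init__(static_data, ssad)
        self._icc_priv = icc_priv

    def internal_authenticate(self, unpredictable_number: bytes) -> int:
        return rsa_sign(self.static_data + unpredictable_number, self._icc_priv)


class ClonedDdaCard(SdaCard):
    """Clone built from a PED tap: static data, SSAD and one observed
    dynamic signature. It has no private key, so it can only replay."""

    def __init__(self, static_data, ssad, observed_sig):
        super().__init__(static_data, ssad)
        self._observed_sig = observed_sig

    def internal_authenticate(self, unpredictable_number: bytes) -> int:
        return self._observed_sig  # replay, whatever the challenge is


def terminal_sda(card) -> bool:
    """Offline SDA: verify the issuer's static signature and nothing else."""
    return rsa_verify(card.static_data, card.ssad, ISSUER_PUB)


def terminal_dda(card, unpredictable_number=None) -> bool:
    """Offline DDA: static check, then a fresh challenge the card must sign."""
    if not terminal_sda(card):
        return False
    un = unpredictable_number or secrets.token_bytes(4)
    sig = card.internal_authenticate(un)
    return rsa_verify(card.static_data + un, sig, ICC_PUB)


def demo(captured_un=b"\x00\x00\x00\x01", fresh_un=b"\x00\x00\x00\x02"):
    """Run the four cases and return their outcomes."""
    genuine = DdaCard(STATIC_DATA, SSAD, ICC_PRIV)
    # The attacker watches one transaction at a tampered PED...
    observed = genuine.internal_authenticate(captured_un)
    clone = ClonedDdaCard(STATIC_DATA, SSAD, observed)
    return {
        "sda_clone_passes_sda": terminal_sda(SdaCard(STATIC_DATA, SSAD)),
        "dda_clone_passes_dda": terminal_dda(clone, fresh_un),
        "dda_clone_passes_if_un_reused": terminal_dda(clone, captured_un),
        "genuine_passes_dda": terminal_dda(genuine, fresh_un),
    }


if __name__ == "__main__":
    print(demo())
```

The third case is the caveat a practitioner should take from this: DDA only helps if the terminal's unpredictable number really is fresh per transaction, since a replayed signature verifies perfectly against a repeated challenge.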
- Thinking inside the box: system-level failures of tamper proofing, technical report by the University of Cambridge Computer Laboratory