Tuesday, March 4, 2008

Stealing Your PIN with a Paperclip or a Needle

Researchers at the University of Cambridge have found simple ways to compromise bank card readers. The next time you’re at a store punching your PIN into a debit card reader, if there is a paperclip or needle sticking out the back of the reader, you should be suspicious.

The researchers Drimer, Murdoch, and Anderson have documented their findings in this technical report. They chose two different models of card reader and bought two each of them online for a total of $80 for the four readers. They then took one of each type apart to see how it worked and were then able to compromise the other readers simply.

The card readers they examined were actually a type that is intended to work with higher security bank cards called smart cards. Instead of just a magnetic stripe, these cards contain a microchip that gives higher security. These cards are being deployed throughout Europe and are currently being tested in Canada.

The researchers were able to probe the inside of the reader to get PINs and customer identities. This information makes it possible to make a duplicate bank card that can be used with the stolen PIN to clean out the victim’s bank account.

For one type of reader the researchers poked a paperclip through an existing hole in the back of the reader to access internal information. For the other type of reader, they had to drill a tiny hole and insert a needle. In both cases they then connected a wire to the paperclip or needle and ran the wire to a device to store PINs and customer identities.

The researchers also demonstrated their attack for television: “Having tested this attack in the laboratory, we repeated it in the field for the BBC ‘Newsnight’ programme; we tapped a terminal in a London shop and, during a transaction, extracted the card and PIN details for a journalist’s card without triggering the tamper detection system.”

Although these attacks were carried out against smart card readers, the problem has nothing to do with whether the bank card is a smart card or regular magnetic stripe card. The researchers were able to bypass security and read out important information from inside the card reader.

In North America customers are protected financially from attacks like this because they are usually not held liable. The results can be very distressing while the problem is being sorted out, but in the end customers rarely lose the stolen money.

According to the researchers, the situation is much different in the UK. They say that their results “will encourage improved security and better treatment of customers, who are often blamed for fraud.”

No comments:

Post a Comment