Cambridge University researchers hack chip-and-PIN payment terminals

Computerworld - Researchers at the University of Cambridge in the U.K. have demonstrated how a chip-and-PIN terminal used to authenticate credit and debit card transactions in that country can be compromised to steal sensitive data.

For the proof-of-concept hack, the researchers opened up one of the supposedly tamper-proof terminals, replaced its internal hardware with their own, put it back together without any external evidence of tampering and then got the machine to play Tetris.

"We demonstrated that with the new hardware, everything is under our control -- the card reader, the LCD display and the keypad," said Saar Drimer, one of the researchers involved in the demonstration.

Chip-and-PIN transactions are supposed to be far more secure than transactions using credit and debit cards based on traditional magnetic stripe technology and signature-based authentication. Chip-and-PIN transactions involve the use of credit and debit cards with embedded microchips that are authenticated using a personal identification number. Retailers in the U.K. began rolling out the technology in 2003.

The proof-of-concept hack showed how all components of the PIN pads used to authenticate such transactions could be made to interact and respond to input from one another, Drimer said in e-mailed comments late last week. "This means that the card reader can read information from the chip and display it on the screen. The data from the keypad, such as a PIN, can also be recorded," Drimer said.

Creating fake terminals is not all that difficult and doesn't require more than a "moderate" technical competency, Drimer said. "The environment in which such terminal would be placed will vary, but can be done potentially anywhere where strict mechanisms are not enforced to prevent it," he said.

Last March, the same security group at Cambridge University demonstrated a chip-and-PIN terminal interceptor technology capable of listening in on the communication between the card and the terminal and then modifying the transaction. "Our current demonstration simply created a legitimately looking, fake terminal that emulates a real one," Drimer said.

Sandra Quinn, a spokeswoman for APACS, a U.K. trade association for the payment industry, said the demonstration highlights a hypothetical situation -- not one that is easily replicated in a retail environment.

"What essentially the computer experts at Cambridge University have managed to do is take a terminal out of its natural environment and replace its innards and make it play computer games," she said. While such tampering might be possible in a laboratory setting, it is not a realistic threat to retailers, according to Quinn. The same has proved true of the interceptor technology demonstrated last year, she said.

At the same time, such hacks show that chip-and-PIN terminals are not fail-safe, she acknowledged. "We only said they were tamper-resistant, not tamper-proof," Quinn said.

Quinn noted that since the U.K. began rolling out chip-and-PIN-based technologies in 2003, retail fraud at the point-of-sale system has been dropping. "Chip and PIN has been highly successful in fighting retail-based fraud, which fell 43% in the first half of 2006," compared with the same period in 2005, she said. For the first half of 2006, retail fraud occurring at point-of-sale systems dropped to just over $81.7 million, in comparison with more than $142 million in 2005.

"What is true is that chip and PIN is not the silver bullet for all card fraud," Quinn said. "But we are confident that shoppers can continue to use chip and PIN on High Street with confidence."

Read more about security in Computerworld's Security Knowledge Center.