Chip and pin vulnerable to relay attack
/v3-uk/news/1943631/chip-pin-vulnerable-relay-attack
07 Feb 2007, Clement James , V3
The Cambridge University computer scientists who hacked a chip and Pin terminal to play Tetris are back with a new exploit.
Saar Drimer and Steven Murdoch claimed that the system is vulnerable to a new kind of fraud which involves "relaying" information from a genuine card.
Using this technique, a chip and Pin terminal in a remote location could be made to accept a counterfeit card.
During a test described on the duo's Light Blue Touchpaper website, a fraudster sets up a fake terminal in a busy shop or restaurant.
When a genuine customer inserts their card into this terminal, the fraudster's accomplice inserts their counterfeit card into the merchant's terminal in another shop.
The fake terminal reads details from the genuine card, and relays them to the counterfeit card so that it will be accepted.
The Pin is recorded by the fake terminal and sent to the accomplice for them to enter, at which point they can walk off with the goods.
The researchers claimed that foul play would only be detected when the victim receives their statement.
"There will be nothing unusual about this transaction from the bank's perspective as it will seem as if the real card was used, with a chip and the correct Pin," the researchers said.
"It should also work equally well via a mobile phone to the other side of the world."
Drimer and Murdoch conceded that it is unlikely that criminals are using techniques such as this, as there are less sophisticated attacks to which chip and Pin remains vulnerable.
However, the researchers warned that, as security is improved, the relay attack may become a significant type of fraud.
Do you agree?
Not a Supprise
I have personally complained about Chip and pin since it was first introduced.
It is probably the worst security measure ever developed.
When you use your PIN number, it used to be only at a hole in the wall that could be 100% covered while you entered it. Now you are expected to enter it sometimes with the staff staring directly at you.
The signature system worked well, if the retailers followed the rules.
With chip and pin it is easy to get someones pin code, and instead of making highstreet purcahses, like they used to have to do, they can actually goto a cash machine and withdraw CASH, that is then un tracable... they could even walk into the bank deposit it, pay tax on it and say they are self employed and thats what they earned that day from what ever they do!
So we have gone from system where if your card was stolen, people would have to buy products that where traceable (serial numbers etc) to a system where they could actually take the cash and make a business out of it, that appears legal!
Chip and Pin should be banned, and the European measure of requiring ID for purcases over x amount should be braught in.
Posted by Matthew Little, 09 Feb 2007