A group of researchers at the University of Cambridge has discovered a flaw ridiculously easy to use management system "chip and pin" of transactions credit card terminals in stores.
According to Ross Anderson of Cambridge University Computer Laboratory, it is "one of the largest ever discovered flaws in the payment system ... a system used by hundreds of millions of people, tens of thousands of banks and millions of points of sale " .
The flaw allows the criminal to use a stolen credit card without knowing the PIN. The method, which were not disclosed all the details for obvious reasons, seems to be a man in the middle: the stolen card is inserted into a portable music player connected to a laptop which runs on a custom program written by researchers at Cambridge. Everything is hidden in a small backpack, which comes from a cable, which is concealed in the sleeve by passing the executioner. The cable connects to a fake credit card, that is what is stuck in the terminal of the store instead of the real one.
The transaction is in the normal way, being careful not to point out the cable protruding from the card (not hard), but when the PIN request the criminal is free to enter whatever you like, even "0000" , because the software and the fake card to the terminal are believed to have been entered correct code. The acknowledgment shall include a statement that the transaction has been verified using a PIN.
program BBC Newsnight made a video in which show this trick to work, of course under controlled conditions and with all the necessary permits. It worked with two credit cards and two debit of four British banks. The institutions surveyed by the BBC, pointed out that this is a problem that affects the entire sector and not the fault of a single operator and they say seems to understand that they are already working on a solution.
Now it remains unclear whether the problem also extends to non-UK credit cards. Given that foreign credit cards also work in the UK, it seems highly likely. A possible remedy is to have the terminal to read the cards so that the wrongdoer can not conceal the cable covering it with his sleeve sweater or jacket.
According to Ross Anderson of Cambridge University Computer Laboratory, it is "one of the largest ever discovered flaws in the payment system ... a system used by hundreds of millions of people, tens of thousands of banks and millions of points of sale " .
The flaw allows the criminal to use a stolen credit card without knowing the PIN. The method, which were not disclosed all the details for obvious reasons, seems to be a man in the middle: the stolen card is inserted into a portable music player connected to a laptop which runs on a custom program written by researchers at Cambridge. Everything is hidden in a small backpack, which comes from a cable, which is concealed in the sleeve by passing the executioner. The cable connects to a fake credit card, that is what is stuck in the terminal of the store instead of the real one.
The transaction is in the normal way, being careful not to point out the cable protruding from the card (not hard), but when the PIN request the criminal is free to enter whatever you like, even "0000" , because the software and the fake card to the terminal are believed to have been entered correct code. The acknowledgment shall include a statement that the transaction has been verified using a PIN.
program BBC Newsnight made a video in which show this trick to work, of course under controlled conditions and with all the necessary permits. It worked with two credit cards and two debit of four British banks. The institutions surveyed by the BBC, pointed out that this is a problem that affects the entire sector and not the fault of a single operator and they say seems to understand that they are already working on a solution.
Now it remains unclear whether the problem also extends to non-UK credit cards. Given that foreign credit cards also work in the UK, it seems highly likely. A possible remedy is to have the terminal to read the cards so that the wrongdoer can not conceal the cable covering it with his sleeve sweater or jacket.
0 comments:
Post a Comment