Game over for Chip and PIN?

Well, no.

> Researchers at the University of Cambridge have managed to hack a so called tamper resistant Chip and PIN terminal and get it to play Tetris.

Tamper-resistant, yes. Not tamper-proof. The lengths they had to go to (below) also show just how resistant it was.

> Security researchers Steven Murdoch and Saar Drimer managed to get a version of Tetris working on the terminal by replacing most of the unit's internal electronics. But the hacking illustrates how fraudsters may be able to physically modify terminals.

So what? I could even build a brand new one from scratch, just as I could probably build something with more than a passing resemblance to an ATM.

> In a Web blog written by the researchers, Drimer says even a perfect tamper resistant terminal will only ensure that the device cannot communicate with a bank once opened.

No. It will ensure that any secret data (such as any private keys) is erased.

> It does not prevent anyone from replacing a terminal's hardware and presenting it to customers as legitimate in order to collect card numbers and PINs.

But nobody ever claimed that was the purpose. The card chips themselves haven't been cracked, and that's the main point here.

Reply to
Alex

At 17:46:57 on 05/01/2007, James delighted uk.finance by announcing:

Yes. Same thing applies. The problem is that genuine points of use haven't been upgraded, whether they be ATMs or terminals.

Reply to
Alex

Alex writes

I am beginning to question the motives of those who are constantly knocking C & P... 8-(

Reply to
Gordon H

Wow. They got hold of a carcass, & stuffed a game-boy inside. All in the comfort of their own bedrooms. Ooh! Those fiendishly minded young scoundrels.

Doesn't say how they would have got it into an actual supermarket.

& they didn't even do that correctly - everyone knows that Tetris goes down!

Dave F.

Alex wrote:

Reply to
Dave F.

"Card security expert Dr Mike Bond revealed that fraudsters are able to manufacture devices that can be attached to chip and Pin till keypads for less than £60 using parts available on the Internet."

Ah the Daily Mail at its usual high standards. Scaring middle England once again with its tales of evil wrongdoing that's "available on the internet".

Dave F.

Reply to
Dave F.

The motives are, I suspect, that people are pissed off that people talk about how secure C&P is (and it is, considered entirely independently, which is pointless), when the 'ecosystem' of which C&P is a part, patently is not secure, and C&P adds little overall security to the overall ecosystem (for want of a better word). It's like someone constantly trumpeting about their new ultra secure front door lock which everyone must now use, but everyone leaves their back doors open by design.

Reply to
Tumbleweed

Maybe the same way the guys at the Shell garages did it, they put them on the counter?

Reply to
Tumbleweed

Let's try 2 other broadsheets:

Today's FT (Recycled by MSNBC)

formatting link
The Times:

formatting link

Reply to
James

This has already happened in the US. Actually you don't need to build an ATM, just buy one.

Reply to
whitely525

People are just worried that if it happens to them it will be harder to prove they are the victim, not the fraudster. This applies even if the chances are lower due to C&P.

I noticed that some car rental agreements have my card imprint, DOB, address, place of birth, and of course the 3 digit security # that is on the back of the CC.

I wonder how these vouchers are disposed of...?

Reply to
whitely525

At 20:23:41 on 06/01/2007, snipped-for-privacy@yahoo.co.uk delighted uk.finance by announcing:

That will not allow you to capture PINs. You'd need to modify it, or build your own.

Reply to
Alex

My understanding is that nearly all the recent fraud is still based on copying the magnetic strip data rather than anything clever with the C&P. Most of the fraudulent withdrawals are in overseas locations still relying on signatures, making it easy to build a cloned UK card for cash withdrawals.

Why I can't have two credit cards, one with no mag strip for UK or EU use and another one with a magnetic strip for US and RoW use I don't know. This would at least stop (until the next scam arrives) the UK based fraudsters cloning magnetic strips as there wouldn't be one to copy. The risk of using the other card whilst overseas remains but it would cut down the risk considerably.

Kevin

Reply to
KOS

My view exactly. And according to a recent FT article, the banks are getting harder on victims of fraud, suggesting negligence where they can.

Tiddy Ogg.


Reply to
Tiddy Ogg

At 21:06:29 on 07/01/2007, KOS delighted uk.finance by announcing:

Correct.

Correct.

Because the mag strip is required for technical fallback.

Reply to
Alex

wrote

Then they have no reason to worry...

*They* don't need to prove that they are a victim; rather, the *bank* would need to prove that the cardholder was involved in the fraud!
Reply to
Tim

Why weren't two levels of `technical fallback' required in pre-C&P days?

Reply to
Sam Nelson

At 13:27:36 on 08/01/2007, Sam Nelson delighted uk.finance by announcing:

I don't understand the question. What two levels?

Reply to
Alex

I'm assuming we fall back to the stripe if the chip doesn't work. Was that not what you meant? But back when we only had the stripe, there wasn't anything to fall back to, but that apparently wasn't a problem.

Reply to
Sam Nelson

At 14:12:45 on 08/01/2007, Sam Nelson delighted uk.finance by announcing:

Yes there was. There's the embossing on the card, except for those cards that are electronic use only. But then that's largely irrelevant as far as EMV is concerned.

Why would it have been a problem anyway? If there's no chip or chip reader, you don't need to have planned a fallback position for them.

Reply to
Alex
