Researchers Expose New Credit Card Fraud Risk
An anonymous reader writes "Researchers from the University of Cambridge have discovered flaws in the card payment systems used by millions of customers worldwide. Ross Anderson, Saar Drimer, and Steven Murdoch demonstrated how a simple paper clip can be used to capture account numbers and PINs from so-called 'tamper-proof' equipment. In their paper (PDF), they warn how with a little technical skill and off-the-shelf electronics, fraudsters could empty customers' accounts. British television featured a demonstration of the attack on BBC Newsnight."
Re:Is anyone here really surprised? (Score:5, Informative)
This reminds me of a quote (the source eludes me at the moment):
"If it can be engineered by one human, it can be reverse-engineered by another human."
Re:They're looking in the wrong place (Score:5, Informative)
This is a UK/Europe card system issue... (Score:5, Informative)
Re:Another hole in the sieve? (Score:4, Informative)
Re:[Encrypted account and check numbers] (Score:2, Informative)
Re:Tough Interview (Score:3, Informative)
Re:Get rid of the damn things! (Score:5, Informative)
It's like entering your credit card information on a website for a purchase. The connection to the server may be encrypted, but the data sent from your keyboard to your PC is not, and this is the same as where the hack with the card readers/pads is occurring.
Re:Tough Interview (Score:4, Informative)
It is one of the finest pieces of political TV ever.
Re:Get rid of the damn things! (Score:5, Informative)
See http://en.wikipedia.org/wiki/Legal_tender.
Re:Get rid of the damn things! (Score:2, Informative)
These damn pinpads have more tamper-detect on them than a chastity belt. You sneeze and it dumps its keys.
Re:Where's the crypto? (Score:2, Informative)
So, what do you lose if your PIN is compromised? Actually, nothing in a perfect world. That is, a world with only chip cards. The problem is that an overwhelming majority of transactions are being performed on plain old magnetic stripe cards. The amount of infrastructure already out there prevents an overnight shifting to chip cards, and that is why every card with a chip also has a magnetic stripe.
So if you have a clear PIN and you have the data on the magnetic stripe of a card, then it is trivial to reproduce the card and then use it on an ATM with the PIN to withdraw cash.
If you have a secure chip only card, then more than 90% of the world's terminals will not work for you, including just about every terminal in North America.
Re:Tough Interview (Score:3, Informative)
Banks and Security (Score:3, Informative)
Re:Get rid of the damn things! (Score:2, Informative)
From the article:
There is, however, no Federal statute mandating that a private business, a person or an organization must accept currency or coins as for payment for goods and/or services. Private businesses are free to develop their own policies on whether or not to accept cash unless there is a State law which says otherwise.
Oops.
Re:Tough Interview (Score:3, Informative)