Chip and PIN unsecure shock (actually it isnae a shock at all)

[nss1888]

Well after being one of the folk who got very pi$$ed off when this "system" was implemented, it's turns out that what I knew all along is, in fact, correct....

Chip and PIN is a usless waste of time...

You hear: It's secure, it;s uncracakable..

What a big pile of sh1te...

Full story HERE

or below

Quote:

Paper clip attack skewers Chip & PIN
Tapping up

Published Wednesday 27th February 2008 17:05 GMT


UK researchers have uncovered a serious flaw in the Chip and PIN machines that authenticate debit and credit card transactions.

Two of the most popular PIN entry devices (PED) in the UK — the Ingenico i3300 and Dione Xtreme — are vulnerable to a "tapping attack", using nothing more sophisticated than a paper clip, a needle and a small recording device.

This basic kit enabled University of Cambridge Computer Labs researchers to record data exchanged between a card and the device's processor without triggering tamper-proofing mechanisms. "This attack can capture the card’s PIN because UK banks have opted to issue cheaper cards that do not use asymmetric cryptography to encrypt data between the card and PED," they note here.

It gets worse. To ensure backward compatibility, PIN entry devices read data on magnetic strips, as well as on chips on newer credit cards. Hackers tapping into the link between a card and the processing device could get all the data needed to make a cloned card. Add in the corresponding PIN, and fraudsters could withdraw cash at the many ATMs overseas not upgraded to read chips and therefore solely reliant on easily-fakeable magnetic stripes.

Tampered PIN entry devices have already been used for fraud. Last December, £80,000 was stolen from 1,500 people in Leicestershire when crooks cloned their cards using a doctored device in a local petrol station.

The process to determine PIN reader security is substandard, the Cambridge team argues. Evaluation should be more open and defective devices should be refused certification, they say..

The Cambridge Chip and PIN scenarios pose little threat in the real world, according to APACS, the banking association which spearheaded the introduction of Chip and PIN in the UK. "The types of attack on PIN entry devices detailed in this report are difficult to undertake and not currently economically viable for a fraudster to carry out," a spokesman said.

Ross Anderson, a member of the research team and professor of security engineering at Cambridge, said: "The lessons we learned are not limited to banking. Other fields, from voting machines to electronic medical record systems, suffer from the same combination of stupid mistakes, sham evaluations and obstructive authorities. Where the public are forced to rely on the security of a system, we need honest security evaluations that are published and subjected to peer review."

The Cambridge team presents its findings in full in May at the IEEE Symposium on Security and Privacy conference in Oakland, California in May. Anderson's colleagues are Saar Drimer and Steven Murdoch. ®

So, as per usual (wait for this to happen with ID cards if they ever are forced upon us) the the technology used is weak. No encryption in the box between the card reader and the central part of the device...

sigh.... I dispear at the ineptness of thee governmental technical solution finders, or whatever the feck the wanna call themselves, because they, apparently, don't actually know a secure system if it appears in front of them waves a wee flag then bytes them on the baws...

feckin ejits.