http://www.computing.co.uk/computing/news/2210549/chip-pin-under-attack 

By Angelica Mari
Computing
27 Feb 2008

The security of Chip-and-PIN-equipped ATMs is being questioned following 
a demonstration at Cambridge University that the devices can be cracked.

Two widely deployed models of PIN Entry Devices (PEDs) fail to protect 
customers' card details and PINs adequately, according to the 
researchers.

By attaching a recording device to the PED, criminals can record account 
details and use the information along with counterfeit cards.

"We have successfully demonstrated this attack, on a real terminal 
borrowed from a merchant," Cambridge researcher Steven Murdoch told 
Computing.

"At first, we thought this would be a straightforward study, but a 
number of issues have come up, such as inefficient certification 
procedures," he said.

Visa and UK trade payments association Apacs certified the devices 
currently in use as secure and evaluators did not find the flaws 
identified by the Cambridge team.

The credit card company and the trade body claimed the devices were 
evaluated under the Common Criteria, an international evaluation scheme 
administered in the UK by the Government Communications Headquarters 
(GCHQ).

But GCHQ was unaware of the work and now says that the devices were 
never certified under the Common Criteria, said Murdoch.

And the problem is not limited to the banking industry, said Cambridge 
professor of Security Engineering Ross Anderson.

"Other fields, from as voting machines to electronic medical record 
systems, suffer from the same combination of stupid mistakes, sham 
evaluations and obstructive authorities," he said.

"Where the public are forced to rely on the security of a system, we 
need honest security evaluations that are published and subjected to 
peer review."


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn