By Angelica Mari
27 Feb 2008
The security of Chip-and-PIN-equipped ATMs is being questioned following
a demonstration at Cambridge University that the devices can be cracked.
Two widely deployed models of PIN Entry Devices (PEDs) fail to protect
customers' card details and PINs adequately, according to the
By attaching a recording device to the PED, criminals can record account
details and use the information along with counterfeit cards.
"We have successfully demonstrated this attack, on a real terminal
borrowed from a merchant," Cambridge researcher Steven Murdoch told
"At first, we thought this would be a straightforward study, but a
number of issues have come up, such as inefficient certification
procedures," he said.
Visa and UK trade payments association Apacs certified the devices
currently in use as secure and evaluators did not find the flaws
identified by the Cambridge team.
The credit card company and the trade body claimed the devices were
evaluated under the Common Criteria, an international evaluation scheme
administered in the UK by the Government Communications Headquarters
But GCHQ was unaware of the work and now says that the devices were
never certified under the Common Criteria, said Murdoch.
And the problem is not limited to the banking industry, said Cambridge
professor of Security Engineering Ross Anderson.
"Other fields, from as voting machines to electronic medical record
systems, suffer from the same combination of stupid mistakes, sham
evaluations and obstructive authorities," he said.
"Where the public are forced to rely on the security of a system, we
need honest security evaluations that are published and subjected to
Subscribe to InfoSec News