
Critical security flaw discovered in Chip and PIN credit card authorizations


February 14, 2010

Internet security experts from around the globe have demonstrated a critical and systemic security flaw in Chip and PIN credit card authorization systems, one which greatly undermines trust in the technology as a means to verify and authenticate bona fide online retail purchases.

Among the most prominent security groups to discover the security hole were researchers at Cambridge University. They succeeded in demonstrating how relatively easy it is to trick any credit card into thinking it is doing a chip-and-signature transaction while the terminal still thinks the transaction is authorized by chip-and-PIN.


The security hole makes it possible to complete transactions that are "Verified by PIN" using a stolen but uncancelled credit card, without even knowing the PIN.

Criminals would then insert a wedge between the stolen card and terminal, tricking the terminal into believing that the PIN was correctly verified.

It isn't surprising that the attack works when a terminal is offline. What is really troubling about this latest discovery is that it works even when the terminal is connected. Credit card fraud victims who complain of phantom transactions are then denied refunds in cases where a purchase is PIN verified.
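The disagreement described above, where the terminal believes the PIN was verified while the card believes it is doing chip-and-signature, can be caught by a party that sees both views. The following Python example is added here and is not code from the researchers or any payment scheme; the record fields and the sample records are constructed, and it assumes the issuer receives both the terminal's reported verification method and the card's own record of whether it checked a PIN.

```python
from dataclasses import dataclass
from enum import Enum


class Method(Enum):
    PIN = "pin"
    SIGNATURE = "signature"


@dataclass(frozen=True)
class AuthRecord:
    """One authorization as seen by the issuer (hypothetical field names)."""
    txn_id: str
    terminal_method: Method   # verification method the terminal reports
    card_pin_checked: bool    # card's own record: was a PIN presented to it?
    card_pin_failed: bool     # card's own record: did that PIN check fail?


def check(rec: AuthRecord) -> str:
    """Compare the terminal's view of cardholder verification with the card's."""
    if rec.terminal_method is Method.PIN:
        if not rec.card_pin_checked:
            return "MISMATCH: terminal reports PIN, card never checked one"
        if rec.card_pin_failed:
            return "MISMATCH: terminal reports PIN, card saw a wrong PIN"
    return "consistent"


def flag_mismatches(records):
    """Return {txn_id: reason} for every record whose two views disagree."""
    results = ((r.txn_id, check(r)) for r in records)
    return {txn_id: reason for txn_id, reason in results if reason != "consistent"}


# Constructed sample records, not real transaction data.
SAMPLE = [
    AuthRecord("t1", Method.PIN, card_pin_checked=True, card_pin_failed=False),
    AuthRecord("t2", Method.SIGNATURE, card_pin_checked=False, card_pin_failed=False),
    # The pattern the article describes: the terminal believes the PIN was
    # verified while the card believes it is doing chip-and-signature.
    AuthRecord("t3", Method.PIN, card_pin_checked=False, card_pin_failed=False),
    AuthRecord("t4", Method.PIN, card_pin_checked=True, card_pin_failed=True),
]

if __name__ == "__main__":
    for txn_id, reason in flag_mismatches(SAMPLE).items():
        print(txn_id, reason)
```

A "Verified by PIN" record on its own reflects only the terminal's view, which is why it cannot by itself settle a disputed transaction.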

These attacks undermine faith in the banking industry’s claim that its systems are secure when in fact they are not.

The research and analysis was performed by Steven Murdoch, Saar Drimer, Ross Anderson and Mike Bond, all senior researchers at the Computer Laboratory, University of Cambridge, and is due to be presented at the IEEE Symposium on Security and Privacy conference in Oakland in May.

Researchers from the University of Cambridge demonstrated the attack in an episode of the BBC Newsnight program last Thursday night.

Saar Drimer warns: "the technical sophistication for carrying out this attack is low, and the compact equipment will not be noticed by shop staff. A single criminal can develop and industrialize a kit to be used by others who do not need to understand how the attack works. This would in fact create a secondary market for such illegal terminals."

The "man-in-the-middle" attack outlined by the Cambridge researchers doesn’t work at ATMs, but it can work on most PoS (point of sale) terminals, regardless of the amount spent in a retail transaction. The security shortcomings apply to all credit cards based on EMV (Eurocard Mastercard Visa), the most widely deployed standard for smartcard payments, which is used by millions of credit and debit cards, mostly in Europe.

"As a security research group, we’re terribly worried that if something isn’t done to fix this problem rapidly, and the many others we’ve found in EMV, other regions adopting it, like in the U.S., are going to make the same great mistakes over and over and that means consumers will be even more vulnerable than they are now."

"In a nutshell, there is a huge hole in the specifications which together create the 'Chip and PIN' system. Structurally, the EMV specification stack is terribly broken, and needs to be addressed and repaired fast," the researchers conclude.

"We don’t want people keeping their money in shoe boxes, but we do want the problems fixed and fixed rapidly. That means getting decent governance for the system that involves all the stakeholders: banks, regulators, merchants and, lastly but not least, the consumers."


Source: Cambridge University.
