From the Times Online UK:
‘Chip and PIN’ cards which require customers to enter a four-digit code before purchasing goods may not be as safe as previously thought, according to research.
Customers may unwittingly be handing over their card details and pin number when using the new terminals, which have been widely rolled out at supermarkets, service stations and other outlets, a group of computer security academics has claimed.
According to the research, with a relatively simple 10 minute procedure a merchant can program a chip and PIN terminal to capture all the information needed to clone a chip and PIN card, as well as the customer’s PIN number.
The fraudster would then be free to make withdrawals from the customer’s bank account, as well as commit identity fraud, the group said. The researchers, from the Computer Laboratory at the University of Cambridge, said they had no evidence to suggest the problem was widespread, though they were aware of several instances of it happening, including one at a Shell garage in 2006.
They said the vulnerability was caused by manufacturers’ failure to build appropriate encryption technology into the devices, known as PIN-entry devices (PEDs), which meant that information passed between the card and the device unprotected.
[tags]Chip And PIN, PIN Number[/tags]
