Hackers can steal your details from chip and PIN machines used in shops and restaurants

  • About 800million purchases each month are processed by chip and PIN machines
  • Criminals can use second-hand devices purchased on eBay to load fake cards with malicious software

Millions of customers’ banking details are at risk after it emerged that card readers used in shops and restaurants can be hacked. Experts have found a security flaw in chip and PIN terminals that allows thieves to download customers’ card details. There are more than one million such readers in the UK according to the UK Cards Association, which processes about 800million purchases each month.

Thousands of terminals must now be reprogrammed. The chip and PIN system replaced the use of signatures to authorise card purchases in 2006, and combines two effective security features: a microchip to ensure the card is not counterfeit, and a personal identification number (PIN) to prove the user’s identity.

However, researchers discovered that criminals can use second-hand devices purchased on eBay to load fake cards with malicious software. Once used in shops, the fakes – made to look like a normal credit or debit card – infect readers, which begin storing the details of all subsequent transactions. The criminal then returns later and uses a second card to download this data, which includes card details and PINs.

A spokesman for security firm MWR told Channel 4: ‘In our demonstration we just got the card number and PIN, but a real criminal would probably reprogramme the reader to request that the card is swiped. This would give magnetic strip data which could be used to clone the card.’

VeriFone, which makes most of the terminals used in Britain, said it is working on an update to fix the flaw. A spokesman said: ‘MWR implemented a sophisticated scenario that is technically feasible on some older systems.

‘VeriFone has developed a software update to resolve this issue in deployed systems and has already submitted the code for testing and approval on an expedited basis.’

Account numbers and PINs are sold, often in bulk, on hundreds of so-called ‘carding’ websites, often based in Eastern Europe or China. Anyone with an email address can sign up and receive access to a global network of criminals selling details from victims all over the world, contributing to the £308million of card fraud committed in the UK each year.

A Daily Mail investigation found one seller on a Russian website offering British credit cards, with full details of the original owner’s identity, for just £19 each. For £190, they also claimed to be able to offer access to a bank account with a credit limit of £8,000.

It recently emerged that 15million Barclays customers using new contactless credit and debit cards could have their details stolen by ‘electronic pickpockets’ who brush past wallets with a mobile phone. The cards, billed as the latest in payment technology, contain a chip so that payment can be made without the need to enter a PIN. However, investigators found criminals could obtain a customer’s name, card number and expiry date by holding a smartphone fitted with simple software over a wallet containing the card.

Published by: http://www.dailymail.co.uk/news/article-2180849/Hackers-steal-details-chip-PIN-machines-used-shops-restaurants.html

2 Comments to “Hackers can steal your details from chip and PIN machines used in shops and restaurants”

  1. Minesh Thakkar says:

    I spoke to Verifone and this is what they had to say.

    Hi, this is the statement we received,
    We were advised that the Secura pin pad is safe though.

    At the Black Hat USA 2012 conference on July 25 in Las Vegas, security consultancy MWR InfoSecurity demonstrated purported weaknesses it claims to have found in industry smart card PIN pads and which it previously publicized in media interviews earlier this month.

    VeriFone became aware of these claims at the same time as the initial reports were published and subsequently engaged in dialog with the consultancy to ascertain what they believed to have discovered and what if any impact it might have on VeriFone products.

    Upon reviewing VeriFone’s portfolio we have confirmed that MWR implemented a sophisticated scenario that is technically feasible on some older systems. VeriFone has developed a software update to resolve this issue in deployed systems and has already submitted the code for testing and approval on an expedited basis. We informed MWR of those efforts last week.

    Once the approval process is complete, we will provide the software update to all impacted parties for appropriate implementation.

    VeriFone has a long-standing reputation as the global trusted provider of secure payment systems. As such, we fully explore any potential issues that are brought to our attention to determine any necessary steps and advise our customers accordingly.

  2. Minesh Thakkar says:

    Q&A

    Q: Has there been an actual breach in the field?
    A: No.

    Q: What is VeriFone doing about the issue?
    A: Upon reviewing VeriFone’s portfolio we have confirmed that MWR implemented a sophisticated scenario that is technically feasible on some older systems. VeriFone has developed a software update to resolve this issue in deployed systems and has already submitted the code for testing and approval on an expedited basis. Once this is complete, we will provide the software update to all impacted parties for appropriate implementation.

    Q: Has VeriFone reported this fix to MWR?
    A: Yes. VeriFone informed MWR of this fix prior to their presentation at the Black Hat USA 2012 conference in Las Vegas. We’re disappointed that they’ve decided to continue publicizing this vulnerability knowing there is a solution in place.

    Q: When do you anticipate the software update being available to all impacted parties?
    A: VeriFone has already submitted the software update code for testing and approval on an expedited basis, which we expect to take about 30 days.

    Q: What devices are impacted; how many units are currently in the field?
    A: This smart card attack scenario was developed and executed by MWR on older generation devices. Newer systems, including the VX Evolution platform, do not have the same vulnerability. We can’t provide specific numbers due to differences in implementation and because many are distributed through third parties.
