- About 800 million purchases each month are processed by chip and PIN machines
- Criminals can use second-hand devices purchased on eBay to load fake cards with malicious software
Millions of customers’ banking details are at risk after it emerged that card readers used in shops and restaurants can be hacked. Experts have found a security flaw in chip and PIN terminals that allows thieves to download customers’ card details. There are more than one million such readers in the UK according to the UK Cards Association, which says they process about 800 million purchases each month.
Thousands of terminals must now be reprogrammed. The chip and PIN system replaced the use of signatures to authorise card purchases in 2006, and combines two effective security features: a microchip to ensure the card is not counterfeit, and a personal identification number (PIN) to prove the user’s identity.
However, researchers discovered that criminals can use second-hand devices purchased on eBay to load fake cards with malicious software. Once used in shops, the fakes – made to look like a normal credit or debit card – infect readers, which begin storing the details of all subsequent transactions. The criminal then returns later and uses a second card to download this data, which includes card details and PINs. A spokesman for security firm MWR told Channel 4: ‘In our demonstration we just got the card number and PIN, but a real criminal would probably reprogramme the reader to request that the card is swiped. This would give magnetic strip data which could be used to clone the card.’
VeriFone, which makes most of the terminals used in Britain, said it is working on an update to fix the flaw. A spokesman said: ‘MWR implemented a sophisticated scenario that is technically feasible on some older systems.
‘VeriFone has developed a software update to resolve this issue in deployed systems and has already submitted the code for testing and approval on an expedited basis.’ Account numbers and PINs are sold, often in bulk, on hundreds of so-called ‘carding’ websites, often based in Eastern Europe or China. Anyone with an email address can sign up and receive access to a global network of criminals selling details stolen from victims all over the world, contributing to the £308 million of card fraud committed in the UK each year.
A Daily Mail investigation found one seller on a Russian website offering British credit cards, with full details of the original owner’s identity, for just £19 each. For £190, they also claimed to be able to offer access to a bank account with a credit limit of £8,000. It recently emerged that 15 million Barclays customers using new contactless credit and debit cards could have their details stolen by ‘electronic pickpockets’ who brush past wallets with a mobile phone. The cards, billed as the latest in payment technology, contain a chip so that payment can be made without the need to enter a PIN. However, investigators found criminals could obtain a customer’s name, card number and expiry date by holding a smartphone fitted with simple software over a wallet containing the card.
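The contactless passage above says a phone held over a wallet can read the cardholder's name, card number and expiry date. What the phone actually receives is an EMV record encoded as BER-TLV, and the three fields sit in standard, unencrypted tags (5A for the card number, 5F24 for the expiry date, 5F20 for the cardholder name, with the card number and expiry repeated in the track 2 equivalent data, tag 57). The Python below is an added example, not code from the article, MWR, VeriFone or Barclays: it builds a constructed sample record (test card number, invented name and dates, not captured from a real card), decodes it, and shows which fields a contactless read yields and which it does not. The tag numbers come from the EMV specification; everything else is an assumption of this example.

```python
"""
Decode an EMV contactless READ RECORD response (BER-TLV) and pull out the
fields the 'electronic pickpocket' story refers to.

Added example. The sample record is CONSTRUCTED here, not read from a card.
Tag numbers (70, 5A, 5F24, 5F20, 57) are the standard EMV ones.
"""


def encode_tlv(tag: bytes, value: bytes) -> bytes:
    """Build one BER-TLV element (used only to construct the sample record)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return tag + length + value


# Constructed sample: an application record wrapped in the 70 template,
# using the well-known test PAN 4111111111111111 and an invented holder.
SAMPLE_RECORD = encode_tlv(
    b"\x70",
    encode_tlv(b"\x5a", bytes.fromhex("4111111111111111"))          # PAN (BCD)
    + encode_tlv(b"\x5f\x24", bytes.fromhex("251231"))              # expiry YYMMDD
    + encode_tlv(b"\x5f\x20", b"SMITH/JOHN")                        # cardholder name
    + encode_tlv(b"\x57", bytes.fromhex(                            # track 2 equivalent
        "4111111111111111D251220100000000000F")),                   # PAN D YYMM svc disc.
)


def _read_tag(data: bytes, i: int):
    """Tag is one byte, or multi-byte when the low five bits are all set."""
    start = i
    first = data[i]
    i += 1
    if first & 0x1F == 0x1F:
        while True:
            b = data[i]
            i += 1
            if not b & 0x80:       # high bit clear ends the tag
                break
    return data[start:i], i


def _read_length(data: bytes, i: int):
    """Short form (< 0x80) or long form (0x8N followed by N length bytes)."""
    b = data[i]
    i += 1
    if b < 0x80:
        return b, i
    n = b & 0x7F
    return int.from_bytes(data[i:i + n], "big"), i + n


def parse_tlv(data: bytes) -> dict:
    """Flatten a BER-TLV buffer into {TAG_HEX: value}, descending into templates."""
    out = {}
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):    # padding bytes permitted between elements
            i += 1
            continue
        tag, i = _read_tag(data, i)
        length, i = _read_length(data, i)
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV element")
        i += length
        if tag[0] & 0x20:              # constructed tag (e.g. 70): recurse
            out.update(parse_tlv(value))
        else:
            out[tag.hex().upper()] = value
    return out


def extract_card_details(record: bytes) -> dict:
    """Return what a contactless reader learns from one record, and what it does not."""
    fields = parse_tlv(record)
    details = {}
    if "5A" in fields:
        details["pan"] = fields["5A"].hex().upper().rstrip("F")      # strip BCD pad nibble
    if "5F24" in fields:
        details["expiry"] = fields["5F24"].hex()                     # YYMMDD
    if "5F20" in fields:
        details["name"] = fields["5F20"].decode("ascii").strip()
    if "57" in fields:
        track2 = fields["57"].hex().upper().rstrip("F")
        pan, rest = track2.split("D", 1)                             # 'D' is the field separator
        details["track2_pan"] = pan
        details["track2_expiry"] = rest[:4]                          # YYMM
    # Not in the data: the PIN never leaves the card/terminal, the 3-digit code
    # printed on the back (CVV2) is not stored in the chip, and the track 2
    # equivalent normally carries an iCVV that differs from the magstripe's CVV1,
    # so a magstripe clone built from this data should fail the issuer's check.
    details["pin_exposed"] = False
    details["cvv2_exposed"] = False
    return details


if __name__ == "__main__":
    for key, value in extract_card_details(SAMPLE_RECORD).items():
        print(f"{key:15} {value}")
```

The decoder deliberately handles multi-byte tags, long-form lengths and inter-element padding, because real card records use all three; a parser that only understands one-byte tags will miss 5F24 and 5F20 entirely. The point for a defender is the last four lines of `extract_card_details`: the skim yields name, number and expiry, which is enough for some card-not-present fraud, but not the PIN or CVV2.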