Tuesday, March 4, 2008

UK Card Readers Hack

According to SecurityFocus, an e-zine which focuses on electronic security issues, UK merchants have a problem. It sounds like a pretty significant problem with their card readers. SecurityFocus' article says that when credit cards are scanned through the readers, the information is not encrypted and is thus readable by anyone with access to the data stream from that reader.

The University of Cambridge discovered PIN entry device (PED) vulnerabilities that allow an attacker to wiretap a reader and collect enough data from cards and the PIN pad to create counterfeit cards.

For those of you unfamiliar with the UK's debit and credit setup, I'll explain. Let's say I go to a restaurant and purchase a dinner for two costing a certain amount of money. The waitress brings out a portable card reader; instead of scanning, she takes your debit or credit card from a UK bank and places the card, which is embedded with a chip, inside the reader. Then the transaction proceeds like it does everywhere else. The readers then transmit the card information through a wireless connection. Catch where I'm going with this? If not, continue reading and you'll get it eventually.

According to SecurityFocus, the researchers described the vulnerabilities in a paper to be published at the IEEE Symposium on Security and Privacy in May.

"The vulnerabilities we found were caused by a series of design errors by the manufacturers," Saar Drimer, a researcher at UC's Computer Laboratory and an author of the paper, said in a statement. "They can be exploited because Britain's banks set up the Chip & PIN in an insecure way ... A villain who taps this gets all the information he needs to make a fake card, and to use it."

This is not just a UK-only vulnerability. There are all sorts of vulnerabilities with card readers all over the world. If the card information isn't encrypted on the merchant, purchaser, and bank ends, then there will always be a vulnerability.
