How secure is your credit card?

posted on Mar, 2 2008 @ 07:28 AM

Saar Drimer, Steven J. Murdoch and Ross Anderson, researchers at the Computer Laboratory, University of Cambridge, have shown that Chip & PIN machines are not as secure as the banking industry claims. Two widely deployed models of PIN Entry Devices (PEDs), the Ingenico i3300 and Dione Xtreme, fail to protect customers' card details and PINs adequately.
...
Criminals are already using techniques similar to these to defraud British customers, with losses in one case alone claimed to be in eight figures. The technical sophistication required to carry out this attack is low, and fraudsters have already shown they have the necessary skills. The tap would not normally be visible to customers, and in the case of the Ingenico PED it could be totally enclosed by the device.
...
The Cambridge attacks call into question the system under which bank terminals are certified. Visa and APACS certified these devices as secure, and the vendors are pushing retailers to buy certified devices. But the evaluators did not find the flaws identified by the Cambridge team. The Protection Profile – the target used by the evaluators – was approved by GCHQ, and yet the Cambridge work has shown it was unrealistic. APACS and Visa claimed the devices were evaluated under the Common Criteria, an international evaluation scheme administered in the UK by GCHQ; yet GCHQ had not heard of the work and now says that the devices were never certified under the Common Criteria.


Visa is one of the big players here and to date they have refused to acknowledge this claim, even though proven. Basically the PED (PIN entry device) is breached so as to provide a means of collecting card user information and PIN number. The information is sent CLEAR text via the tap. There are means of course to encrypt the data at this level; however, due to increased costs the card distributors have been reluctant. Visa has essentially thumbed their nose using this simple approach as outlined in the video below. Corrupt merchants could very easily collect card holder information and remove funds. This is a different approach from past incidents involving ATM skimmers (fake front card access terminals) and has proven very lucrative for the criminal underworld.

src www.cl.cam.ac.uk...

Whitepaper details www.cl.cam.ac.uk...

Video

Google Video Link


brill


[edit on 2-3-2008 by brill]



posted on Mar, 2 2008 @ 07:36 AM
reply to post by brill
 


I hate to say it...but maybe this is where the government has to step in and come down hard with regulations, backed by severe penalties. These corporations are not going to spend a lot more money protecting you, if they can get away with it. And if you don't think that will be the case?...I got one word for you ...CHINA...



posted on Mar, 2 2008 @ 07:42 AM

Originally posted by jimmyx
reply to post by brill
 


I hate to say it...but maybe this is where the government has to step in and come down hard with regulations, backed by severe penalties. These corporations are not going to spend a lot more money protecting you, if they can get away with it. And if you don't think that will be the case?...I got one word for you ...CHINA...


Agreed, there should be more stringent regulations in place. However, in my view, so long as the card issuer is prepared to "fix" the problem, no loss for me, money wise, when this happens.

brill



 