Credit card vulnerability still alive and well - AusCERT 2011
18 May 2011, 13:39
Photo caption: Cambridge University professor Ross Anderson.
Global banks are yet to solve a vulnerability in the Europay, Mastercard and Visa (EMV) integrated circuit standard first rolled out in 2003, allowing hackers to place Trojan devices on point of sale hardware to harvest user and credit card information.
EMV is the global standard used by card providers for integrated circuit (IC) debit and credit cards used in point of sale terminals and automatic teller machines (ATMs).
However, Cambridge University professor Ross Anderson said he had found a vulnerability in 2007 in the PIN entry devices (PEDs) used as part of the standard. Anderson, along with two students, reverse engineered the devices in 2007.
“We found that if you went into the back of the product and drilled in, you could drop a paper clip on to the wire which is the serial port between the pin pad and the smart card,” he said.
With this paper clip, he said the device could become a Trojan with enough data harvested from every transaction to make a mag stripe version of a card and use it at any ATM.
“We told the banks in October 2007 and they said `it’s not a problem because the criminals aren’t as clever as you Cambridge University chaps’. But this wasn’t true because bad guys were already doing it.”
In July 2008, cyber criminals gained access to a warehouse in Dubai where the devices were stored and managed to plant a Trojan device under the keyboard. This device was used to harvest information from users' cards. “It was possible for people to have a transaction done in a bank and have their credentials stolen,” he said. “The bank would then sue the user for negligence because it was not their fault.”
“In 2003 we were the pioneers [of EMV] and were told it was going to solve problems,” he said. “From the bank’s point of view it was a great rollout because the deal with EMV was that if there was a dispute [with a payment], then the user was liable.”
According to Anderson, banks had hoped EMV would make fraud decrease; in reality, fraud increased.
A worrying factor, Anderson said, was the continuing vulnerabilities in EMV chip and PIN systems, coupled with the fact that banks, at least in the UK, do not share information about phishing and cybercriminal attacks.
“The banks need an incentive to get this right but they take a short term and country rather than global view of it,” he said.
“Banks could do better if they shared information on phishing,” said Anderson. “If bankers were rational then they wouldn’t have a problem.”
The lack of global and local laws mandating that companies disclose phishing or hacking attempts against internal systems has continued to be a focal point for many security experts.
Hamish Barwick travelled to AusCERT 2011 as a guest of AusCERT