Chip and pin vulnerable to relay attack

Tetris hackers strike again.

The Cambridge University computer scientists who hacked a chip and Pin terminal to play Tetris are back with a new exploit.

Saar Drimer and Steven Murdoch claimed that the system is vulnerable to a new kind of fraud which involves "relaying" information from a genuine card.

Using this technique, a chip and Pin terminal in a remote location could be made to accept a counterfeit card.

During a test described on the duo's Light Blue Touchpaper website, a fraudster sets up a fake terminal in a busy shop or restaurant.

When a genuine customer inserts their card into this terminal, the fraudster's accomplice inserts their counterfeit card into the merchant's terminal in another shop.

The fake terminal reads details from the genuine card, and relays them to the counterfeit card so that it will be accepted.

The Pin is recorded by the fake terminal and sent to the accomplice for them to enter, at which point they can walk off with the goods.

The researchers claimed that foul play would only be detected when the victim receives their statement.

"There will be nothing unusual about this transaction from the bank's perspective as it will seem as if the real card was used, with a chip and the correct Pin," the researchers said.

"It should also work equally well via a mobile phone to the other side of the world."

Drimer and Murdoch conceded that it is unlikely that criminals are using techniques such as this, as there are less sophisticated attacks to which chip and Pin remains vulnerable.

However, the researchers warned that, as security is improved, the relay attack may become a significant type of fraud.


Copyright ©v3.co.uk