ChipAndPinTechnology
Latest
Security experts hack payment terminals to steal credit card info, play games
If a payment terminal could be forced into servitude as a crude handheld gaming device, what else could it be made to do? Researchers at the Black Hat conference showed just what mischief a commonly used UK PoS terminal could get up to when they inserted a chip-and-pin card crafted with malicious code. That enabled them to install a racing game and play it, using the machine's pin pad and screen. With the same hack, they were able to install a far less whimsical program as well -- a Trojan that could record card numbers and PINs, which could be extracted later by inserting another rogue card. On top of that, criminals could use the same method to fool the terminal into thinking a transaction was bank-approved, allowing them to walk out of a store with goods they hadn't paid for. Finally, the security gurus took a device popular in the US, and used non-encrypted ethernet communication between the terminal and other peripherals to hack into the payment device and take root control. Makes you want to put those credit cards (and NFC devices) away and stick to cash -- at least you can see who's robbing you blind. [Original image credit: Shutterstock]
Cambridge University finds credit card security flaw, uses the money for beer pong supplies (video)
Oh, those crazy kids at Cambridge University -- when not doing keg stands or playing Hacky Sack in the quad they're hard at work proving the vulnerability of the EMV verification used in credit and debit cards (or as it's called across the pond, Chip and PIN). We won't go into too much detail (because we don't have much detail) but a flaw has been discovered that allows one to convince the terminal that a card's PIN has been entered -- and you know what that means: free money! All you really need to pull it off is a fake smart card connected to a card reader containing the stolen card and some fancy software. (Place the contraption inside a hat box or bowling ball bag if you want to be slick.) What could be simpler than that? "We think this is one of the biggest flaws that we've uncovered - that has ever been uncovered - against payment systems, and I've been in this business for 25 years," said Professor Ross Anderson from the school's Computer Laboratory. Sure, this is a proof-of-concept thing, and not yet a clear and present danger, but we have faith that the hackers will see this one through. Maybe we weren't crazy to bury all that gold in the backyard after all! British TV news (with the appropriate dramatic music) after the break.
