Chip and PIN hack attack demoed

Cambridge researchers show prototype digital heist...

Tags: hacking attack, hack, chip and pin

By Tom Espiner

Published: 6 February 2007 16:40 GMT

Two Cambridge researchers have devised a relay attack with a hacked chip and PIN terminal that could enable attackers to bypass bank card security measures.

Saar Drimer and Steven Murdoch, members of the Cambridge University Computer Laboratory, have demonstrated a hack that could compromise a supposedly tamper-proof chip and PIN terminal by relaying card information between a fake card and a genuine one.

In the prototype attack demonstrated by Drimer and Murdoch, a customer attempts to pay a restaurant bill by keying their PIN into a chip and PIN terminal that looks real but has actually been tampered with.

Instead of connecting to the customer's bank, the terminal connects to a laptop elsewhere in the restaurant and relays the card information to it. A second laptop, which is linked by a GSM connection (or, potentially, wi-fi) to the first, is carried by an accomplice who is waiting in a jewellery shop across town. This laptop, which is also wired up to a modified bank card, receives the data relayed from the legitimate card in the restaurant.

In the prototype system built by the Cambridge pair, the chip has been removed from the modified card and the card is connected, via wires running up the sleeve of the scammer, to a laptop concealed in a rucksack. Such a set-up could arouse suspicion if detected, but the researchers believe it is possible to make the card more difficult to detect by using an RFID chip which could communicate wirelessly with the laptop.

Once the restaurant customer has entered their PIN, the criminal in the jewellery shop puts the fake card in the shop's terminal. All transactions from the jeweller's terminal are relayed via the fake card, the two laptops and the fake terminal to the legitimate card.

This links the jeweller's terminal to the victim's bank. As the criminals control the terminal in the restaurant, they can make it display that the victim will pay £20, when in reality he or she is being charged £2,000 at the jeweller's for a diamond ring.

During this relay attack the criminals don't need to hack into any systems or run any decryption, as data is simply being relayed from one terminal to another.
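
A simplified model of the exchange described above, added here as an illustration and not taken from the researchers' work: it shows why the bank's cryptographic check still passes when the genuine card's responses arrive over a relay, and that the amount shown to the cardholder is never part of what is verified. The HMAC "cryptogram", the class names and the sample PIN are assumptions and do not reflect the real chip and PIN protocol.

```python
import hashlib
import hmac
import os

def _mac(key, amount_pence, nonce):
    # Toy cryptogram: HMAC over the amount and the terminal's nonce (not real EMV).
    return hmac.new(key, amount_pence.to_bytes(8, "big") + nonce, hashlib.sha256).digest()

class GenuineCard:
    """The victim's card; shares a key with the bank (simplified model)."""
    def __init__(self, key, pin):
        self._key, self._pin = key, pin
    def authorise(self, pin, amount_pence, nonce):
        return _mac(self._key, amount_pence, nonce) if pin == self._pin else None

class RelayedCard:
    """Models the fake card plus the laptop link: forwards every request unchanged."""
    def __init__(self, genuine):
        self._genuine = genuine
    def authorise(self, pin, amount_pence, nonce):
        return self._genuine.authorise(pin, amount_pence, nonce)

class ShopTerminal:
    """An honest terminal; it challenges whatever card is inserted."""
    def __init__(self, bank_key):
        self._bank_key = bank_key
    def pay(self, card, pin, amount_pence):
        nonce = os.urandom(8)  # fresh challenge per transaction
        mac = card.authorise(pin, amount_pence, nonce)
        expected = _mac(self._bank_key, amount_pence, nonce)  # bank-side check, inlined
        return mac is not None and hmac.compare_digest(mac, expected)

def simulate(displayed_pence=2_000, charged_pence=200_000):
    key, pin = os.urandom(32), "4921"  # constructed sample values
    victim_card = GenuineCard(key, pin)
    jeweller = ShopTerminal(key)
    # The tampered restaurant terminal shows `displayed_pence` and collects the PIN;
    # the jeweller's terminal talks to the genuine card through the relay.
    accepted = jeweller.pay(RelayedCard(victim_card), pin, charged_pence)
    wrong_pin = jeweller.pay(RelayedCard(victim_card), "0000", charged_pence)
    return {
        "bank_accepts": accepted,
        "wrong_pin_accepted": wrong_pin,
        "amount_shown_to_cardholder": displayed_pence,
        "amount_authorised_by_card": charged_pence,
        # The displayed amount is never an input to anything the bank verifies.
        "display_matches_charge": displayed_pence == charged_pence,
    }

if __name__ == "__main__":
    print(simulate())
```

The transaction verifies because every message is genuine; the only discrepancy, between the £20 displayed and the £2,000 authorised, exists on a screen that no honest party in the exchange can see.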

The researchers were unwilling to reveal too much of the technology behind the attack, as they don't want their methods falling into the wrong hands. Nevertheless, they told silicon.com sister site ZDNet UK a Field Programmable Gate Array - a semiconductor device containing programmable logic components and programmable interconnects - was used in the fake card.

Drimer said: "The restaurant patron has got their meal for free, as the £20 has never been charged. But they will have been charged £2,000 at the jeweller's."

He claimed the fraud would be difficult for police to trace, as the victim might only notice once they received a bank statement. They would need to remember where they were when the fraud occurred, as the transaction would show from the jeweller's, not the restaurant.

He added: "A criminal could have a fast turnaround from this type of attack - most likely it would not be detected."

The researchers' goal was to prove that chip and PIN systems are not infallible. "Chip and PIN currently does not defend against this attack, despite assertions from the banking community that customers must be liable for frauds in which the PIN was used," they said, in an as-yet-unpublished paper.

They added: "When customers pay with a chip and PIN card, they have no choice but to trust the terminal when it displays the amount of the transaction. The terminal, however, could be replaced with a malicious one, without showing any outward traces."

Tom Espiner writes for ZDNet UK
