Skip to main content

Chip and Pin defeated by Paper clip trick

After news from Princeton University that encryption could be broken thanks to a glacial blast of liquid nitrogen, another group of researchers, this time from the University of Cambridge, found out how to circumvent (opens in new tab) Chip and Pin protection.

Chip and Pin (opens in new tab), which was flogged as the next big thing in consumer security since cards were introduced, could well be slightly more insecure than first believed.

Saar Drimer, Steven Murdoch and Ross Anderson, from the Cambridge University Computer Laboratory said that two PIN Entry devices or PED used extensively in the industry do not fare well when protecting card details.

The Ingenico i3300 and Dione Xtreme (opens in new tab) are both vulnerable to a 'tapping attack', according to a widely available technical paper (PDF download here (opens in new tab)), using a few bits and bobs which cost no more than £10.

The operation is as simple as it is ingenious; a minuscule piece of electronics is inserted into the PED device and records all transactions including PIN and account details as they are transmitted between the genuine account holder and the machine.

This whole new Chip and Pin saga reminds us of the story of a French lad called Serge Humpich (opens in new tab), who back in 2000, cracked open the French chip card system but ended up in jail rather than being celebrated.

Details of how the PED were hacked were shown yesterday on BBC 2's Newsnight and Ingenico (opens in new tab), which is behind one of the PEDs says that the hacking requires specialist knowledge; something we're sure criminals do not lack.

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Following an eight-year stint at ITProPortal.com where he discovered the joys of global tech-fests, Désiré now heads up TechRadar Pro. Previously he was a freelance technology journalist at Incisive Media, Breakthrough Publishing and Vnunet, and Business Magazine. He also launched and hosted the first Tech Radio Show on Radio Plus.