Chip and PIN could increase violent theft
Posted on 2 Mar 2009 at 12:00
Cambridge University's Computer Laboratory has claimed that card readers used for online banking are insecure and could lead to an increase in violent attacks. A research paper by the laboratory exposes weaknesses in the Chip Authentication Programme (CAP), which leaves consumers open to fraud and, more scarily, a higher risk of physical attack.
The threat of violence comes from the way that criminals can use the handheld CAP card readers that NatWest and Barclays provide with their online banking services. In normal use a customer inserts their bank card into the reader, types in their PIN and receives a one-time code that has to be entered into the online banking website. However, the reader's screen displays a message when a wrong PIN is entered, so the reader itself confirms whether a PIN is correct.
Armed with this information a mugger could march a victim to a secluded area, physically assault them to get their PIN, and verify it on the spot with a handheld reader. Being able to get verification in this way reduces the risk of the mugger being exposed to security cameras, such as those used around cash machines. This technique will only work with CAP-enabled bank cards, but lots of banks are beginning to issue them, even those that don't currently supply CAP readers.
"The two banks that have flooded the UK with CAP readers have thereby placed not only their own customers in harm's way, but have also endangered the customers of other banks who have enabled their debit cards for CAP," said the research paper. "It remains to be seen whether customers will be able to demand cards that are not CAP-enabled and thus do not put them at needless physical risk."
A further risk comes from the fact that the banks tell their customers to carry around their CAP readers. With repeated use, the keys used in entering the PIN become worn down. An intelligent thief could examine a victim's reader and work out which numbers make up the PIN and then start guessing by using the reader as verification.
"If the PIN has 4 distinct digits this leaves 24 different orderings, this increases the chance of an attacker guessing the correct PIN in three attempts from 1 in 3333 to 1 in 8," said the paper. "If a customer has multiple cards with the same PIN, the attacker has even better odds."
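To quantify the risk argument the paper makes, the following added example (not code from the paper or the article) enumerates the PINs consistent with a set of worn keys and works out the odds of a three-guess attempt succeeding. It assumes a four-digit PIN, that every worn key appears in the PIN and no other key does, and that a card allows three attempts before locking (the figure the paper's 1-in-3333 baseline implies).

```python
from itertools import product

PIN_LENGTH = 4
TOTAL_PINS = 10 ** PIN_LENGTH   # 0000..9999 when nothing is known
ATTEMPTS_PER_CARD = 3           # assumption: three tries before lock-out


def candidate_pins(worn_digits, length=PIN_LENGTH):
    """All PINs of the given length whose digit set is exactly the worn keys.

    Four distinct worn keys give the paper's 24 orderings; three keys give 36
    (one digit repeated), two keys give 14 and a single key gives just one.
    """
    worn = set(worn_digits)
    return [
        "".join(p)
        for p in product(sorted(worn), repeat=length)
        if set(p) == worn
    ]


def guess_success_probability(num_candidates, attempts=ATTEMPTS_PER_CARD):
    """Chance that `attempts` distinct guesses hit a PIN drawn uniformly from
    `num_candidates` equally likely values (capped at certainty)."""
    return min(1.0, attempts / num_candidates)


def one_in(probability):
    """Express a probability as the N in '1 in N'."""
    return round(1 / probability)


def worn_key_odds(worn_digits, cards_sharing_pin=1):
    """'1 in N' odds of a three-attempt guess succeeding, given the worn keys.

    Assumption: each card sharing the PIN has its own independent try counter,
    so n cards give 3n attempts against the same candidate list.
    """
    candidates = candidate_pins(worn_digits)
    attempts = ATTEMPTS_PER_CARD * cards_sharing_pin
    return one_in(guess_success_probability(len(candidates), attempts))


if __name__ == "__main__":
    # Constructed sample: keys 1, 4, 7 and 9 show wear on the reader.
    print("no knowledge:", one_in(guess_success_probability(TOTAL_PINS)))  # 3333
    print("4 worn keys:", worn_key_odds("1479"))                           # 8
    print("4 worn keys, 2 cards:", worn_key_odds("1479", 2))               # 4
    print("3 worn keys:", worn_key_odds("147"))                            # 12
```

The three-worn-key case is weaker than it looks: 36 candidates is still a 1-in-12 chance in three tries, so a reader that leaks key wear undermines the PIN whatever the digit pattern.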
The paper also highlights several other flaws in CAP, including the ability for criminals to use modified readers to capture one-time codes and use these within a short period of time to perform fraudulent transactions.
Author: David Ludlow
Printed from www.expertreviews.co.uk