Researchers from Cambridge University have succeeded in capturing both PIN numbers and card details from supposedly tamper-proof PIN terminals.
Saar Drimer and Steven Murdoch, overseen by Professor Ross Anderson, managed to hack two widely used PIN terminals: the Ingenico i3300 and the Dione Xtreme.
In a research paper seen by ZDNet.co.uk, the researchers outline the hack. Both terminals have tamper-proof mechanisms inside, but both can be circumvented by tapping the data line of the PIN Entry Device/smartcard interface. The data exchanged on this line is not encrypted.
The Ingenico i3300 has a tamper-response switch inside which is tripped if the terminal is forced open, and also has its innards wrapped in a tamper-proof mesh, to detect drilling. However, there is a user-accessible compartment to insert SIM cards that is not intended to be tamper-proof. The PCB has various holes that an attacker can use to insert a conductor into the serial data line, to tap both the PIN and card details. The researchers used a paper clip as the conductor, linked to the data line.
The Dione Xtreme also has a tamper-response switch, but no mechanisms to detect drilling from the rear. The main keypad and processor are "potted together", making it more difficult to incept the signal passing between them. However, by drilling a 0.8mm hole from the rear, the researchers inserted a 4cm needle into a flat ribbon connector socket and tapped the data.
In both cases, the conductors were connected to a thin wire connected to a logic board containing a field programmable gate array (FPGA), which translated the data and sent it to a laptop.
Both devices were Visa-certified to be secure, which requires that defeating the tamper detection would cost over $25,000 (£12,500) per-PIN entry device; or that inserting a PIN-stealing bug would be detected, or take more than 10 hours.
Neither terminal meets any of these requirements, said the researcher paper.
"What should have required $25,000 needed just a bent paperclip, a needle, a short length of wire and some creative thinking; attaching them to the data line takes minutes with some practice," said the paper.
"What this shows is that PIN entry devices in the UK are very insecure," said Professor Anderson about the research. "What's more, the [device] certification process is completely defective. Certified devices are easy to breach. That's bad news for retailers, and bad news for customers."
Drimer added that this hack showed the complete process from design to implementation of these devices was broken.
"These devices should not have been certified because they clearly fail the criteria under which they were evaluated," Drimer told ZDNet.co.uk. "Something went wrong in the design of these devices, the certification process, and the EMV implementation choices made by the banks."
Ingenico admitted that the hack was successful, but said that its device "still remained one of the safest on the market".
A spokesman for Ingenico Northern Europe said: "Retailers and card users should rest assured that the devices, from various suppliers, identified by the Cambridge University scientists, remain among the most secure terminals on the market and have contributed to card fraud at UK retailers falling by up to 47 percent year-on-year since the introduction of chip and PIN. The banking industry has already expressed its confidence in the security capabilities of all chip and PIN payment devices being used in the UK today.
"The method identified by the Cambridge University paper requires specialist knowledge and has inherent technical difficulties. This method is therefore not reproducible on a large scale, nor does it take into account the fraud monitoring used throughout the industry."
"Security remains a top priority for Ingenico and we invest around €40m each year in research and development to ensure our customers remain at the forefront of the fight against fraud."
"This investment is highlighted in the latest generation of our terminals which are approved under the latest security standards. These meet the higher security required by industry mandates introduced on 1 January, 2008 and are designed to stay one step ahead of the evolving security threat."
Dione, which is manufactured by Verifone, had not responded to a request for comment at the time of writing.