Shostack + Friends Blog Archive

 

Chip and Pin Point-of-Sale Interceptor

Mike Bond at Cambridge University has a page “Chip and PIN (EMV) Point-of-Sale Terminal Interceptor,” [link to http://www.cl.cam.ac.uk/~mkb23/interceptor/ no longer works] in which he documents:

Our interceptor is a prototype device which sits between a Point-of-Sale (POS) terminal in a shop and the Chip and PIN card carried by a customer. It listens passively to the electrical signals – “the conversation” – between the chip card and the terminal, and from this can retrieve and store the customer’s account number. In the case of the cheaper “Static Data Authentication” (SDA) Chip and PIN cards, which are used by most UK banks, it can also store the customer’s entered PIN, when it is sent from the terminal to the card, just after the customer types it in.

Now, admittedly, this isn’t the system in use in the USA. The system in the USA, with magnetic stripe and PIN, that’s much easier to break.