Archive for August, 2008

There are a number of attacks that involve modifying EFTPOS smart card terminals. This is especially a problem when the same PIN is used for Chip and PIN entry as for the magnetic stripe: an attacker takes a copy of the magnetic stripe, and even if the user then uses Chip and PIN, the captured details (magnetic stripe + PIN) can be sent overseas and used to make withdrawals from ATMs that do not have a chip reader.

See the detailed story on the issue, “Criminals hijack terminals to swipe Chip-and-PIN data”.

Most of these problems come down to one simple issue: the user does not have the technical skills to determine whether a particular ATM or EFTPOS machine should be trusted.

One simple answer to this problem of trusted hardware may be to have smart cards with a PIN pad and a small display built in.

  1. You would insert your card in the ATM/EFTPOS machine.
  2. Choose the transaction (e.g. withdraw $100, or pay $12.34 for some goods).
  3. Remove the card from the ATM/EFTPOS terminal.
  4. The card would then have a small display showing how much you were authorising and potentially who you were paying as well.
  5. You would then enter your PIN on keys / touch sensor built into the smart card.
  6. Re-insert your card in the ATM/EFTPOS terminal to complete the transaction.
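The six steps above as a simulation, added here as an example and not from the original post. The Card class, the HMAC-based authorisation, the issuer check and all key and PIN values are assumptions chosen to show why a tampered terminal gains nothing: it never sees the PIN, and it cannot alter an amount the card has already signed (a real card would use its own EMV cryptograms).

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed values for the simulation: the card's key and PIN live only on the
# card; the terminal (and any attacker who tampered with it) never handles them.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CARD_PIN = "4921"


def _auth_message(amount_cents: int, payee: str, nonce: bytes) -> bytes:
    # What the cardholder approved, bound to a fresh nonce against replay.
    return f"{amount_cents}|{payee}|{nonce.hex()}".encode()


class Card:
    """Hypothetical smart card with its own display and PIN pad (steps 4 and 5)."""

    def __init__(self, key: bytes, pin: str) -> None:
        self._key, self._pin = key, pin
        self.display = ""
        self._pending = None

    def review(self, amount_cents: int, payee: str, nonce: bytes) -> None:
        # Step 4: the card shows exactly what it is about to authorise.
        self.display = f"Pay {payee} ${amount_cents / 100:.2f}"
        self._pending = (amount_cents, payee, nonce)

    def authorise(self, pin_entered: str) -> Optional[bytes]:
        # Step 5: PIN checked on-card; a correct PIN yields a MAC over the displayed details.
        if self._pending is None or not hmac.compare_digest(pin_entered, self._pin):
            return None
        return hmac.new(self._key, _auth_message(*self._pending), hashlib.sha256).digest()


def issuer_verify(amount_cents: int, payee: str, nonce: bytes, tag: Optional[bytes]) -> bool:
    """Issuer recomputes the MAC over the transaction the terminal claims was approved."""
    if tag is None:
        return False
    expected = hmac.new(CARD_KEY, _auth_message(amount_cents, payee, nonce), hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def run_transaction(card: Card, amount_cents: int, payee: str, pin: str,
                    terminal_reports: Optional[int] = None) -> bool:
    """Steps 1-6; terminal_reports simulates a tampered terminal submitting a different amount."""
    nonce = secrets.token_bytes(8)              # freshness value from the issuer/terminal
    card.review(amount_cents, payee, nonce)     # steps 1-4
    tag = card.authorise(pin)                   # step 5, PIN typed on the card itself
    claimed = amount_cents if terminal_reports is None else terminal_reports
    return issuer_verify(claimed, payee, nonce, tag)  # step 6
```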

I don’t think the technology is too much of a problem. Building a display and PIN pad into a card that remains as thin as current ones may be a challenge, though not an insurmountable one I suspect.

But then again, why not just use a trusted computing device with short-range communications to authorise payments? For example: swipe your phone past the EFTPOS machine; transactions under $100 are authorised automatically, up to $300 the user clicks OK on the phone to authorise, and the phone requires a PIN to authorise anything more.
