CNET también está disponible en español.

Ir a español

Don't show this again

Christmas Gift Guide

Chip & PIN terminals too easy to hack, says security expert

A security company is warning that PIN terminals across the country are dangerously open to thieves wanting to steal your card details.

Enter your PIN... at your own risk. A security company is warning that card readers across the country are dangerously vulnerable to thieves looking to steal your card details.

British IT security company MWR InfoSecurity warns of the dangers of Chip and PIN payment terminals found in shops, bars, restaurants and anywhere you need to fork over readies.

Probing the security of the number pads we use to pay for things, MWR has found that "efforts are being directed to securing the PIN Pads physically, but the software installed in the terminals remains highly vulnerable" -- to the point that even your phone is more secure than a PIN terminal.

Thieves can hack PIN terminals with a malicious smartcard. A wrong'un in a restaurant could pretend to be making a payment with their bank card, for example, only to slip in a 'Trojan card' that accesses the payment terminal -- leaving malware lurking within the terminal from that point onwards.

When you then come to pay for your delicious meal, thieves record both your PIN and your PAN (that's your Primary Account Number, the long number on the front of the card) -- and the numbers of everyone else chowing down in the unfortunate eatery.

Once they've hacked the merchant's network, all PINs and other card holder information can be retrieved over Wi-Fi, Bluetooth or just a phone line. The bolder tea-leaf can simply drop by for another snack and swipe the Trojan card again to collect the recorded data.

Not only are PIN pads "open to many forms of attack", hacked pads could even be compromised "to the extent that it would be very difficult to identify if they had been breached".

It's in the interests of a security company to talk up potential problems of course, so it can sell its conclusions to those in the industry. We've contacted Visa, one of the companies behind Chip and PIN, for a comment. 

Chip and PIN was introduced in Britain in 2004, and changed the card payment system to encode your details on a microchip instead of the swipey stripe. The system is more secure than previous payments, but there have still been successful attacks: in 2008, card readers made in China were tampered with before being sent to shops, allowing thieves in Pakistan to steal moneys estimated to be in the tens of millions of pounds

Have you ever been targeted by thieves through your card? How did it happen, and how did your bank react? Tell me your experience in the comments or on our Facebook page.