Researchers: UK card readers tappable

Computer scientists from the University of Cambridge announced this week that debit- and credit-card readers in the U.K. do not encrypt data sent to the PIN pad, allowing sensitive information to be stolen.

The PIN entry device (PED) vulnerabilities allow an attacker to wiretap a reader and collect enough data from cards and the PIN pad to create counterfeit cards, the researchers stated. The insecurity is due to the way the United Kingdom set up its "Chip & PIN" system and the way reader makers implemented the standard, the researchers stated in a paper to be published at the IEEE Symposium on Security and Privacy in May.

"The vulnerabilities we found were caused by a series of design errors by the manufacturers," Saar Drimer, a researcher at UC's Computer Laboratory and an author of the paper, said in a statement. "They can be exploited because Britain's banks set up the Chip & PIN in an insecure way ... A villain who taps this gets all the information he needs to make a fake card, and to use it."

Credit- and debit-card fraud has garnered an increasing amount of attention as laws in the U.S. and Europe have required the disclosure of breaches of personal information. In 2007, retailer TJX Companies announced that online data thieves had gained access to its processing systems and stolen information on more than 100 million credit- and debit-card accounts. In November, the United Kingdom's tax agency acknowledged that two disks lost in the mail had sensitive information on 25 million parents and children.

Because of the losses, retailers have increased their security, albeit slowly, and also lobbied to remove requirements that they hold onto some customers' data.

The attack uses a low-tech method of defeating the devices' tamper-resistant technology -- a paper clip. The researchers used a paper clip inserted through a hole in the device to tap into the signals sent between the reader and the key pad.

No recall of the devices is planned, the researchers stated.
