2006-04-20

Skimming Chip'n'Pin

Mike Bond at Cambridge University reports some interesting results of experiments attempting to hack chip and pin terminals, much like the current scourge of ATM skimmers. I've wondered about the possibilities here for some time; after all, when you type your valuable PIN into equipment controlled by the vendor, you have no trusted computing base: in theory, your PIN is compromised each and every time you use it, and you're just trusting that the retailer isn't going to abuse its position. The only thing protecting you from a compromised retailer is the difficulty of implementing a skimmer or man-in-the-middle attack. The interesting thing about Bond's work is that it sets a rather low (if unclear) limit on that difficulty.

No comments: