About 800 million purchases each month are processed by chip and PIN machines. Criminals can use second-hand devices purchased on eBay to load fake cards with malicious software.
Millions of customers’ banking details are at risk after it emerged that card readers used in shops and restaurants can be hacked.
Experts have found a security flaw in chip and PIN terminals that allows thieves to download customers’ card details. Thousands of terminals must now be reprogrammed.
The chip and PIN system replaced the use of signatures to authorise card purchases in 2006, and combines two effective security features: a microchip to ensure the card is not counterfeit, and a personal identification number (PIN) to prove the user’s identity. However, researchers discovered that criminals can use second-hand devices purchased on eBay to load fake cards with malicious software.
Once used in shops, the fakes – made to look like a normal credit or debit card – infect readers, which begin storing the details of all subsequent transactions. The criminal then returns later and uses a second card to download this data, which includes card details and PINs.
A spokesman for security firm MWR told Channel 4: ‘In our demonstration we just got the card number and PIN, but a real criminal would probably reprogramme the reader to request that the card is swiped. This would give magnetic strip data which could be used to clone the card.’
VeriFone, which makes most of the terminals used in Britain, said it is working on an update to fix the flaw.
‘VeriFone has developed a software update to resolve this issue in deployed systems and has already submitted the code for testing and approval on an expedited basis.’