December 27th, 2006
So much for tamper-resistance:
Many discussions over the security of Chip & PIN have focused on the tamper-resistance of terminals (for example in the aftermath of the Shell Chip & PIN fraud). It is important to remember, however, that even perfect tamper resistance only ensures that the terminal will no longer be able to communicate with the bank once opened. It does not prevent anyone from replacing most of the terminal’s hardware and presenting it to customers as legitimate, so freely collecting card details and PINs.
Steven Murdoch and myself took the chassis of a real terminal and replaced much of the internal electronics such that it allows us to control the screen, keypad and card-reader. Steven suggested that in order to show that it is completely under our control, we should make it play Tetris (similarly to the guys who made a voting machine play chess). We recorded a short video showing our Tetris playing terminal in action.
It's easy to fool people into thinking that "technology = security". Nothing could be further from the truth.
This entry was posted on Wednesday, December 27th, 2006 at 12:16 and is filed under Stay Secure. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.