Failures of Tamper-Proofing in PIN Entry Devices
November/December 2009 (vol. 7 no. 6)
pp. 39-45
Saar Drimer, University of Cambridge
Steven J. Murdoch, University of Cambridge
Ross Anderson, University of Cambridge
Bank customers are forced to rely on PIN entry devices in stores and bank branches to protect account details. The authors examined two market-leading devices and found them easy to compromise owing to both their design and the processes used to certify them as secure.

Index Terms:
EMV, security, evaluation, certification, tamper resistance, Common Criteria, card fraud, bank fraud, PIN
Citation:
Saar Drimer, Steven J. Murdoch, Ross Anderson, "Failures of Tamper-Proofing in PIN Entry Devices," IEEE Security & Privacy, vol. 7, no. 6, pp. 39-45, Nov.-Dec. 2009, doi:10.1109/MSP.2009.187