Issue No.06 - November/December (2009 vol.7)
pp: 39-45
Saar Drimer, University of Cambridge
Steven J. Murdoch, University of Cambridge
Ross Anderson, University of Cambridge
ABSTRACT
Bank customers are forced to rely on PIN entry devices in stores and bank branches to protect account details. The authors examined two market-leading devices and found them easy to compromise owing to both their design and the processes used to certify them as secure.
INDEX TERMS
EMV, security, evaluation, certification, tamper resistance, Common Criteria, card fraud, bank fraud, PIN
CITATION
Saar Drimer, Steven J. Murdoch, Ross Anderson, "Failures of Tamper-Proofing in PIN Entry Devices", IEEE Security & Privacy, vol. 7, no. 6, pp. 39-45, November/December 2009, doi:10.1109/MSP.2009.187