Chip and PIN... is it as secure as they say...?

BBC NEWS | Business | 'Chip and pin' security warning

Interesting article over at the BBC where Ross Anderson (author of the excellent "Security Engineering") is questioning the security of the new (in the UK) Chip and PIN rollout.

He makes an interesting point, which is that if crooks can create fake readers they can set up business and use them to gather credit card details...

Now I'd like to think that this shouldn't be possible (or at least easy). I'd have expected something like a mutual authentication between card and reader or something like that to mitigate this kind of attack. However, the quote in the story from the representative of the Chip and PIN companies doesn't make me feel too comfortable:


"We don't think they can use fake machines because the machines themselves are engineered to read the chip so they must be reading the chip very carefully. That makes the transaction itself extremely secure."

Now that kind of implies to me that they're relying on the difficulty of creating a reader to protect the card details. I really hope there's more to it than that, because we've been shown that that kind of protection doesn't last...

About this Entry

This page contains a single entry by Rory2 published on December 19, 2004 9:54 AM.
