This week, I’ve read some very interesting posts about Omar S. Choudary’s thesis on credit cards’ PIN security (or lack of it). Although it’s based on previously known information, this thesis is probably the first public document to go so deep into every detail that matters. It is a highly interesting read for the holidays; for those who don’t want to read all of it, here’s a quick summary: it only takes $150 of easy-to-find material to build a card capable of charging any “chip-protected” credit card with any amount your account allows, without prior knowledge of the PIN.
“Then we have used the SCD to perform the No PIN attack at the local cafeteria and even in some random shops in Cambridge. We have successfully bought books and DVDs worth over $50 at one of the shops using the journalist’s card but typing PIN 0000. Even more, we have performed the tests without warning and nobody has noticed the hidden device or fake card (the card interface connected to the SCD). After the transaction we have disclosed the attack to the shop manager who said that such attacks occur very often. The manager mentioned that during busy periods like Christmas credit card frauds occur at least once a week. Because shops can no longer check the cards (as the current policy is to let the customer handle the card insertion and removal) the criminals can use fake cards and devices similar to the SCD to perform fraud.”
The entire thesis can be read here.