Updated UK researchers have uncovered a serious flaw in the Chip and PIN machines that authenticate debit and credit card transactions.

Two of the most popular PIN entry devices (PED) in the UK — the Ingenico i3300 and Dione Xtreme — are vulnerable to a "tapping attack", using nothing more sophisticated than a paper clip, a needle and a small recording device.

This basic kit enabled University of Cambridge Computer Labs researchers to record data exchanged between a card and the device's processor without triggering tamper-proofing mechanisms. The devices analysed by the team were borrowed from merchants, but they can also be purchased online for as little as $20.

In a technical paper (PDF) the researchers explain that in both PIN entry devices they examined the secure storage for cryptographic keys is well protected. However, in each case it is possible to tap the data line between the card and the PIN Entry device's processor. The data exchanged on this line is not encrypted so the problem becomes one of getting physical access to the link and of hiding this covert snooping.

The Ingenico PED includes 1mm holes that provide access to a printed circuit board using a bent paper clip. "This can be inserted through a hole in the plastic surrounding the internal compartment, and does not leave any external marks," the Cambridge researchers explain. Handily the Ingenico PED provides a concealed compartment designed for the insertion of optional SIM-sized cards to expand its functionality. The compartment is not intended to be tamper-proof and provides a concealed compartment to hide the wiretap, if not direct access to the circuit board.

The Dione PED does not provide a concealed compartment to hide the wiretap, but is still vulnerable. The Cambridge researchers drilled a 0.8mm hole from the rear, through which they inserted a 4 cm needle into a flat ribbon connector socket. A thin wire connection from this link and interfaced by a small board could be used to send entered data to a laptop.

The Cambridge researchers conclude that the attack is far easier to pull off than the banking industry claims.

What should have required $25,000 needed just a bent paper clip, a needle, a short length of wire and some creative thinking; attaching them to the data line takes minutes with some practice. A small FPGA or microcontroller board with some non-volatile memory can easily fit inside the Ingenico PED’s compartment and record transaction details without the cardholder’s knowledge, while a wire routed from the back of a mounted Dione PED to a recorder under the counter will not be detected unless the cardholder conducts a very close inspection – and knows what to look for. The recording circuit can be very small and either battery operated or attached to the PED’s power supply; with a full transaction requiring about 1 kB of storage, even a small memory can record thousands of transactions. Detecting such a tap from within the PED is extremely difficult, since high input impedance probes do not significantly distort signals, and proper termination suppresses reflections.

"This attack can capture the card’s PIN because UK banks have opted to issue cheaper cards that do not use asymmetric cryptography to encrypt data between the card and PED," the Cambridge researchers note.

A demo of the attack (video here) featured on UK news programme Newsnight on Tuesday.

It gets worse. To ensure backward compatibility, PIN entry devices read data on magnetic strips, as well as on chips on newer credit cards. Hackers tapping into the link between a card and the processing device could get all the data needed to make a cloned card. Add in the corresponding PIN, and fraudsters could withdraw cash at the many ATMs overseas not upgraded to read chips and therefore solely reliant on easily-fakeable magnetic stripes.

Tampered PIN entry devices have already been used for fraud. Last December, £80,000 was stolen from 1,500 people in Leicestershire when crooks cloned their cards using a doctored device in a local petrol station.

The process to determine PIN reader security is substandard, the Cambridge team argues. Evaluation should be more open and defective devices should be refused certification, they say..

The Cambridge Chip and PIN scenarios pose little threat in the real world, according to APACS, the banking association which spearheaded the introduction of Chip and PIN in the UK. "The types of attack on PIN entry devices detailed in this report are difficult to undertake and not currently economically viable for a fraudster to carry out," a spokesman said.

Ross Anderson, a member of the research team and professor of security engineering at Cambridge, said: "The lessons we learned are not limited to banking. Other fields, from voting machines to electronic medical record systems, suffer from the same combination of stupid mistakes, sham evaluations and obstructive authorities. Where the public are forced to rely on the security of a system, we need honest security evaluations that are published and subjected to peer review."

The Cambridge team presents its findings in full in May at the IEEE Symposium on Security and Privacy conference in Oakland, California. Anderson's colleagues are Saar Drimer and Steven Murdoch. ®