The team found that by attaching a small device called a "glitcher" to the cashpoint, criminals could manipulate the cryptographic protocol that is used by chip and PIN to protect PIN numbers.
This vulnerability could allow criminals to steal money from victims' bank accounts by tricking the cashpoint into thinking a genuine PIN is actually a different, higher-value PIN.
The researchers have developed a patch that could fix the vulnerability, and they are working with the UK Cards Association (UKCA) to ensure that all UK chip and PIN terminals are patched as soon as possible.
Professor Steve Fehler of the University of Cambridge's Computer Laboratory, who led the research, said: "This is a serious vulnerability that could allow criminals to steal money from people's bank accounts. We're working with the UK Cards Association to ensure that all UK chip and PIN terminals are patched as soon as possible."
The researchers have published a paper describing their findings, which will be presented at the USENIX Security Symposium in August.
Here's a more detailed explanation of how the attack works:
* When a chip and PIN card is inserted into a cashpoint, the cashpoint sends a message to the card asking for its PIN.
* The card then encrypts the PIN using a cryptographic protocol called DES (Data Encryption Standard) and sends it back to the cashpoint.
* The cashpoint decrypts the PIN using the same cryptographic protocol and checks it against the PIN stored on the card.
* If the PIN is correct, the cashpoint authorises the transaction.
The researchers found that by attaching a "glitcher" to the cashpoint, they could manipulate the cryptographic protocol so that when a genuine PIN is entered it looks like a higher-value PIN has been inputted.
For example, if the genuine PIN was 1234, the glitcher could alter this so that the cashpoint 'saw' a PIN value of 9876. This would allow the criminal to withdraw £9876 instead of £1234 from the victim's bank account.
The researchers have developed a patch that could fix the vulnerability, and they are working with the UK Cards Association to ensure that all UK chip and PIN terminals are patched as soon as possible.
This vulnerability is a reminder that no security system is completely foolproof. However, by working together, we can make it as difficult as possible for criminals to steal our money.
