The security flaw affects payment card terminals which allow customers to enter their card and PIN number to make a transaction.
Verifone, which makes most of the UK’s terminals, said it is working on an “expedited” update after security consultants MWR Infosecurity showed they are vulnerable to hacking.
Using second-hand terminals purchased on eBay, MWR accessed the computer code on which the terminals run. They then used this code to programme a fake chip and PIN card, loading the chip with malicious software capable of reprogramming the reader.
The card can be made to look like a normal credit or debit card, so that a criminal could use it in a shop or cafe. The malicious card transfers its software to the reader, which begins storing the details of all subsequent cards inserted.
The criminal then returns later on, using a second malicious card to download the data, including the card numbers and PINs.
Magnetic strip data
“In our demonstration we just got the card number and PIN,” said an MWR spokesman, “but a real criminal would probably reprogramme the reader to request that the card is swiped. This would give magnetic strip data which could be used to clone the card.”
There are around 900,000 readers in the UK, and according to the UK Cards Association, 800 million transactions per month are processed.
A Verifone spokesman said: “Upon reviewing VeriFone’s portfolio we have confirmed that MWR implemented a sophisticated scenario that is technically feasible on some older systems.
“VeriFone has developed a software update to resolve this issue in deployed systems and has already submitted the code for testing and approval on an expedited basis. We informed MWR of those efforts last week.
“Once the approval process is complete, we will provide the software update to all impacted parties for appropriate implementation.”