Security experts have demonstrated a way of hacking into a Chip and Pin machine using malicious code stored on a credit card.
Chip and Pin payment systems used in restaurants, bars and shops across the UK are vulnerable to attack, with malicious cards able to steal payment information.
Researchers found the devices can be programmed using a fake credit card, which uses malicious code to capture payment information.
MWR Infosecurity, the company that carried out the research, said Chip and Pin machines could be programmed to do "anything". It explained that a criminal using this technology could visit a shop, use a card with malicious code to collect payment information and then visit the same shop again later in the day to download all the card details. The hack was demonstrated at the Black Hat conference in Las Vegas.
In May alone, 876 million card transactions were made in the UK, totalling £42.5 billion.
Ian Shaw, managing director of MWR Infosecurity, explained why Chip and Pin machines were potentially vulnerable: "They're using ten year old technology. Android smartphones and iPhones have better security capabilities. Once you've inserted the card you can do whatever you want."
The UK Card Association, which represents the UK card payment industry, said it was looking into the claims.
"We are currently assessing the implications of research which, on the face of it, outlines a possible means of attack on PIN entry devices. We take all threats very seriously," it said.
"Importantly, we have no evidence of this type of attack occurring, either in the UK or anywhere else in the world where Chip and Pin is in use."
In another demonstration a Chip and Pin device was turned into a portable games console. MWR Infosecurity said this showed just how much the devices could be reprogrammed using code stored on a card.
Mr Shaw said that manufacturers had been made aware of the vulnerabilities, but that they would be difficult to fix.
"Some of these issues could still exist in a few years. Some older card machines can't be updated easily," he explained.
However, VeriFone, a manufacturer of Chip and Pin devices, said it had taken the hack seriously and was already testing an update that would fix this problem.
"This is a new threat that took months for MWR to develop, and could not be easily replicated. However on the back of this research we have developed a software update to resolve this issue in deployed systems.
"Once the approval process is complete, we will provide the software update to all impacted parties for appropriate implementation," the company told us.