Friday, January 05, 2007

How Safe Is Chip & PIN?

As I don't have a bank account, this information is provided as a public service. Enjoy.

Okay, a bit of background first. Chip & PIN was brought in by the card issuers to reduce the amount of fraud that they were financially responsible for. Any fraud now taking place is the responsibility of the retailer and not the card issuer. This, I'm sure, is delightful for the card issuers, but not so much fun for the shop owners.

As you may be aware, retailers who provide the convenience of payment by card don't get the full amount that you pay. There's usually a commission charge that the retailer gets hit with, and this system was in place before the introduction of Chip & PIN.

So, with great fanfare, this new and supposedly secure system was introduced. You put your card in, the retailer types in how much you have to pay, then you enter your PIN and the transaction is either confirmed or rejected. No chance for fraud there, apparently.

Apart from people looking over your shoulder to see what you've typed in. Or, if you have bad eyesight and have to stand at arm's length from the machine so you can see the figures, the whole queue of people gets to see what you've typed in. And once they know what you've typed in, they - or an accomplice - can mug you outside and steal all your money.

Because retailers have faith in the machine, they don't even check the card now. All you need to know is the PIN. So if a white woman appears at the terminal with a card in the name of Mr Attapattu, the shop isn't going to be any the wiser as long as she knows his PIN. No physical inspection of the card takes place.

And because customers have faith in the machine, if they get a rejection from the machine, they'll either try the PIN again, or try again with a different card. If it still fails, all the retailer has to do is apologise, blame the technology or the banks, and everything is fine.

But what happens if that terminal you've just put your card into - which reads all the information on the chip and the magnetic strip automagically, and which you've just given your PIN to - isn't actually a real Chip & PIN terminal? What if its sole purpose is to extract card information from everyone who uses it? Would you be able to tell?

Well, according to the manufacturers, of course you would! Anyone tampering with the machine would make it externally obvious that something was up.

Think again.

You'll note how the person appears to be playing Tetris on this. There's also a handy video showing it off in its true glory. These people are white hats; there's no reason to suspect the black hats haven't been exploiting this type of hack for months.



Blogger silas said...

A response from APACS:

"APACS, the payments organisation representing high street banks, said the Cambridge breakthrough could be a threat.

'People could, in theory, use this to steal account details from cards,' said Sandra Quinn of APACS. 'Our experts are in discussion with the manufacturers of terminals to see what can be done. Essentially what these people have done is replace the innards of a chip and Pin machine.

'However, we would say that this has only been seen in a laboratory so far. People would not be able to create counterfeit chip and Pin cards, but they could use this information abroad to make purchases.' "

