Sophisticated cybercrooks have developed a technique for tampering with the PIN Entry Devices on Chip-and-PIN readers to steal users' card details and PINs. Police from the Dedicated Cheque and Plastic Crime Unit (DCPCU) recovered stolen PIN pads and hundreds of fake cards in a raid on a counterfeit card factory in Birmingham …
They sound suprised?
"The PIN access devices are being re-engineered. It seems like crooks have broken the encryption on the chip but this is unclear,""
Why would they break the encryption on the chip?
They just copy it wholesale and record the punters keypress
Hardly difficult. And it has been going on from the day the things were released.
When some guy hands you a card terminal, you are expected to just type your pin into it, safe in the knowledge that that reader is the real thing?
Anyone who is stupid enough to believe that the minimum wage waiter isnt bent deserves to spend all their time fightng for their cash back under the "banking code"
the security is still rubbish and I personally think a pin is less secure than a checked signature.
I've known 4 people who have had their card cloned by one of these in the past year - I think it's worse than they are letting on. Oh and the protection? Yeah they all got their money back but for a couple of them it took MONTHS.
Guilty until proven inocent
Does the fact that it is now clear that a PIN can be compromised mean the banks will stop assuming the card holder is guilty until they can prove they had not negligently revealed their PIN.
Until we have a system that uses a one time password for each credit card transaction, then the system will remain open to cloning and replay approaches. Putting data logging into PoS equipment was clearly something the crooks were going to do.
Ideally I'd like a system which would allow a one time password generators to be registered against a number of services or cards (in fact it would be quite nice to be able to use it for online banking and other sensitive systems). It might also be nice (and not to difficult) to have an option to register a mobile phone number to receive an SMS message everytime a transaction authorisation is attempted. At least that way we would notice fraudulent transactions quicker, even if it wouldn;t immediately stop them.
Cards could be enabled for use abroad via an appropriate enabling system for a given time for countries that don't have this sort of infrastructure. Lost OTPs could be dealt with via an exceptional over-the-phone authorisation system.
I'm dreaming of course - I can't imagine that the finance industry will get their act together and come up with a truly robust system.
think i'll treat myself...
'...the attack made compromised PIN entry devices in stores as big a treat as the better known risk of bogus ATM machine'
yup deff going to treat myself to some credit fraud
mines the one with bundles of cards in its pockets...
the lot of them. Ever heard of encryption ? Even on hardwired systems you should be transmitting bank information via encryption.
What absolute twats the banking industry is - if they need an overpriced consultant to teach their granny how to suck eggs please contact me.
Where's the 'twat' icon ?
Said this would happen
Allow me to add my voice to the crowd of "I Told you this was going to happen!"
How about using a form of biometric security when paying for goods in stores? Just as a rough germ of an idea, you could give someone a pen and paper, and ask them to perform a gesture, unique to them, using the pen in such a way that a record is left (and can be retained). A person ought to be able, with minimal self-training, to reproduce such a gesture with a fair accuracy at will; yet someone who has not become accustomed to that gesture would have difficulties and so reproduce it only either with detectable artefacts in the written record or with some aberrant feature in their behaviour.
Determining the validity or not of such a recorded gesture, by comparing it to a reference sample and observing the behaviour of the individual as they performed it, is the sort of task which probably would require a human being rather than a machine; but since there is already a human being sitting at every till in a supermarket, no additional staff would be required in practice.
should they be satisfied with this?
"compromised Chip-and-PIN terminals have been found in less than 30 retail outlets throughout the UK"
They don't say say how many they actually checked. The implication of the comment is that there are very few - in fact, what the statement means, is that's all they have found so far, and they don't know if there are any more.
"they enjoy excellent protection under The Banking Code, which means that they will not suffer any financial loss."
Not entirely true; in the US the banks have to cover all loss, but in the UK, they can ask you to prove it wasn't you. Having said that, I can't complain; on the 2 occasions that someone tried it on with my card details, they detected it before I knew - it helps that I don't normally buy £800 worth of leather underware across the Internet!
I told you so.
I grumbled about this flaw in the past - it was painfully obvious that this was going to happen. Because of my foresight, I have a Chip & Signature card - and I had to raise hell with the bank in order to get it.
Let me explain. Chip & Pin is undoubtedly more secure than Chip & Signature - even with this new exploit. After all, any fool can nick a card and, with a little practice, forge the signature. Shop staff really don't check that closely. The difference is a legal one.
With Chip & Pin the banks are governed only by a code of practice. They promise to be nice and let you have your money back if fraudulent activity occurs, but they aren't legally obliged to - and you can bet your house that fingers were crossed as the promise was made.
With Chip & Signature (or, indeed, any kind of signature card) the banks are governed by a legally binding contract. The onus isn't on you to prove that fraud has taken place - it's on the bank to prove that it hasn't. In practice, this means that you will always get your money back if someone defrauds you. It also explains why the banks are so reluctant to issue signature cards. Fight for your right.
Personally I'll take a little less security if it means that I get to keep my money. Question is, what are you going to do?
What they really think
Sandra Quinn, director of corporate communications at APACS, said that Chip-and-PIN remains the safest method of payment for goods and services: "In the unlikely event a cardholder is an innocent victim of this or any type of fraud, they enjoy excellent protection under The Banking Code, which means that they will not suffer any financial loss."
She then added under her breath "good luck proving your innocence though fuckers - all your pins is belong to me - Ha Ha ah ha ha HA!!"
Seriously does anyone imagine for a second that the banks will kindly allow you the consumer access to data, which allows you to say that a high percentage of people who bought something from a particular store were then the victim of card fraud?
Or are they much more likely to blame you for giving your PIN away, assume it's all your fault (whether they are in posession of the facts or not) and refuse to accept any liability?
I like the idea, but the Unique Image Reference on the back of my debit card rubbed off ages ago.
Not that anyone checks it, even when the chip [which is falling out a bit] fails and I have to make my Unique Image on the slip.
No surprise fraud is rife really, no-one checks anything these days.
Steven "Needs to buy a wallet really" R
The Government should take note
Chip and PIN was introduced to eliminate fraud, just as ID cards and biometric passports with chips will eliminate identity fraud.
Is it not plainly obvious that the criminal fraternity become more sophisticated in order to crack these supposedly secure systems, and that therefore the whole idea of ID card and biometric passports is fundamentally flawed?
What will they do, issue me with a new set of fingerprints and retinas if my identity gets clones. Muppets.
RE: Said this would happen
"Just as a rough germ of an idea, you could give someone a pen and paper, and ask them to perform a gesture, unique to them, using the pen in such a way that a record is left (and can be retained)"
Oooh, that sounds like a great idea. Lets call it a Symbolic Identification Gesture for Non-Automated Tellers Using Recognition Engines.
first hand unhappiness
I had this happen to me, and I think I know where it happened but I can't be sure, was a chip and pin unit two weekends ago, they got the card details, extracted some dosh in canada, then a day later in india. had it stopped but it's clear credit card companies jump on fraud a lot better than debit card companies. credit card calls up the minute the transaction is logged to say 'are you sure this is right?' (happened to a friend this, not me, was a valid transaction), debit card company says 'have you ever been to canada?' ignoring the fact that i was using it the same day to buy food from a supermarket up the high street. go figure.
I usually check cash machines for any dodgy fittings and won't use it if there are, but chip and pin units are harder to avoid.
Annoyingly it's the one time i paid for lunch by card, i usually use cash. wont make that mistake in future, cash at least doesn't have the same resulting issues.
@A J Stiles
IIRC, in the past, cards/signatures were frequently not checked.
I've known people who got their cards swapped when paying for a curry, and who didn't realise until a week or so later, when each had made several signature-based transactions - they didn't read the card they were handing over, and none of the vigilant signature-checking humans noticed that the signatures were entirely different.
Once, I signed a newly-arrived credit card rather scrappily with a half-working ballpoint, and when I called the issuer, they simply told me to sign it a second time with a different pen. For the normal life of that card (2-3 years), I think only one retailer ever asked me why I had two signatures on the back.
My signature in general is not very neat or particularly consistent, and I don't think anyone has ever questioned it on a credit card purchase.
I suppose an encoded signature (ie one that a criminal couldn't re-encode onto a cloned card) might work for retail transactions *if* any staff could be bothered to do a comparison between what someone writes and what pops up on a screen.
However, if it's the case that the current frauds tend to target foreign ATMs, then human-based security checking doesn't seem to have much of a place there.
It was the devices that were compromised - modify those so a data logger records the key presses and encryption n transfer to the bank doesn't help one bit in protecting the PIN (and the data connection to the bank is encrypted). The interesting thing is if the encrypted data from the chip in the credit card can be read. Chip & Pin PoS devices don't read the mag strip (they don't need to), and the account information on the card is encrypted. You would need to break that encryption to get the account information. However, there's another possible approach - it might be that the compromised PoS devices have been modified to read the mag strip information which has to be there for use abroad.
Given that these compromised cards were used abroad, then it might not appear to be anything as sophisticated as getting the PINs and cloning the chips. It might be as simple as copying the mag stripe information if the countries where these were used don't have Chip & PIN.
@A J Stiles
The problem is that this frequently-executed gesture is used in myriad places besides the checkout line, and as long as a person possesses a copy of your handiwork, this person can train his/her hand to replicate it. Combine this with a cloned copy of your card (or even the card itself--with a handy reference signature)...and it's open season. As I recall, this had been the procedure en vogue in the past and is still used in the greater crime of full identity theft.
There's also the matter of handicaps. Not everyone has a steady hand at the checkout line. If someone possesses a nervous tic in the writing arm--or worse, a palsy--one's signature cannot be counted on to be consistent.
Photograph for identification
In 1987 I joined a voluntary scheme to add my photograph to my debit card. For all purchases at a counter, where we now use chip and pin, the vendor could see it was me unless I had a twin. Presumably nobody stood to make any money from making this idea mandatory so we now have the flawed chip and pin.
@A J Stiles
It's a good idea, and I guess to some degree it would work for blind people too but i wonder if it would work overall - say you bust your hand or people who do not have steady hands, they won't be able to recreate the gesture accurately enough for the system. I know it's not everyone but it's still an issue.
There are two ways this could work and that are much simpler:
a) Taking the idea from several online banking systems, make the pin longer (8 characters) then ask for 3/4 random digits from it in a random order. That way unless you use the same machine several times you shouldn't get the same digits twice in the same order
b) imagery (would take a bit of system upgrade though) - you submit 4 or 5 pictures against your account. When you go to pay, it asks you to match 2/3 of those images, suggesting 3-4 alternatives per picture which are close or random. Then it's down to you to know the image, and it wont be at the same number in the image array each time. This is similar to your gesture idea but is just images to select rather than a gesture to repeat.
Basically, the above have something in common. A non commonly repeated series of images/numbers that can be stolen. random part selection has to be a better deterrant surely? and it beats having to submit any biometric info as the uk.gov seems adamant to do on it's own anyway.
just my 2 cents
@Photograph for identification
Doesn't work - you're assuming they steal the card. if they knick he details and put it on a dummy card which doesn't have your photo that form of id is no longer valid. It may reduce the liklihood of card theft but it's a lot mroe valuable to a criminal that you don't realise your card is stolen for a while than report it stolen instantly, give them time to use it.
Also they use the card on atm's to get cash, as it's harder to track back and retrieve, and can be used immediately. ATM's don't check for photo id...
Why can't these rotters just stop behaving like this and do an honest day's work for an honest day's pay? Life would be so much easier for everyone.
Just carry cash. Can't get my card details or my PIN if I'm not using it.
More thoughts on signatures
The problem with signatures not being checked is really one of people not doing their job properly. Since there is an audit trail generated, the operator who allowed the fraudulent transaction can be traced -- and the money taken from their wages. Maybe it will teach them to do their job properly: you know, check that the signature looks like the one on the card and that the person signs with a single, fluid motion, not all stilted and robotic like somebody trying to copy someone else's signature.
It takes at least an hour to learn to forge a signature even to the standard that somebody who didn't see you actually writing it would think it's genuine; and even longer if you want to make it look as if it's your own signature that you dash off several times a day. That gives the real owner of the card a window of time in which to notice and report it missing.
Also, you can't speed up the process of learning to forge a signature by holding a knife to the throat of someone you are robbing. You can, on the other hand, obtain a PIN by the same method -- and keep the knife there while an accomplice makes a test purchase with the card to show the PIN is genuine. If I were truly evil, I would patent such "PINpoint robbery", but from the victim's point of view: as a method for enriching people and safeguarding one's welfare by revealing personal details. That way, any royalties due for the use of this patented method would be owed by the victim (whom you already have), rather than the perpetrator (who is away on their toes).
Re: Photograph for identification
No, it wasn't that there was no money to be made, it was that it was a rubbish idea. If you can clone a regular card and print it good enough that a shop keeper won't notice, you can print your own photo on there as well. And for physically stolen cards, if they don't check the signature, they won't check the photo.
Marks & Spencers @ London Bridge
Yes, Marks & Spencers London Bridge. That's where I'm pretty sure it happened to me, late on a Friday night when I popped in there about a month ago. The entire weekend and Monday morning following some wormbag(s) caned my card in a little village in northern Malaysia making Visa cash withdrawals (information gleaned from my online statement). Egg tried and failed to contact me on Monday afternoon and automatically barred my card - all money was subsequently returned and a new card issued. A minor inconvenience (as it was only a credit card, would have been far more serious had it been a debit card) but it's pretty obvious that Chip & PIN has been blown wide open and a better system is needed with end-to-end encryption.
And since the magnetic strip contains all my details and this system is still in use abroad, and I have no immediate plans to go abroad, I'd be happy to instruct my bank to decline all transactions that make use of the magnetic strip method. The Bank could even issue me a card without a magnetic strip, I don't need it, and since the Bank would know I don't have a magnetic strip any such transactions would clearly be fraudulent.
@ Steven Jones
Re the SMS message - I've been working with a number of banks on the scope for this for some time, with the additional abiltiy to virtually insert the PIN into the CNP process, enabling authentication using the mobile.
I demonstrated it at the E-Crime congress in London earlier this year, and your not dreaming, as hopefully it will be trialled in the market later this year.
Banks should consider Gridsure
GrIDsure (gridsure.com) seems to be a cheap and apparently more secure alternative to PINs, but of course while Banks are too tight to encrypt transactions end-to-end then it's likely that no system will be sufficiently secure.
"How does it work?
Instead of hard-to-remember PINs / passwords, GrIDsure substitutes a different kind of ‘shared secret’ - based on picking a number of squares on a grid to make a memorable pattern or shape, such as an 'L' or a 'tick'. At authentication time the grid is filled with random numbers, which 'presents' to the user in his/her pattern positions a new set of 'PIN' or pass-codes. The numbers in the grid change each time it appears and thus so does the PIN. It’s far easier to use, as users don’t have to hold ‘cold’ strings of characters in their heads, and it’s much more secure as it cannot easily be shoulder surfed, key-logged or the user impersonated."
And GrIDsure is a British company too (I have no affiliation etc. etc.).
Secure AND Portable?
As the problem seems to stem from transactions performed abroad, where technology may not be available, the problem becomes making a form of authentication that is BOTH secure AND portable--such that it can be used just about ANYWHERE. Signatures are an obvious 'no'--they've been known to be forged. And it's become clear Chip-And-PIN can't apply--such devices can't be counted on to exist abroad. So, what can you try?
Chip and spin
Chip and pin was introduced to shift liability from the banks to the consumer.
It could have been more secure but they chose the cheap option at every turn happy with the shift of blame.
It's just another variant of the saying "Technology is in a race with the Universe to create bigger and better idiot-proof devices, while the Universe is trying to create bigger and better idiots." only replacing 'idiot' with 'criminal'.
Paris, because the universe is creating bigger and better idiots.
Never checked anyway
I'm not surprised, the cards never get checked anyway. My wife frequently borrows my debit card to go and buy all our shopping at ASDA. Unless ASDA have some kind of policy where they cannot ask questions for fear of gender-swap issues I cant see any other reason for them not to even bother looking at the card.
This happens periodically in countries where chip + PIN has been around for a while (like here in Canada). Mostly it's best to stick to the kind of reader that's semi-permanently attached to a terminal rather than the ones that are just a little hand unit on the end of a cord. For those ones, some retailers have taken to having the unit's screws covered with a security company's holographic tape, so you can flip it over and check the seals before using it.
I did once consider a system for semi-randomly changing my PIN every day but then decided life was too bloody short...
Why don't they just require you to enable your card for overseas use?
I know which countries I'm likely to be in. If a transaction occurs in India or Kazakhstan, it's obviously fraudulent and the card has been cloned. Why do we need cards valid for all countries at all times?
Card-not-present (telephone and mail order) transactions are different, (as my buying something mail order from Outer Mongolia is conceivable if unlikely) but the systems can distinguish between the two cases and, for card-not-present transactions, the issuer shifts the risk to the merchant.
Incidentally in Las Vegas you need a driving license or passport plus your credit card to buy anything. The picture ID gets checked and (often) the details noted. Nobody seems to care about the signature on the credit card any more.
When I first started work (early 70's), I was sent on a security training course. The security manager was an ex-police superintendent (mornin' super - mornin' wonderful) who was about as cynical as you could get.
He informed the group that there were only 3 types of people in the world - the "Sad", the "Mad", and the "Bad". He maintained that everyone fell into one of these groups, and that included all of the attendees and also all of the the readers of this site. The only issue is if you recognise this, and therefore know what group you fall into (and what your price is).
I argued with him, but to no avail - now some 30 + years later, it galls me to have to say that I think he was right.
What most people are not aware of, is that a considerable amount of this sort of crime is now funded by large criminal groups that have access to more liquid cash than most governments. They are often involved in other criminal activity; drugs, human trafficking, sex crimes, counterfeit goods, 419 scams, pretty much anything where they can make money.
The people that the police catch are usually so far down the food chain that before the police have booked them at the station and locked them up for the night, their handlers already have a replacement group starting up.
(p.s. not intended as a flame at you Gareth - I know you weren't entirely serious)
> The interesting thing is if the encrypted data from the chip in
> the credit card can be read.
Chip & PIN devices in use today in the UK are flawed and allow the card details - including PIN and account number - to be eavesdropped 'in the clear' using nothing more than a bent paperclip, needle and a laptop.
The system is rubbish, the notion of increased customer security is a fraud in it's own right perpetrated by the Banks. If I'm ripped off again I'll be requesting a Chip & Signature card pronto as I have no faith in Chip & PIN protecting me in future, it's just random luck that my card isn't cloned each time I use it.
And for anyone using a debit card for anything other than ATM transactions: What on Earth are you thinking of? Are you mad??! Have fun paying your direct debits etc. once your cloned debit card has been used to empty your current account!
1. http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-711.pdf - section 2.2
Pretty much everyone's got a mobile, right?
And banks know your mobile number (they certainly know mine)?
Why not have the bank's systems text/email/automated-phone-call you for any non-standing-order transactions, say, over £10 or any outside the last city they verified your location in? That way you can buy your breakfast/lunch/dinner, a magazine to read on the bus or whatever else you need day-to-day without the extra verification, but still maintain protection against any more serious fraud.
Again it's not perfect, but it's an extra step. Even as an optional system, it'd help people in fraud-prone areas to help limit their losses.
"Maybe it will teach them to do their job properly: you know, check that the signature looks like the one on the card and that the person signs with a single, fluid motion, not all stilted and robotic like somebody trying to copy someone else's signature."
You've clearly never worked retail. I have. There's lots of people out there whose signature is fairly tangentially related to the one on their card, lots of old grannies (or, you know, people with arthritis) who take a long time to do their signature, and lots of rather large blokes who a 16-year old five foot five cashier would not feel particularly comfortable telling to provide another form of payment or re-sign the receipt.
These are just a few of the reasons why the whole signature system is a bit of a problem. As Mike Bell mentioned, in most of North America no-one really bothers with the signature panel at all any more; small purchases are usually just waved through and larger ones often require some kind of photo ID regardless of the signature panel.
Sorry, but I really don't want my Bank calling me up several times a day - that would be a sure fire way for me to revert to carrying large amounts of cash around with me!
There are better solutions already available to the Banks that don't require them to harass their customers every time they transact more than a few quid, but whether they implement these solutions depends on the Banks doing their job properly and not cutting corners to save themselves a few pennies.
I don't believe they've cracked the encryption on the chips - it's just not feasible and if they had they wouldn't need modified terminals, they'd just steal your card and decrypt the pin.
What they can do is read the pin as you type it and log this along with the card details, the card details are easy to read from the terminal in plain text - if Tesco's Till can do it I assure you it's not hard.
What they can't do is make a chip, or anything even like a chip - so they have to take your details (they have you pin now remember) and use it on a cloned card somewhere that still uses magnetic swipe in cash machines.
Alternatively they don't bother with modified terminals to get your pin and just use your details online or mail order.
The truth is until every cash machine and shop in the world could use chip and every online store could use 3d-secure (if they bothered securing the passwords like they do pins) and you'd still get fraud by mail order / telephone sales.
>>"Sorry, but I really don't want my Bank calling me up several times a day - that would be a sure fire way for me to revert to carrying large amounts of cash around with me!"
It wouldn't be hard to let someone choose which kinds/sizes of transactions a bank informed them about about afterwards (SMS or email), which kinds/sizes of transactions might result in the bank seeking approval, and which kinds of transactions (like foreign cash withdrawals from some/all countries) were de-authorised by default unless there'd been prior approval.
Who currently takes the hit in fraudulent overseas cash withdrawals - the UK card issuer or the overseas bank?
"Sorry, but I really don't want my Bank calling me up several times a day - that would be a sure fire way for me to revert to carrying large amounts of cash around with me!"
Well I don't want a system that requires me to authenticate every transaction - after all, I might not have my mobile with me, the battery could be flat, you could be in an area of poor reception, I could be abroad and it could be embarrassing to find that out at the checkout in Tescos not to mention the time delays and people muttering in queues. Just possibly there is a need for mobile phone authentication for very large transactions. However, a notification system by SMS for every attempted transaction authentication would hardly be difficult to deal with - looking at my card records then that would only amount to about 40 messages per month.
Having twice had my card compromised in less than 6 months, then I'd value it.
Just have 1 PIN for Chip+PIN Transactions, and 1 PIN for cash withdrawls.
But, Oh no, we can't do that, some granny would forget one, so now we are all vulnerable to this simple trick and the burden of proof is on us.
Trash your mag strip today folks! It's the simplest way to defeat this. Every time you are going on holiday, order a new card, then trash the mag strip again when you get back.
Payment Terminal security
If these terminals are the same as the ones used in D, NL, BE etc. then this means that they have also access / cracked the HSM.
In the terminals the entire PIN entry + transaction amount display and approval is performed within the keyboard / display component and this also stores and manages the keys (changed at least daily). Any attempt to get to the keyboard / display results in the component being destroyed (it is a mini HSM). The component is actually part of the keyboard.
If the keyboard and display are not so constructed, then PIN use is intrinsically flawed. Is this really the case?
@ Steven Jones
Your wish is granted - have a look at www.pinoptic.com
One time passcodes - only a maintenance upgrade to ePOS and/or ATM.
A chip and pin nightmare.
It's the first of the month, and time to pay some bills. First up, my main credit card. I go to pay and there is an issue. I double check the details. I triple check the details. Payment still refused. OK, so let's call the Bank and get the low down. I ring in, and they put me through the 20 question wringer. We go over a couple of things, and they put me through to the fraud department. Turns out, on the 25th, 27th and 28th, illicit payments were spotted. The first couple were to Touch Tone, for £5.00 each. The last is an attempt to take £14.00 from a cash machine in Pakistan.
Before I go to town on the subject, I will firstly thank my bank, their watchful eye I have little doubt saved me from a painful situation. So, I'm in the situation where my debit card is nerfed. I've also had a strange kind of month for me. During that whole month, virtually the only activity I have had, besides standing orders, and direct debits is shopping. Shopping in one, and only one store. Now, just in case the lawyers are around, for now, I'm going to avoid naming the store in question. I'll refer to it as 'The Store' in the rest of this. Now, what is also unfunny, but I accept the universe likes a sense of humour, is my wife's card got cloned only days ago. And she also does most shopping at 'The Store'. When she went to the bank, they told her there was a serious problem locally going on at the moment.
So, I call up 'the store's' head office and have a chat with the customer care people. The bank were interested in knowing I'd only been shopping there in the previous 30 odd days, and assured me they would follow it up. Would the store do the same? The nice lady on the line was indeed very friendly. At this stage, it became clear that the store knew of problems, but would not discuss the details, or locations, but did offer to send me a letter.
It becomes clear that I'm not going to get very far with the nice lady, though she offered her condolences and expressed frustration at identity theft in a general and arranges for me to get a letter from them sent out. At this stage, I decide that a little chat at the store is in order. After all, they see me each day, least they can tell me what is going on. So I arrive at the store and request to speak to the manager. Of which there are many. Now at that point normally I'd expect blank looks and a sob story, or I figured I'd be fobbed off.
The manager takes your's trully to a quiet corner, and I explain in some detail what has happened, and in fact I get the whole story. What happened was in fact, one of the chip and pin machines got swiped. Now, call me crazy, but I was somewhat taken aback. The manager said she had lost £120 herself, and most of the other staff, who naturally at the end of the long day's the serve there, get their shopping there as well, had lost money. Unless there is something I am missing here, this would indicate that there are two serious problems. Both I'll cover in a moment. But I did thank the shop manager for not bothering to let their customers know. Perhaps in truth shop managers do not realise the problem until later. They got bitten harder than I did.
The first is the chip and pin machines. These tend to be around the counter in most shops, and seem to have merely a wired connection. Not a great deal to stop someone determined armed with Scissors or better. They need better security. The second, and this is a bit more technical, would be that the machines seem to store card information, including the pin (Erm... Why?, that data should not be there). Now, my understanding is that in the chip and pin install in the UK, the banks did not do things right.
Of absolute prime concern here, is the statement from APACS, the UK payments association which is responsible for tackling credit card fraud, said: "The report does not identify any threats or vulnerabilities of which the industry is not already aware. In our view, the types of attack on PIN entry devices (chip and pin machines) detailed in this report are difficult to undertake and not currently economically viable for a fraudster to carry out.
Well, on the first score, difficult to undertake is meaningless. Once found and documented, its not difficult any more. The bad guys are not put off by difficult. These devices need to be fixed NOW. And the obscure method of arcane thinking along the lines of 'Its not economically viable' to steal money. All I can say is the APACS bunch seem to be rather too muppet like for my liking. If the case is how they claim, how have we reached the stage where chip and pin boxes are being swiped and everyone who ever entered their card info and pin seems up for being a victim. Now, being a layman, I can say that I don't know how much data these chip and pin machines hold. Perhaps it’s a month, a year, 10 years. But in the one at 'the store' I can say that I expect hundreds per day. Cracking that box would seem to be financially viable *now*, I know, because I've been right on the pointy end. But from where I am sitting, 'the store' and its like are prime targets. They have hundreds, maybe thousands of consumers per day going through them, and are protected by not a very great deal.
Lastly, I'm guessing, but I suspect the banks fully know about this. I very much doubt that they would have nominally stopped two £5 and one £14 transaction under normal circumstances. Which means I just got lucky. Had I been an early victim, I am guessing my entire account could have gone. On the other hand, I should be very angry, and so should you. Banks dropped the ball on the implementation, and place my data and information, and your's, where crime can be committed against me and you. At the very least now, its messing with my account for 7 days waiting for a new card. As will the hundreds, maybe thousands in the area affected on mass by this. I'll get my new card, but chip and pin will still be broken. Which means that soon enough, I'll face the same prospect, again and again, unless its fixed. Right now, the supposed security 'chip and pin' was supposed to bring us, has been replaced, with a fearsome new level of ID theft, and a serious threat to everyone's financial health.
@Steven Jones/David Wilson
I wouldn't object if my bank offered me a web based system that allowed me to specify the countries where my card can be used, and even the types of transactions that should be authorised (or perhaps more easily, the types of transactions that should NOT be authorised, eg. cash advances). If I do go on vacation to Malaysia then I can add that country before I go and remove when I return, and if I forget to add it before I leave I can always give Egg a quick call (or I could use an internet cafe, but that has security implications of it's own!) As my Egg credit card is managed entirely online this would be an easy addition for them.
Take this further and we can specify the transaction amounts above which the automatic notification SMS message should be sent, or the level at which transactions should be flagged as suspicious (but not necessarily fraudulent, eg. above £500).
Of course non of the above would be necessary if Chip & PIN wasn't so insecure in the first place.
"Trash your mag strip today folks! It's the simplest way to defeat this. Every time you are going on holiday, order a new card, then trash the mag strip again when you get back."
Clive that won't solve the problem - your card can have it's details copied from a Chip & PIN machine in the UK, and those details can then sent abroad where a cloned card is created with your card details written to the magnetic strip whereupon your account is fraudulently debited by vendors that still process cards with magnetic strips. Your card doesn't have to leave the UK for this to happen, nor does it even have to have a magnetic strip for a cloned card with magnetic strip to be created overseas...!
The best option would be to instruct your bank to refuse to authorise ALL magnetic strip transactions on your account, with the option to allow transaction for a short period if/when you do go abroad. But as far as I know this isn't possible - if it were I'd sign up for it.
"The best option would be to instruct your bank to refuse to authorise ALL magnetic strip transactions on your account"
your idea whilst a good one is not feasable several times since the Chip& Pin cards came out I have seen my card swiped in the mag stripe reader because the Chip&Pin reader would not read the Chip so you still need the mag stripe in the UK
@John Dougald McCallum
Fair comment, but if that were the case then the problem is mine to deal with either by paying with cash or another card with a working chip, or the retailer could whip out his antiquated roll-over imprinting machine (yes, they're still accepted just for this kind of situation) and I would physically sign the receipt.
So far my chip has never failed to work, maybe because I keep my cards in a wallet, and I haven't had to swipe the mag stripe on a card for at least 3-4 years, so I reckon I can live without the mag stripe entirely if it reduces the liklehood of me being defrauded.