A chip and pin nightmare.
It's the first of the month, and time to pay some bills. First up, my main credit card. I go to pay and there is an issue. I double check the details. I triple check the details. Payment still refused. OK, so let's call the bank and get the lowdown. I ring in, and they put me through the 20-question wringer. We go over a couple of things, and they put me through to the fraud department. Turns out, on the 25th, 27th and 28th, illicit payments were spotted. The first couple were to Touch Tone, for £5.00 each. The last is an attempt to take £14.00 from a cash machine in Pakistan.
Before I go to town on the subject, I will firstly thank my bank; their watchful eye, I have little doubt, saved me from a painful situation. So, I'm in the situation where my debit card is nerfed. I've also had a strange kind of month for me. During that whole month, virtually the only activity I have had, besides standing orders and direct debits, is shopping. Shopping in one, and only one, store. Now, just in case the lawyers are around, for now, I'm going to avoid naming the store in question. I'll refer to it as 'The Store' in the rest of this. Now, what is also unfunny, but I accept the universe likes a sense of humour, is my wife's card got cloned only days ago. And she also does most shopping at 'The Store'. When she went to the bank, they told her there was a serious problem locally going on at the moment.
So, I call up 'the store's' head office and have a chat with the customer care people. The bank were interested in knowing I'd only been shopping there in the previous 30-odd days, and assured me they would follow it up. Would the store do the same? The nice lady on the line was indeed very friendly. At this stage, it became clear that the store knew of problems, but would not discuss the details, or locations, but did offer to send me a letter.
It becomes clear that I'm not going to get very far with the nice lady, though she offered her condolences, expressed frustration at identity theft in general and arranged for me to get a letter from them sent out. At this stage, I decide that a little chat at the store is in order. After all, they see me each day, least they can tell me what is going on. So I arrive at the store and request to speak to the manager. Of which there are many. Now at that point normally I'd expect blank looks and a sob story, or I figured I'd be fobbed off.
The manager takes yours truly to a quiet corner, and I explain in some detail what has happened, and in fact I get the whole story. What happened was in fact, one of the chip and pin machines got swiped. Now, call me crazy, but I was somewhat taken aback. The manager said she had lost £120 herself, and most of the other staff, who naturally at the end of the long days they serve there, get their shopping there as well, had lost money. Unless there is something I am missing here, this would indicate that there are two serious problems. Both I'll cover in a moment. But I did thank the shop manager for not bothering to let their customers know. Perhaps in truth shop managers do not realise the problem until later. They got bitten harder than I did.
The first is the chip and pin machines. These tend to be around the counter in most shops, and seem to have merely a wired connection. Not a great deal to stop someone determined, armed with scissors or better. They need better security. The second, and this is a bit more technical, would be that the machines seem to store card information, including the pin (Erm... why? That data should not be there). Now, my understanding is that in the chip and pin install in the UK, the banks did not do things right.
Of absolute prime concern here is the statement from APACS, the UK payments association which is responsible for tackling credit card fraud, which said: "The report does not identify any threats or vulnerabilities of which the industry is not already aware. In our view, the types of attack on PIN entry devices (chip and pin machines) detailed in this report are difficult to undertake and not currently economically viable for a fraudster to carry out."
Well, on the first score, difficult to undertake is meaningless. Once found and documented, it's not difficult any more. The bad guys are not put off by difficult. These devices need to be fixed NOW. And the obscure method of arcane thinking along the lines of 'It's not economically viable' to steal money. All I can say is the APACS bunch seem to be rather too muppet like for my liking. If the case is how they claim, how have we reached the stage where chip and pin boxes are being swiped and everyone who ever entered their card info and pin seems up for being a victim? Now, being a layman, I can say that I don't know how much data these chip and pin machines hold. Perhaps it’s a month, a year, 10 years. But in the one at 'the store' I can say that I expect hundreds per day. Cracking that box would seem to be financially viable *now*, I know, because I've been right on the pointy end. But from where I am sitting, 'the store' and its like are prime targets. They have hundreds, maybe thousands of consumers per day going through them, and are protected by not a very great deal.
Lastly, I'm guessing, but I suspect the banks fully know about this. I very much doubt that they would have nominally stopped two £5 and one £14 transaction under normal circumstances. Which means I just got lucky. Had I been an early victim, I am guessing my entire account could have gone. On the other hand, I should be very angry, and so should you. Banks dropped the ball on the implementation, and place my data and information, and yours, where crime can be committed against me and you. At the very least now, it's messing with my account for 7 days waiting for a new card. As will the hundreds, maybe thousands in the area affected en masse by this. I'll get my new card, but chip and pin will still be broken. Which means that soon enough, I'll face the same prospect, again and again, unless it's fixed. Right now, the supposed security 'chip and pin' was supposed to bring us has been replaced with a fearsome new level of ID theft, and a serious threat to everyone's financial health.