Cybercrime bust highlights PIN terminal insecurity

Putting a padlock on a paper bag

Some time ago I saw a TV programme where a presenter got a job as a waitress solely to steal customers' PINs. She carried a small card reader that she used to swipe the card's magnetic strip details and then she watched the PIN being entered into the terminal. With those two captured items of data she was then able to create a card that could be used at certain cash machines.

Chip & PIN seems secure but having the magnetic strip too leaves a gaping hole in the system.

Put the keypad on the card

While you are at it, put a display on the card that shows the amount and the recipient. Also use proper encryption - libssl is only about 200k, so it will easily fit on a chip.

Engineers and managers can end up in prison for not taking enough care with safety. Unfortunately that law does not apply to bankers funding crime with customer's money. (All customers - not just the ones who use 'portable' terminals at an open air auction.)

easy fix with just plugin upgrade!

easy way to defeat those pesky spy cameras and card reading phisers

STICK A 2Watt+ output 2.4-2.5 / 5.8Ghz JAMMER on every cash terminal !!!

Then those crooks wont be able to recieve any of our account data, whilst parked up opposite the ATM!!!

So they are put out of busiiness by simply jamming all open access wi-fi/wi-max and bluetooth frequencies.

maybe Visa and MC need to employ a Bofh n Pfy or 2, for a change instead of lots of qualified id10t rated managers...

Cant wait

for the sanctimonious prat from Chip&Pin corp ( the one on the telly last year telling us how secure C&P is) to wiggle out of this one!!

If c&p is so good, why does my bank require me to plug in c&p card to useless reader thing to transfer 5 quid to another account in the same bank, while logged using https?

Heart, because Valentines Day was when it was all going to be mandatory

Calm down

There's no cure for fraud.

Before chip and pin fraudsters (tier 2) would pay minimum wage cashiers (tier 1) to write down card numbers and 3 digit "security digits". Cashiers would receive a small amount for each card number. It'd also be bleeding obvious who it was that had given the card numbers out, but minimum wage or not, it was their own greed that got them caught (tier 1). Meanwhile the fraudsters just needed to arrange a place to meet and hand over a few 20s for a piece of paper. Which they would then resell to someone else further up the criminal pyramid (tier 3) who had employed people in third world countries and/or the US to make fraudulent transactions.or sold the details to them(tier 2). This is classic "Card not present" fraud, and is the most common form of fraud seen on cards - and still happens because Chip and Pin is not mandatory, nor are people particularly careful with their cards, and more importantly Chip and Pin doesn't exist for the most part abroad. Tier 1 people got caught and couldn't inform on the tier 2 guys. Tier 2 guys when caught didn't have so much contact with tier 3 guys.

Now they need to get the cashier to remove the machine, and replace it, and also collect information from the machine. I'd imagine that would put up a barrier to entry for criminals meaning that the tier 3 guys, who would be the guys with the "know-how" would need to gain access to this technology (meaning less of them). It would also mean far greater level of contact between the tiers of the pyramid. Meaning the cashier would likely now have a contact number or an location where the guy that's paying them buttons to do the dirty work could be found. And likewise the tier 2 guy (if he wasn't taken out of the equation completely) would have much more to incriminate him when his house is raided than a sheet of paper which could be far easier to hide than hacked machines.

Surely this won't cut out fraud, but it will expose the higher tier guys to more chance of being caught, and reduce the ability of people entering the thieving marketplace.

With every new financial technology there's some tweed coated university type bleating on about some new kind of fraud that's far more expensive and complicated than frauds that still work now, and trying to pass it off as a clear and present danger to the public. Remember the ridiculous outcry that keyloggers could eventually work out your security number if you log into your internet banking account 10 or however many times? Funny how it's not used by fraudsters because there's still plenty of morons happily typing their login details to fake bank servers.

Banks do have option to deter all fraud crimes

Banks do have option to deter virtually all fraud crimes simply by making signature and PIN systems reliable as proposed on website www.xwave.co.uk

Why would anyone get tempted to do identity fraud when they know that their signature personalised with their ID sticker will expose their identity? Current signature system does not even expose person's gender and so boosts identity fraud.

Why would anyone get tempted to use stolen or skimmed cards when they know that they will not be able to activate the transaction without new security code which will change to a new value after every transaction?

This system will also eliminate the need for us to protect our personal an card details since fraudsters will not be tempted to misuse these stolen details.

Organisations would make their customers personalise signatures by letting them use mobile phone size device which will capture image and activate printer to print their ID sticker virtually instantly.

This KEY and PIN system could be treated like international ID card since it will personalise signature and PIN to the right individual in any country in the world.

To make the government and banks exploit proposed system media could help by debating these systems with the public.

Xwave = Not the answer

Almost all card not present fraud is conducted outside of the UK with card details obtained within the UK.

Chip and Pin is not excessively sophisticated, but it doesn't need to be until every possible way you can you use your card is up to the same level of security.

The chain is only as strong as it's weakest link, and that weakest link is virtually every country outside of the UK.

The only way to have a real impact on card fraud just now is to by default decline every card transaction conducted outside of the UK, unless the card holder advises that they'll be using the card outside of the UK. Since banks and retailers foot the bill for fraud, and they've not decided to do that because of the collateral damage to customers who didn't know they needed to do it and got their cards declined trying to buy something then it won't happen.

At present it's in between. Banks use sophisticated systems to detect card fraud. If everybody at El Reg was to go online shopping in non-English speaking countries with a delivery address different to the one registered for the card then (I'm afraid I can only guess at the %age) a significant number would be declined at point of sale, because the banks systems would believe the card use was out of sorts for the cardholder.

@Aimee

Sadly because many of the banks customers are morons who'll type in their security details to any site masquerading as the real thing. Those wossit machines aren't to combat card fraud, they're to combat fishing emails.

Cell Phones are the answer

Why don't people understand. Things are only secure if you own them. You cannot trust a third party with unencrypted data. *you* must own the device that encrypts the transaction, or else you have no idea whether it is encrypted at all.

Cell phones *need* NFC right now, and credit card terminals should *only* except asymmetrically signed/encrypted transactions. As long as a static credit card number is all that is needed to authenticate a transaction, this will happen. And as long as you are asked to type your 'secret' pin into a machine that you do not own, this will continue to happen.

RSA Keychains and the like have been around for 20 years, and yet we still are subject to this pathetic level of security. It is bleeding infuriating.

@Xwave = Not the answer / AC

Thanks for the clarification.

I make a point of checking the certificate, but last month it was invalid, so no banking for me for 3 days.

However my bank promises to honour the transaction if I use the latest browser, have anti spam/trojan software and keep the system patched.

So why the wossit?, if I go to the wrong site, thats my fault, its a kin to blaming the car manufacturer for my speeding ticket.

Be useful if the wossit could double as a calculator, more trash in my handbag!!

@ xwave not the answer

Not a crtiique of your header (which is absolutely correct, xwave is just plain nonsense (but a good laugh that someone thought to patent it!!)) but you've a few errors in the underlying text. Card not present fraud is not mostly conducted outside the UK (well, if we take APACS figures, which admittedly underreport the problem, though not as much as some make out in my opinion).

We know a lot of copied cards are used overseas to exploit the fact that they don't need chip and PIN. We also know that CNP fraud has risen dramatically because they don't need chip and PIN. Why bother using CNP overseas when you could just walk up to a cashpoint and take the cash? It just increases the risks. So the vast majority of CNP fraud should be in the UK.

And your point @ Aimee may be their justification, to combat phishing, but it doesn't work. If I send you a phishing email (and your stupid enough to respond) if you log on to my spoofed site then you're expecting it to be the real one. So I'll have to send you a challenge so that you can enter it to your reader, enter your PIN and give me the response. So whilst you log onto my spoofed site, I'll log onto the real one to get a real challenge, to relay to you so you can give me a real response, so that I can pass it back to the real site to gain access. Then I can give you your real information (as I'm now logged on as you (and I definitely am you as I've got your valid response, so I must be you)) so you can see your live info, including the curry from last night so you're confident you're on the real site, and I'm confident I've just emptied your account (and with faster payments off it goes round the world 1000 times a day until I've laundered it enough).

Now try proving that you didn't do it :)!

I agree with you on the default decline overseas though (with a facility to unblock for specified countries when you know that you (the real you) are abroad).

Paris because she's the only one open to more abuse than the banking system.

Chip 'n' PIN was never about security anyway

Why anyone believed that Chip 'n' PIN was about "security", rather than banks weaseling their way out of wearing customer-present fraud is a mystery to me. Not for nothing was the switch known as "The Liability Shift" within the industry

Chip-and-Signature

How do I get a Chip-and-Signature card?

In the meantime, is it good enough to write "DO NOT ACCEPT THIS CARD FOR ANY CHIP AND PIN TRANSACTIONS" across my bank card using an indelible marker?

The real risk of Chip-and-PIN **isn't** sophisticated criminals doing transactions abroad -- it's street robbers demanding the PIN that goes with your card, along with your card, your mobile and any loose change (so you won't be able to report it straight away). One of the gang makes a test purchase to confirm the PIN, while the others detain you and administer any necessary punishment if the PIN was wrong.

The other risk is of someone observing a PIN being entered, surreptitiously stealing the card and then replacing it before you even notice it went missing.

But Chip and PIN was never about security; it was always about shifting liability from the banks and the retailers to the customer. The law says that if the correct PIN was entered, then the transaction is valid and the customer is liable.

@ Andrew Churchill

Yes that would work, so in reality the only safeguard is the SSL cert? or is it.

So if the Bank cannot even keep that up to date, what do we do now?

Security...?

I got to know some girls over in the Uk from the US doing a semester abroad. Atleast 6 of them got their card details stolen and used. To my knowledge i've never been a victim of card fraud. But it just seemed rediculous...in 1 week it happened 3 times and one of the girls had told her bank that she was in the Uk for the next 3 months and her card was used in las vegas or something

Paris would be better with security through obscurity :p

The PED shouldn't be trusted at all

I think one big weakness here is that the PED is inside the security boundary and therefore has to be trusted.

Regardless of whether the card details are encrypted between the PED and card it is implied that they exist, in plaintext form, in the PED. So, the PED can be attacked to get the card details in this case it's easy - just tap the wires between PED and card. However, If the info going between the PED and card was encrypted they could attack the PED itself - still possible but probably more difficult and expensive.

End-to-end encryption between the card and bank would take the PED outside the security boundary (data would be encrypted from the card right to the bank). OK, the PIN and payment amount would still need to be sent to the card from the PED but that has limited use without the card details. Better still, as someone said above, would be to put the keypad & display on the card so the PED just proxies data between card and bank.

I don't know for sure but I bet the idiots that developed this sh** system traded off security against additional card complexity (and therefore cost). By putting more "intelligence" (& therefore trust) in the PED the card becomes simpler and cheaper.