Shell Suspends Chip & Pin in the UK
According to the BBC:
Petrol giant Shell has suspended chip-and-pin payments in 600 UK petrol stations after more than £1m was siphoned out of customers’ accounts.
This is just sad:
“These Pin pads are supposed to be tamper resistant, they are supposed to shut down, so that has obviously failed,” said Apacs spokeswoman Sandra Quinn.
She said Apacs was confident the problem was specific to Shell and not a systemic issue.
A Shell spokeswoman said: “Shell’s chip-and-pin solution is fully accredited and complies with all relevant industry standards.”
That spokesperson simply can’t conceive that those “relevant industry standards” were written by the people trying to sell the technology, and might not be enough to ensure security.
And this is just after APACS (that’s the Association of Payment Clearing Services, by the way) reported that chip-and-pin technology reduced fraud by 13%.
Good commentary here. See also this article. Here’s a chip-and-pin FAQ from February.
EDITED TO ADD (5/8): Arrests have been made. And details emerge:
The scam works by criminals implanting devices into chip and pin machines which can copy a bank card’s magnetic strip and record a person’s pin number.
The device cannot copy the chip, which means any fake card can only be used in machines where chip and pin is not implemented – often abroad.
This is a common attack, one that I talk about in Beyond Fear: falling back to a less secure system. The attackers made use of the fact that there is a less secure system that is running parallel to the chip-and-pin system. Clever.
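The fallback the post describes is something an issuer can refuse at authorization time. The rule below is an added illustration, not code from the post, Shell or APACS; the transaction fields, the country codes and the sample records are constructed assumptions. The point it demonstrates: a card the issuer knows was issued with a chip should not normally be accepted through its magnetic stripe, and a cloned stripe is useless if that path is closed.

```python
from dataclasses import dataclass

ISSUER_COUNTRY = "GB"  # assumption: the issuing bank is in the UK

@dataclass
class Transaction:
    card_id: str
    card_has_chip: bool       # issuer's own record of whether this card carries a chip
    entry_mode: str           # "chip" or "magstripe", as reported by the terminal
    terminal_chip_capable: bool
    country: str              # country of the acquiring terminal
    amount_gbp: float

def classify(txn: Transaction) -> tuple[str, str]:
    """Issuer-side decision for one authorization request: (decision, reason)."""
    if txn.entry_mode == "chip":
        return "approve", "chip transaction"
    if not txn.card_has_chip:
        return "approve", "legacy card, magstripe is its only path"
    # From here on: a chip card presented via its magnetic stripe.
    # This is exactly the "less secure parallel system" a skimmed stripe relies on.
    if txn.terminal_chip_capable:
        # Chip card at a chip-capable terminal but swiped: no legitimate reason.
        return "decline", "chip card swiped at chip-capable terminal"
    if txn.country != ISSUER_COUNTRY:
        # Magstripe-only terminal abroad: where cloned UK cards get cashed out.
        return "decline", "chip card on magstripe abroad"
    return "review", "chip card on domestic magstripe-only terminal"

def run_batch(txns: list[Transaction]) -> dict[str, int]:
    """Count decisions over a batch, e.g. for a fraud-monitoring dashboard."""
    counts = {"approve": 0, "review": 0, "decline": 0}
    for t in txns:
        counts[classify(t)[0]] += 1
    return counts

# Constructed sample records (not real card data).
SAMPLE = [
    Transaction("c1", True, "chip", True, "GB", 40.0),
    Transaction("c2", False, "magstripe", True, "GB", 25.0),
    Transaction("c1", True, "magstripe", True, "GB", 30.0),   # swiped chip card at home
    Transaction("c1", True, "magstripe", False, "US", 300.0), # cloned stripe used abroad
    Transaction("c3", True, "magstripe", False, "GB", 12.0),
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(t.card_id, t.entry_mode, t.country, "->", classify(t))
    print(run_batch(SAMPLE))
```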
Moz • May 8, 2006 1:47 PM
Interestingly, it’s not a chip and pin specific vulnerability; any system which just uses a magnetic card and a pin is vulnerable. It’s funny that they didn’t turn off the use of mag-strip and PIN and that they made the mag strip go on the same card as the chip. Why not just force signatures?
Note also that Apacs lied or are totally incompetent. If they could be “confident” (not “fairly sure” or “expect that”) that this was Shell-specific when it wasn’t, then they clearly have no understanding of the system they are running.