Entries Tagged "chip and pin"

Page 2 of 2

Chip and PIN Vulnerable

This both is and isn’t news. In the security world, we knew that replacing credit card signatures with chip and PIN created new vulnerabilities. In this paper (see also the press release and FAQ), researchers demonstrated some pretty basic attacks against the system — one using a paper clip, a needle, and a small recording device. This BBC article is a good summary of the research.

And also, there’s also this leaked chip and PIN report from APACS, the UK trade association that has been pushing chip and PIN.

Posted on March 12, 2008 at 2:12 PMView Comments

Shell Suspends Chip & Pin in the UK

According to the BBC:

Petrol giant Shell has suspended chip-and-pin payments in 600 UK petrol stations after more than £1m was siphoned out of customers’ accounts.

This is just sad:

“These Pin pads are supposed to be tamper resistant, they are supposed to shut down, so that has obviously failed,” said Apacs spokeswoman Sandra Quinn.

She said Apacs was confident the problem was specific to Shell and not a systemic issue.

A Shell spokeswoman said: “Shell’s chip-and-pin solution is fully accredited and complies with all relevant industry standards.

That spokesperson simply can’t conceive of the fact that those “relevant industry standards” were written by those trying to sell the technology, and might possibly not be enough to ensure security.

And this is just after APACS (that’s the Association of Payment Clearing Services, by the way) reported that chip-and-pin technology reduced fraud by 13%.

Good commentary here. See also this article. Here’s a chip-and-pin FAQ from February.

EDITED TO ADD (5/8): Arrests have been made. And details emerge:

The scam works by criminals implanting devices into chip and pin machines which can copy a bank card’s magnetic strip and record a person’s pin number.

The device cannot copy the chip, which means any fake card can only be used in machines where chip and pin is not implemented – often abroad.

This is a common attack, one that I talk about in Beyond Fear: falling back to a less secure system. The attackers made use of the fact that there is a less secure system that is running parallel to the chip-and-pin system. Clever.

Posted on May 8, 2006 at 12:41 PMView Comments

ID Cards and ID Fraud

Unforeseen security effects of weak ID cards:

It can even be argued that the introduction of the photocard licence has encouraged ID fraud. It has been relatively easy for fraudsters to obtain a licence, but because it looks and feels like ‘photo ID’, it is far more readily accepted as proof of identity than the paper licence is, and can therefore be used directly as an ID document or to support the establishment of stronger fraudulent ID, particularly in countries familiar with ID cards in this format, but perhaps unfamiliar with the relative strengths of British ID documents.

During the Commons ID card debates this kind of process was described by Tory MP Patrick Mercer, drawing on his experience as a soldier in Northern Ireland, where photo driving licences were first introduced as an anti-terror measure. This “quasi-identity card… I think—had a converse effect to that which the Government sought… anybody who had such a card or driving licence on their person had a pass, which, if shown to police or soldiers, gave them free passage. So, it had precisely the opposite effect to that which was intended.”

Effectively – as security experts frequently point out – apparently stronger ID can have a negative effect in that it means that the people responsible for checking it become more likely to accept it as conclusive, and less likely to consider the individual bearing it in any detail. A similar effect has been observed following the introduction of chip and PIN credit cards, where ownership of the card and knowledge of the PIN is now almost always viewed as conclusive.

Posted on December 30, 2005 at 1:51 PMView Comments

Identity Cards Don't Help

Emily Finch, of the University of East Anglia, has researched criminals and how they adapt their fraud techniques to identity cards, especially the “chip and PIN” system that is currently being adapted in the UK. Her analysis: the security measures don’t help:

“There are various strategies that fraudsters use to get around the pin problem,” she said. “One of the things that is very clear is that it is a difficult matter for a fraudster to get hold of somebody’s card and then find out the pin.

“So the focus has been changed to finding the pin first, which is very, very easy if you are prepared to break social convention and look when people type the number in at the point of sale.”

Reliance in the technology actually reduces security, because people stop paying attention:

“One of the things we found quite alarming was how much the human element has been taken out of point-of-sale transactions,” Dr Finch said. “Point-of-sale staff are told to look away when people put their pin number in; so they don’t check at all.”

[…]

Some strategies relied on trust. Another fraudster trick was to produce a stolen card and pretend to misremember the number and search for it on a piece of paper.

Imagine, she said, someone searching for a piece of paper and saying, “Oh yes, that’s my signature”; there would be instant suspicion.

But there was utter trust in the new technology to pick up a fraudulent transaction, and criminals exploited this trust to get around the problem of having to enter a pin number.

“You go in, you put the card in, you type any number because you don’t know what it is. It won’t go through. The fraudster — because fraudsters are so good with people — says, ‘Oh, it’s no good, I haven’t got the hang of this yet. I could have sworn that was my number… I’ve probably got it confused with my other card.’

“They chat for a bit. The sales assistant, who is either disinterested or sympathetic, falls back on the old system, and swipes the card through.

“Because a relationship of empathy has already been established, and because they have already become accustomed to averting their gaze when people put pin numbers in, they don’t check the signature at all.

“So fraud is actually easier. There is very little vigilance at the point of sale any more. Fraudsters know this and they are taking advantage of it.”

I’ve been saying this kind of thing for a while, and it’s nice to read about some research that backs it up.

Other articles on the research are here, here, and here.

Posted on September 6, 2005 at 4:07 PMView Comments

Easy-to-Remember PINs

The UK is switching to a “chip and pin” system for credit card transactions. It’s been happening slowly, but by January (I’m not sure if it is the beginning of January or the end), every UK credit card will be a smart card.

This kind of system already exists in France and elsewhere. The cards have embedded chips. When you want to make a purchase, you stick your card in a slot and type your four-digit PIN on a keypad. (Presumably they will never turn off the magnetic stripe and signature system required for U.S. cards.)

One consumer fear over this process is about what happens if you forget your PIN. To allay fears, credit card companies have been placing newspaper advertisements suggesting that people change their PINs to an easy-to-remember number:

Keep forgetting your PIN?
It’s easy to change with chip and PIN.
To something more memorable like a birthday or your lucky numbers.

Don’t the credit card companies have anyone working on security?

The ad also goes on to say that you can change your PIN by phone, which has its own set of problems.

(I know that the cite I give doesn’t quote a primary source, but I also received the information from at least two readers, and one of them said that the advertisement was printed in the London Times.)

Posted on January 3, 2005 at 10:36 AMView Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.