Chip and pin: false sense of security?
10 May 2006

Last weekend, one of the first cases of fraud involving “chip and pin” payment cards was reported to have forced Shell to suspend the system at its petrol stations.
A brief background to chip and pin: originally, all credit and debit cards carried information on a magnetic strip, and to make a payment, the cardholder had to sign the till receipt, which the cashier was then meant to check against the signature on the back of the card. Chip and pin is supposed to increase security twofold: information is stored in a microchip on the front of the card, which is harder to duplicate; and the cardholder must enter his or her four-digit personal identification number (PIN) to authorise the transaction, instead of signing.
When the system was introduced, I realised that the new system was only as secure as the PIN. If someone discovers the PIN, for example by watching the cardholder at the supermarket checkout, they can then use the card if they manage to steal it, and don’t even need to be good at forging signatures.
This latest fraud seemingly involves keypads in the petrol stations that have been tampered with so that they record the details of the magnetic strip – a form of fraud that has been around for a long time. The difference is that now the fraudsters are also able to record the PIN as it is entered. The information from the magnetic strip is used to make a clone card, which is then used to withdraw money from cash machines. Apparently, cash machines still read the strip instead of the chip as they haven’t been upgraded yet – presumably to reduce the banks’ costs. As the PIN used at the cash machine is the same as the one used for chip and pin, there is no barrier to withdrawing cash up to the cardholder’s limit.
Hopefully, the cash machines will eventually be replaced. But by then, maybe the criminals will have figured out how to read and reproduce the microchips. In the meantime, all the hapless cardholder can do is to be sure to shield the keypad when entering the PIN, and to check account balances and statements regularly. Alternatively, we could all go back to cash.