Online credit card fraud is always making the headlines. We read something about it in the media almost daily. The online charity appeal for Haiti is a prime example, with cases of banks not authorizing online donations made by some first-time donors. http://news.bbc.co.uk/1/hi/business/8463286.stm
According to industry statistics, online fraud costs the average person around £600 per annum – which is pretty shocking! As a result of some high-profile fraud cases, an initiative, known as PCI DSS, has been introduced by the credit card industry to ensure that all online merchants are trading securely and protecting consumer data.
In the States, it is illegal not to comply with PCI DSS standards and even though it is not yet law in the UK, the penalties are pretty severe if you are found to be running a business that is in breach of these standards.
What does this have to do with chip and pin I hear you ask? Well I’ll tell you. It was revealed by a bunch of computer scientists on Newsnight last Wednesday (10th Feb), that the trusted chip and pin technology may not be as secure as we might think. Indeed, they’ve suggested it’s so full of flaws that the entire chip and pin system should be re-written!
A couple of years ago, these same computer scientists revealed how criminals were able to tap into the communications between a pin terminal and a customer’s card and read off sufficient information to create a clone card. (Something that has happened to me.)
These techies have spent hours hidden away in their laboratory trying to find flaws in chip and pin technology, and they’ve found a loophole in the whole system so glaringly obvious it has shocked even them. They’ve found a way to carry out transactions without needing to know a card’s pin.
So how does it work?
Apparently it’s really simple – all a potential thief would need to do is put a stolen credit card into a ‘bog standard’ card reader (something easily obtainable) that’s hidden away (perhaps in a rucksack?). This card would then communicate with a chip that’s running software written by the thieves and controlled from a laptop. The card information could then be hooked up to a fake card, which slots into an actual terminal in a shop.
The process takes advantage of a flaw in the existing chip and pin system and it makes the terminal think that the correct pin has been entered and that the transaction has been authorized with a signature.
The scientists’ theory was put to the test by a Newsnight reporter and his team. They were given permission to try to make fraudulent payments in one of Cambridge University’s cafeterias, and they used four different cards to prove the theory. They bought goods with all four cards, using “0000” as the pin number each time. In each instance the chip and pin machine’s print-out stated that the purchases had been “verified by pin”.
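The heart of the flaw described above is that the terminal and the card end up with two different stories about how the cardholder was verified: the terminal records “verified by pin”, while the card never checked a pin at all. The following toy model, which I have added here and which is not code from the researchers or from any bank, shows the two records diverging and a simple issuer-side check that flags the mismatch; the record names and the check are my own assumptions, not real EMV fields.

```python
from dataclasses import dataclass


@dataclass
class Card:
    """A genuine card: it only records a PIN as verified if the PIN matched."""
    pin: str
    pin_verified: bool = False  # the card's own record of what happened

    def verify_pin(self, entered: str) -> bool:
        self.pin_verified = entered == self.pin
        return self.pin_verified


@dataclass
class Terminal:
    """The shop's terminal: records what it believes the verification was."""
    cvm_result: str = "NONE"  # "PIN", "SIGNATURE" or "NONE"


def honest_transaction(card: Card, terminal: Terminal, entered: str) -> str:
    """Normal flow: the terminal's record follows the card's real answer."""
    terminal.cvm_result = "PIN" if card.verify_pin(entered) else "SIGNATURE"
    return terminal.cvm_result


def intercepted_transaction(card: Card, terminal: Terminal, entered: str) -> str:
    """Models the flaw in the post: a device between card and terminal answers
    the terminal's PIN check itself, so the card never sees the PIN at all and
    its own record stays 'no PIN verified' while the terminal records 'PIN'."""
    del entered  # never reaches the card
    terminal.cvm_result = "PIN"
    return terminal.cvm_result


def issuer_consistency_check(card: Card, terminal: Terminal) -> str:
    """Assumed issuer-side check: decline when the two records disagree."""
    if terminal.cvm_result == "PIN" and not card.pin_verified:
        return "DECLINE: terminal claims PIN verified but card verified no PIN"
    return "APPROVE"


if __name__ == "__main__":
    card, term = Card(pin="1234"), Terminal()
    print(honest_transaction(card, term, "1234"), issuer_consistency_check(card, term))
    card, term = Card(pin="1234"), Terminal()
    print(intercepted_transaction(card, term, "0000"), issuer_consistency_check(card, term))
```

With the honest flow both records agree and the check approves; with the intercepted flow the terminal says “PIN” (the “0000” of the Newsnight test) while the card says otherwise, and only a party that sees both records can notice.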
Granted – these attacks were part of a computer science experiment but the technology that was used to commit the fraud is not rocket science. All you need is for one clever criminal to build a portable device that would enable people to carry out these types of attacks and sell it on the Internet – and this kind of thing happens already.
The laws governing credit card transactions changed in November last year and now the onus is on the banks to prove that a customer has been negligent in the event of a dispute, which is why everyone is taking PCI DSS so seriously – the repercussions are pretty severe if you don’t.
It is fair to say that chip and pin technology has eliminated face-to-face fraud – but if something is not done about this fundamental flaw in the overall infrastructure that sits behind chip and pin technology, then no one’s card details are safe. It seems to me that a cashless society is still very much a long way off.
Tags: chip and pin, online fraud, PCI DSS
