NOT FOOLPROOF
Shell suspended chip-and-pin payments in 600 UK
petrol stations after more than £1m was siphoned
out of customers' accounts. Sandra Quinn,
spokeswoman for the Association of Payment
Clearing Services, said, "These pin pads are
supposed to be tamper resistant, they are
supposed to shut down, so that has obviously
failed." So this so called
"foolproof" system isn't. (Source: BBC News, May/06) |
FRAUD SOARS
Plastic card fraud has soared to its highest ever
level as foreign-based criminal gangs target
British consumers. Eighteen months after chip and
PIN became compulsory, credit and debit card
fraud is up by more than a quarter.
The £263.6 million total in the first half of
the year is the highest six-month figure on
record and puts it on course to break the £505
million annual peak in 2004. The fraud is being
driven by overseas criminals who exploit security
loopholes in countries such as America, where
there is no chip and PIN system, and in France,
Italy and Thailand.
Typically Britons will have their card details or
magnetic strips copied or stolen while abroad.
Alternatively, the details are obtained in
Britain then sent abroad. (Source: Daily Mail, Oct/07)
CHIP AND PIN
A fatal flaw in the
chip and PIN technology that is supposed to guarantee the
security of millions of credit and debit cards has been
identified by scientists. The loophole means stolen cards
can be used in shop terminals and bank cash machines
without being identified. In theory, thieves would be
able to make purchases and cash withdrawals without
needing to key in the four digit PIN or being detected.
Professor Ross Anderson, from the Cambridge University
Computer Lab, has uncovered a number of ways in which the
system can be beaten. However, he claims the latest
discovery is shocking in its simplicity.
Prof Anderson claims the banks may now need to rewrite
the security software around the entire chip and PIN
system in order to make it fully secure. The researchers
discovered that a small circuit board containing a
computer chip and transmitter can be attached to the chip
on the plastic card and concealed up the sleeve. This
communicates with a computer stored in a backpack worn by
the criminal when using the card at a till or cash
machine. When the user is asked for the four digit PIN to
authorise the transaction, they only need to key in a
random code.
The software attached to the card then signals to the
till terminal that a correct PIN has been used. Details
of the flaw were revealed on BBC's Newsnight programme.
It showed how four different cards could be authorised
for purchases in a Cambridge University canteen by using
a fake PIN of 0000. Consumer lawyer, Stephen Mason, told
the programme, "The loopholes in the chip and PIN
system are serious and I don't think they have been
properly addressed by the banks. They really have to think
about this seriously."
The introduction of chip and PIN brought with it a
greater risk that victims of card fraud would have to
carry the cost of any losses. Some banks have refused to
refund losses where they argued consumers had been
careless with their cards or failed to keep their PIN a
secret. Prof Anderson added, "The banks have been
lying about the security of their systems and the
industry regulators have been completely gullible."
But the banks' trade body, the UK Cards Association,
denied the discovery was serious. It said, "We
believe that this complicated method will never present a
real threat to our customers' cards." (Source: Daily Mail, Feb/10)
One in
five people using the new chip and pin credit and debit
cards is still signing for goods rather than using a pin
number. Retailers can refuse to accept signatures if the
customer has a chip and pin card. According to research
by card provider Visa, 20% of people are not using their
pin because they haven't memorised it.
Some shoppers blamed lack of enthusiasm from shop staff,
while others said the new system made them nervous.
Evidence suggests there are also some cardholders who are
not using the new facility because they do not believe
their banks have told them how to. Three in five
cardholders now have a chip and pin card, a new payment
system aimed at combating card fraud.
Chip and pin cards include a "smart" chip, a
better way of storing information than the existing
magnetic strips and when shoppers pay with a chip and pin
card, they are asked to enter a four-digit number instead
of signing a receipt. The aim is to switch all UK cards
to chip and pin by the end of 2005.
A leading security expert warned that new chip and pin
cards could be open to fraud. Professor Ross Anderson,
from Cambridge University, said criminals will be able to
capture card and pin data to "make up" forged
cards but the banking industry rejected his concerns and
said the system is extremely robust.
Mr Anderson said, "The sort of thing that I expect
to go wrong is that villains will set up in business with
equipment that will capture customer pins. Now we're all
being trained to use our pins at the point of sale it's a
simple matter to set up a market stall and capture card
and pin data. They can make up forged cards and use them,
for example, at cash machines."
But Sandra Quinn, who represents banks and retailers on
chip and pin cards, disagreed saying, "We don't
think they can use fake machines because the machines
themselves are engineered to read the chip so they must
be reading the chip very carefully. That makes the
transaction itself extremely secure." (Source: BBC News)
Concerns
are growing that the introduction of chip and pin is
causing serious problems for many thousands of people,
including those who have been forced to adapt now that
the Government has scrapped benefit books in favour of
payments directly into bank accounts. But most vulnerable
by far are older people who could previously cope with
signing a payment slip, but simply cannot remember their
Pin when they are in shops or post offices.
David Sinclair at Help the Aged said, "There are
about 750,000 victims of low-level dementia who will
struggle to use chip and pin. We have come across some
appalling cases where customers have been forced to leave
their shopping behind because they could not remember
their Pin. We have even heard of post offices that keep a
list behind the counter of all the Pin numbers of their
regular customers."
Help the Aged is angered by the fact that there is an
alternative, but it says the banks don't want people to
know about it. People unable to cope with chip and pin
can ask for 'chip and signature' cards that do not
require the user to remember a four-digit number.
"We would like to see an amendment to the banking
code to force banks to offer information on chip and
signature," he said.
The Post Office has also been criticised because of the
apparent inflexibility of its card account, which does
not offer a signature as an alternative to a Pin. The
Government stopped paying benefits such as pensions and
child benefit via post office benefit books and started
payments via bank accounts from April 2003. Many
customers who want to continue collecting their benefits
from their PO now rely on an account that is operated
using a chip and pin card.
Ruth Barker at the Post Office says the organisation has
consulted special interest groups such as the Disability
Rights Commission to make keypads easier to use. She
said, "We train counter staff fully at all branches
on how to help people with the chip and pin machines and
the majority of customers are very happy with the new
system."
She added, "If ever the card cannot be used, for
example when the wrong Pin has been entered accidentally,
we are able to make emergency payments of £20 a day
without the card to regular customers who are known at
the branch. We are doing everything we can to ensure that
people will be helped to use Pin pads successfully, but
those who really cannot use Pin pads will not be expected
to do so." (Source: Mail on Sunday)
Crime
gangs have cracked the chip and pin system, leaving
millions of bank accounts at risk of being plundered.
Banks and customers are powerless to prevent the thieves
helping themselves to their cash. Thousands of accounts
have already been hit by the crooks, who are stealing
codes from card readers at shop checkouts. Anyone who
uses a chip and pin card to pay for their shopping is a
potential target. Gangs are hiding devices inside card
readers to reveal customers' pin numbers.
These are emailed across the world and used to clone a
new card, which is then utilised to empty the
victims' bank accounts. Andrew Goodwill, of fraud
monitoring firm 3rd Man Group, said, "There is
absolutely nothing anyone can do about it. The devices
look no different to those that haven't been
tampered with." The scam was revealed after a police
raid in Birmingham uncovered stolen chip and pin
terminals, account numbers and counterfeit magnetic
stripe cards.
The Dedicated Cheque and Plastic Crime Unit, which
uncovered the fraud, warned, "It should be noted
that the criminals have overcome the security features of
several different manufacturers." Officers
investigating the highly organised gang with
international links have already uncovered at least 100
compromised machines. Mr Goodwill added, "If people
want to be sure fraudsters won't get hold of their
data they shouldn't use their debit or credit
cards."
The security breach has been an open secret in the
industry but operating chiefs have tried to keep it quiet
to avoid spreading panic. Sandra Quinn, of the payments
association Apacs, said, "They steal readers from
retailers, cracking them open, and try to recreate one
and then put it back in a shop. We have been aware that
this has been going on because police have been getting
reports that terminals are being stolen."
Shop owners said the scam could see a return to cash. The
Federation of Small Businesses said, "Plastic is
very popular but now we could see a return in the
popularity of cash, which has been in decline." When
chip and pin was made compulsory in 2006, the industry
said it would slash credit card fraud. The Financial
Ombudsman Service receives around 100 cases a month about
disputed withdrawals. (Source: Daily Express, Aug/08)