May 16, 2006

Is Chip and PIN much less secure than we thought?

Several people have asked me about the chip and PIN fraud announced in the last few days in the UK. The press has put out some pretty scary headlines that seem to imply that chip cards are much less secure than everyone thought:

Are fraudsters winning numbers game? Chip and pin was supposed to be the ultimate in security, but with the first major scam exposed, Sarah Freeman asks can our identities ever really be safe? (Yorkshire Today)

UK banks rocked by £1 million Chip & PIN card cloning fraud. The UK banking industry's massive investment in Chip & PIN payment cards has been brought into question after fraudsters stole more than £1 million from customers by implanting skimming devices in retailer PIN pads. (Finextra)

Chip and Pin scam is spreading. More serious flaws have been exposed in the chip and Pin system supposed to protect credit and debit card users from fraud. (This is Money)

As it turns out, the fraudsters are using old-school skimming devices to capture magnetic stripe details and PINs, then creating cloned magnetic stripe cards that are used to withdraw cash and pay for goods at machines where the chip is not read, mostly outside the UK.

Chip and PIN, known as EMV everywhere else, pushes fraud away to other parts of the world, which is precisely what happened in Thailand after Malaysia moved to chip. The fraud liability then falls on the acquirer or ATM operator whose systems have not been upgraded. This is the domino effect that is already causing faster and faster EMV migration across the globe.

The Guardian’s version of the story is right on the mark:

Chip and pin pushes card fraud abroad. "Chip and pin is so effective in this country that fraudsters are starting to move their activities overseas," said Emile Abu-Shakra, spokesman for Lloyds TSB. (Guardian)


Sausheong said...

I think in this case, the EMV technology is not the problem, but it's an unexpected side-effect of using EMV with PIN. Previously PINs were only expected at ATM machines, and ATM machines were of higher security. The pinpads at places like a petrol kiosk have much lower security and are therefore more vulnerable to tampering. At the same time, consumers are expected to key in their PINs at the terminals; this presented a very good opportunity for fraudsters to try their luck. The fact that they were caught so easily doesn't speak much for their intelligence though.

This seems like an operational issue with the implementation of Chip and Pin, though not of EMV chip technology itself. At the same time I wonder why this has not occurred in Singapore where hundreds of thousands of people merrily key in their PINs into keypads for the NETS direct debit cards every day for more than ten years now?

Citizen Dave said...

It's interesting that each of the three newspaper stories you use as examples highlights media ignorance in different ways. It wasn't a "chip and PIN" fraud, it was a PIN fraud. Cards weren't "cloned", they were counterfeited, and cardholders and merchants didn't lose any money; the issuing banks did.

Aneace Haddad said...

The 3 news articles at the beginning of my post were very easy to find. Most articles came at the issue from the same angle, implying that something with the chip was broken. The last article I mention at the end was much more level-headed, and much harder to find. Unfortunately, the media gets excited about all the wrong things and doesn't look deep enough into what is really going on.