Petrol giant Shell has suspended chip-and-PIN payments at 600 petrol stations across the UK after over £1m was siphoned from customer accounts (sorry about the pun there). Although Apacs (the Association for Payment Clearing Services) said the fraud was confined to just one petrol chain, BP is also looking into card fraud at petrol stations in Worcestershire. We don't know at this stage whether the alleged fraud at BP is chip-and-PIN related, but after the 14 February changeover to chip and PIN only, the chances of it being so are quite high. Chip and PIN was brought into the UK as a means of providing greater security for consumers; in practice it passes the responsibility and accountability for security onto consumers and away from the card companies. The UK's implementation is fundamentally flawed for three reasons:
- For most people's day-to-day transactions, chip and PIN seems to involve only the 'PIN' element.
- Chip and PIN isn't used online, and the card details needed for an online purchase can still be read straight off the card itself.
- Most chip-and-PIN readers elsewhere in the EU have covers over the keypad so that bystanders can't see what you're typing. UK readers don't have them.
You see, a fundamental part of chip-and-PIN security is the idea that a signature is replaced, as authentication, by something you know (the PIN) presented together with something you have (the chip card). In theory only you know the PIN, so it's all good. Meanwhile, back in the real world, despite the chips on the cards, the good old-fashioned magnetic stripe still carries all the information you'd ever need to use the card online or at a stripe-only terminal. The reason is that plenty of places still don't actually use chip and PIN, despite the changeover, and I know of at least one bank and several building societies whose hole-in-the-wall ATMs still rely on the magnetic stripe.
Using a magnetic stripe reader/writer it's quite easy to pull the data off a card. This is known as 'skimming' and is nothing new. You probably think it's quite difficult to do, but any idiot with a magstripe reader/writer and a copy of Windows can do it.
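To make the "all the info you'd ever need" point concrete, here is an added example (not code from the original post) that decodes the two standard financial-card stripe tracks, ISO/IEC 7813 Track 1 and Track 2, from a raw read and shows which fields sit on the stripe in the clear. The sample track strings are constructed for this example using a well-known test card number, not data from any real card; the field layout and the service-code meanings are the published standard, and the `describe_service_code` summary is this example's own. The point it demonstrates is that the PAN, expiry and cardholder name are on the stripe with no protection, and that the stripe even advertises (via the service code) that the card has a chip, which is exactly what a terminal is supposed to prefer over a stripe fallback.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample reads (NOT real cards). 4111 1111 1111 1111 is the
# widely used Visa test PAN; expiry 12/25; service code 201.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^2512201000000000000?"
SAMPLE_TRACK2 = ";4111111111111111=2512201123456789?"

# ISO/IEC 7813 layouts:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>[^?]*)\?$"
)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>[^?]*)\?$"
)

# Service-code digit meanings (ISO/IEC 7813). Digit 1: interchange rules and
# whether an integrated circuit (chip) is present and preferred.
SC_INTERCHANGE = {
    "1": ("international", False),
    "2": ("international", True),   # chip present, use it where feasible
    "5": ("national", False),
    "6": ("national", True),        # chip present, use it where feasible
    "7": ("private/bilateral", False),
    "9": ("test", False),
}
# Digit 3: allowed services and PIN requirements.
SC_SERVICES = {
    "0": "no restrictions, PIN required",
    "1": "no restrictions",
    "2": "goods and services only",
    "3": "ATM only, PIN required",
    "4": "cash only",
    "5": "goods and services only, PIN required",
    "6": "no restrictions, PIN where feasible",
    "7": "goods and services only, PIN where feasible",
}


@dataclass
class TrackData:
    pan: str
    name: Optional[str]       # only Track 1 carries the cardholder name
    expiry_yymm: str
    service_code: str
    discretionary: str


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check digit test used on card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track(raw: str) -> TrackData:
    """Decode a raw Track 1 or Track 2 read into its fields."""
    m = TRACK1_RE.match(raw)
    if m:
        return TrackData(m["pan"], m["name"], m["exp"], m["sc"], m["disc"])
    m = TRACK2_RE.match(raw)
    if m:
        return TrackData(m["pan"], None, m["exp"], m["sc"], m["disc"])
    raise ValueError("not a recognisable ISO 7813 track read")


def describe_service_code(sc: str) -> dict:
    """Summarise what the 3-digit service code tells a terminal."""
    interchange, chip_preferred = SC_INTERCHANGE.get(sc[0], ("unknown", False))
    return {
        "interchange": interchange,
        "chip_preferred": chip_preferred,
        "services": SC_SERVICES.get(sc[2], "unknown"),
    }


def summarise(raw: str) -> dict:
    """Everything a skimmer learns from one stripe read, in one place."""
    t = parse_track(raw)
    return {
        "pan": t.pan,
        "pan_valid_luhn": luhn_ok(t.pan),
        "name": t.name,
        "expiry": f"{t.expiry_yymm[2:]}/{t.expiry_yymm[:2]}",   # MM/YY
        **describe_service_code(t.service_code),
    }


if __name__ == "__main__":
    for raw in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        print(summarise(raw))
```

Note what is absent from the output: nothing on the stripe authenticates the read. A chip transaction produces a cryptogram the terminal cannot forge; a stripe read is just these static fields, so any terminal or ATM that still accepts the stripe for a card whose service code says "chip preferred" is accepting a copy as readily as the original.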
For the record, any idiot with Linux and a tape head can do it too, but that’s another post.
I wonder whether the people who've had money stolen from their accounts will be refunded, or whether the banks will stick to the "Chip & Pin is infallible, so if your money is stolen it's not our liability" line.
Update: I’ve done some more reading up on Chip and Pin and quite frankly it’s terrifying. You can catch a more detailed post on Chip and Pin here.
Note for BoingBoing Readers: Thanks for visiting! If this is your first time please check out the rest of the site. In particular, you might want to check out some of the other posts here, like the 80s gaming adverts, Anti-Monopoly, Vancouver Aquarium’s Orwellian Moment, Tours you don’t see on Expedia, Thoughts from the Interview room and how to get a job in a Pen Test Team and the Many other magical things to see.