Shell stops accepting Chip and Pin in Fraud Fiasco, BP to follow?

Petrol giant Shell has suspended chip-and-pin payments at 600 petrol stations across the UK after over £1m was siphoned from customer accounts (sorry about the pun there). Although Apacs (the Association of Payment Clearing Services) said it was related to just one petrol chain, BP is also looking into card fraud at petrol stations in Worcestershire. We don’t know at this stage if the alleged fraud at BP is chip and pin related, but after the February 14th changeover to chip and pin only, the chances of it being so are quite high. Chip and Pin was brought into the UK as a means of providing greater security for consumers; in practice it passes the responsibility and accountability for security onto consumers and away from the card companies. The UK’s implementation is fundamentally flawed for three reasons:

  1. Chip and Pin seems to only involve the ‘pin’ element for most people’s day to day transactions.
  2. Chip and Pin isn’t used online, and the card details can still be obtained from the card itself.
  3. Most Chip and Pin readers in the EU have practical covers over the keypad, ensuring people can’t see what you’re typing. The UK readers don’t have this.

You see, a fundamental part of chip and pin security is based on the idea that you replace something you have (a signature) with something you know (a PIN) as authentication. In theory only you know the PIN, therefore it’s all good. Meanwhile, back in the real world, despite the fact that we have chips on the cards, good old-fashioned magnetic stripes still carry all the info you’d ever need to use the card on-line. The reason for this is that there are plenty of places that don’t actually use chip and pin yet, despite the changeover, and I know of at least one bank and several building societies whose hole-in-the-wall ATMs still rely upon the magnetic stripe.
Using a magnetic stripe reader and writer it’s quite easy to pull the data off the cards. This is known as ‘skimming’ and is nothing new. You probably think this is quite difficult to do, but any idiot with a magstripe reader/writer and a copy of Windows can do it.

For the record, any idiot with Linux and a tape head can do it too, but that’s another post.

I wonder if the people who’ve had money stolen from their accounts will be refunded, or will the banks stick to the “Chip & Pin is infallible, if your money is stolen it’s not our liability” line.

Update: I’ve done some more reading up on Chip and Pin and quite frankly it’s terrifying. You can catch a more detailed post on Chip and Pin here.

Note for BoingBoing Readers: Thanks for visiting! If this is your first time please check out the rest of the site. In particular, you might want to check out some of the other posts here, like the 80s gaming adverts, Anti-Monopoly, Vancouver Aquarium’s Orwellian Moment, Tours you don’t see on Expedia, Thoughts from the Interview room and how to get a job in a Pen Test Team and the Many other magical things to see.


Posted in Business, News, Security.


18 Responses


  1. Ian Nock says

    The snakeoil is in the signature – signatures are NO protection against fraud as they are too hard to copy to the standards required by the average store/station/shop person – most do not look, and those that do can be fooled very easily. The article here talks about the fraud implemented on PIN but does not compare the degree of fraud with PIN with that which is done using the ‘secure’ signature approach. PIN does not stop fraud, just reduces it.

    I would agree though that PIN implementation in the UK is poor because of bizarre rules in each store. The lack of a cover is one issue, the other being the store staff taking the card from you to be read behind the till because of some completely obscure reason even though there is a reader in front of you for entering the PIN – you should never let the card leave your hand. Big stores do this in the UK – like Tescos and most Petrol Stations.

  2. steve says

    Ian, I think you’re absolutely right on the money when it comes to the wacky rules stores have. Whether this is people reading the PIN as it’s keyed in or something else is still uncertain, but we’ll (hopefully) know in time.

    Whilst it is arguable that chip and pin is better than plain swipe cards, the fact is that there’s enough info on the card itself (both visually and on the magstripe) to pull enough info off to make an on-line purchase (less so in cases where the CV2 number isn’t on the magstripe but still doable where CV2 isn’t required). In fact I have a magstripe reader here, if there’s enough demand for it I’ll post a step by step walkthrough of how card skimming works.

  3. Michel Poulain says

    Here, in France, we’ve been using the chip cards since the 70’s (mainly because the inventor is French).

    As there were many frauds, the magnetic stripe has not been used since the 80’s and only the chip-and-pin part of credit cards is used. But there are still magnetic readers, as all the foreign cards use the magnetic stripe part.

    When I go abroad, I’m scared using my card. Nobody’s asking me for my PIN, only for a signature. And everybody can reproduce it, as it’s on the back of my card!!!

    French cards don’t use the magnetic part, as there were cases of fraud with a pirate magnetic reader on top of the real ATM card slot. Using a camera, pirates were able to read the card number and the PIN code.

    But there has still been no case of successful fraud using the chip in the 30 years we’ve been using them. The magnetic stripe should be dropped for real, as it provides ZERO security on chip-and-pin cards.

  4. anon says

    The PINs are not being obtained by external observation (i.e. camera), so would not be solved by a big plastic shroud.

    The problem is that one manufacturer’s pinpads were being internally compromised WITHOUT triggering the Tamper Detect feature (required to get EMV type approval) which should render the device inoperable. Extra electronics was added to the inside of the pinpad, snooping on the device’s keypad and recording the PIN. The mag stripe data was obtained somehow (sleight of hand to use a traditional skimmer, probably), then the thieves could make clone cards and use them at cash machines in the UK and abroad.

    Some pinpads are better than others (completely potted circuitry and more effective Tamper sensors), though.

  5. x says

    hey can you stick a few more ads in here? i can still read the article text.

  6. steve says

    x – have a read of this post on adsense alternatives and you’ll see that I’m playing with the ads at the moment. Sure, there are plenty of them around but if you don’t like them please feel free to use a Firefox extension like adblock to take care of them.

  7. Martinb says

    The liability isn’t shifted to the consumer, but to the retailer *if they don’t have Chip&PIN*. In this case, if Shell have an accredited solution, the card schemes (VISA/Mastercard/AMEX) are ultimately liable.

    Also, many retailers *do* have shields for the PIN pads.

    Do please do your research. You’re reacting to a badly reported scare story.

    Also, your logic is faulty – the problem is the C&P cards still have magstripes. It’s the magstripe that’s a weak link, and yes, those details can still be skimmed and used in non C&P environments. In no way is this a weakness of C&P.

  8. Richard says

    There are so many different kinds of keypads, how do you know the one you’re entering your PIN into is legitimate?

    Some keypads also contain a magnetic stripe reader as part of the pad. This means that the keypad now has enough information to clone the card.

    I did ask my bank about this as soon as I first saw such a device with both keypad and stripe reader, but they just shrugged it off.

    I’m not surprised this has happened.

  9. steve says

    Martinb – I use SouthWest Trains to head into London most mornings, the pads at the train station are directly facing the queue and the shield is tiny and doesn’t cover the pad. The wireless chip and pin at the restaurant I went to (and bar later) – no shield, the waiter/barman can see what I put in.

    According to anon’s post earlier, this was a dodgy C&P device that didn’t shut down – if this is the case then it’s definitely a weakness of C&P, isn’t it?

    As I’ve said, my main sources of grief with C&P cards are that it doesn’t matter because we still use magstripes, and that we use the same PIN used for cash withdrawals as a replacement for the signature.

  10. Dan Soderholm says

    In the UK, most petrol stations don’t actually require PIN codes or signatures if you buy at the pump. The pump has an automated payment system where you put in your card in advance and it allows you to charge up to £60 of petrol onto it without any kind of owner verification – which, of course, is a great way to use stolen credit cards (you’d probably get a few hundred pounds’ worth of petrol from several stations before a card was blocked). I’d imagine this is even more of a problem in Northern Ireland, where illegally imported and distributed fuel is a major source of revenue for organised crime.

  11. skippy says

    The petrol pumps at Tesco just ask you to place the card in the reader,

    however I would hope the CCTV camera has got my reg number, and a good shot of me, before I am let the maximum of £60 of fuel the thing will let me have out at any one time,

    I know that this is not secured against the card, but I hope the audit trail is large enough to prove it wasn’t me filling up someone else’s car

  12. otto says

    C&P is good but only for physical point of sale and only if everyone uses it everywhere. The issue is that you are still vulnerable to having the mag stripe skimmed or the number used, for instance online (i.e. card not present, which is growing at over 20% per annum in the UK). There is a really simple and cheap system in use in Hungary for over five years (and now in Spain, Italy, South Africa, etc.) that has cut fraud for the bank that uses it to less than one twentieth of the UK, and it works in ‘real time’ whatever the form of the fraud. Basically what happens is the bank sends you a text message whenever your card is used (if it is you doing the transaction you just ignore it); if it is not you using the card (i.e. it is fraud) you reply ‘blk’ and the bank then blocks the card, thereby immediately shutting the fraud down. There is a company called SpectrumMessage that offers it (MoneyGUARD) in the UK but none of the UK banks have adopted it yet … maybe they will now …
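The alert-and-reply control otto describes, as an added illustration rather than code from the post or from SpectrumMessage/MoneyGUARD (whose real message format and matching rules are not on the page): a toy issuer that texts the cardholder on every authorisation, blocks the card when a ‘blk’ reply comes back from the registered phone, and declines anything further. Card digits, phone numbers and merchants are constructed for the demo.

```python
"""Added example (not from the post): SMS transaction alert with reply-to-block."""
from dataclasses import dataclass, field

BLOCK_KEYWORD = "blk"  # reply text that blocks the card, as in otto's comment


@dataclass
class CardAccount:
    pan_last4: str            # constructed sample value, not a real card
    phone: str                # constructed sample value (UK drama number range)
    blocked: bool = False
    alerts: list = field(default_factory=list)  # alerts sent for this card


class AlertingIssuer:
    """Toy issuer: every authorisation triggers a text; a 'blk' reply blocks."""

    def __init__(self, accounts):
        self.by_pan = {a.pan_last4: a for a in accounts}
        self.by_phone = {a.phone: a for a in accounts}
        self.outbox = []  # (phone, message) pairs the bank would hand to the SMS gateway

    def authorise(self, pan_last4, merchant, amount_gbp):
        """Approve unless the card is unknown or blocked; alert the cardholder in real time."""
        acct = self.by_pan.get(pan_last4)
        if acct is None or acct.blocked:
            return False
        msg = (f"Card ending {pan_last4} used at {merchant} for GBP {amount_gbp:.2f}. "
               f"Reply {BLOCK_KEYWORD} to block.")
        self.outbox.append((acct.phone, msg))
        acct.alerts.append(msg)
        return True

    def receive_reply(self, from_phone, text):
        """Handle an inbound SMS; return True only if it blocked a card."""
        acct = self.by_phone.get(from_phone)
        if acct is None or not acct.alerts:
            return False  # unknown sender, or no alert outstanding: ignore
        if text.strip().lower() != BLOCK_KEYWORD:
            return False  # any other reply is treated as the cardholder ignoring the alert
        acct.blocked = True
        return True


def demo():
    """Genuine purchase ignored, cloned-card use abroad blocked by reply, retry declined."""
    bank = AlertingIssuer([CardAccount("1234", "+447700900001")])
    ok1 = bank.authorise("1234", "Petrol station, Worcestershire", 45.00)  # genuine
    ok2 = bank.authorise("1234", "Cash machine abroad", 200.00)          # clone in use
    blocked = bank.receive_reply("+447700900001", " BLK ")                # cardholder replies
    ok3 = bank.authorise("1234", "Cash machine abroad", 200.00)          # now declined
    return ok1, ok2, blocked, ok3
```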

  13. dancing_pretzel says

    “The wireless chip and pin at the restaurant I went to (and bar later) – no shield, the waiter/barman can see what I put in.”

    This is why ATM (no chip-and-pin here) machines in Canada have large decals urging you to “cover your PIN” with your other hand as you enter it. The user is reminded that they are responsible for not exposing their secret code, just like they are responsible for not telling it to others or writing it on their card. It’s not unreasonable to expect due caution.

    As for the argument that chip-and-pin is less effective than mag stripe because fraud still happens…fraud is always two steps ahead of slow, expensive technology. Chip-and-pin has cut down straight counterfeit fraud (mag stripe) drastically.

    Sorry to sound touchy about it, but I do work in the field and feel the need to stop misinformation from spreading.

Continuing the Discussion

  1. Boing Boing linked to this post on May 7, 2006

    Shell UK abandons chip-and-pin after £1M fraud…

    Snakeoil Steve sez, “After being repeatedly lied to^H^H^H^H^H^H^Htold by banks and lenders across the UK that Chip and Pin is safe to use and provides better security (it doesn’t, it just shifts financial liability for loss to the consumer instead of…

  2. TechnoPrimitive » Blog Archive » SnakeOil Labs » Shell stops accepting Chip and Pin in Fraud Fiasco, BP to follow? linked to this post on May 7, 2006

    [...] SnakeOil Labs » Shell stops accepting Chip and Pin in Fraud Fiasco, BP to follow? [...]

  3. Skippy.org.uk » Chippy Pin, and Good? linked to this post on May 7, 2006

    [...] Fraud using the new Fraud free chip and pin system, SnakeOil Labs have written in more detail on their post on the topic, [...]

  4. SnakeOil Labs » More info on Chip & Pin issues linked to this post on May 7, 2006

    [...] Previous: Shell stops accepting Chip and Pin in Fraud Fiasco, BP to follow? | Next: [...]

  5. Chip & Pin Fraud at david’s blog linked to this post on May 7, 2006

    [...] I spotted this via BoingBoing: Shell stops accepting chip and pin in fraud fiasco [...]
