
Ben Laurie blathering


Chip and PIN Sucks

As everyone should know, chip and PIN reduces “fraud” by blaming everything on the customer. Obviously this had to go pear-shaped at some point, so I’m gratified to learn that rather than a steady trickle of defenceless consumers getting ripped off, which would probably lead to the usual nonsense from the banks, it’s Shell that have had their arse bitten and as a result have stopped doing chip and PIN.

Interestingly, I bought petrol at a Somerfield yesterday and was asked to sign instead of entering my PIN. I wonder if that was related?

6 Comments

  1. Details on the Shell problem are still hard to find, but we have tried to put together a few hypotheses in our blog post The mythical tamper-proof PIN pad?.

    Since that was posted, The Inquirer published a story with details from an inside source. Most interestingly it claims that a crook posing as an engineer picked up the terminal, defeated the tamper resistance, inserted a skimmer then returned the device. Also it said card details were used abroad, where chips are not supported so the magstripe is used. This is a well-known weak point of the system and is not likely to change any time soon.

    Comment by Steven J. Murdoch — 13 May 2006 @ 13:21

  2. Yes, they turned off chip&pin and now accept signature.

    https://www.financialcryptography.com/mt/archives/000713.html

    Comment by Iang — 13 May 2006 @ 15:54

  3. Oh, I see what you mean – “sommerfield” is a different store, not a place. Ignore my previous comment.

    Comment by Iang — 13 May 2006 @ 15:56

  4. According to this article:
    http://www.bankingtech.com/ipi/bankingtech/indextemplate.jsp?pageid=article&contentid=20017351676

    “Fraudsters stole the money by implanting skimming devices in retailer PIN pads which copy details held in the magnetic strips of credit and debit cards.”

    If I read this right, they didn’t use the chip at all, but the information on the mag stripe.

    Why do you conclude that chip and pin sucks, when the chip wasn’t used?

    Comment by Bob Lord — 13 May 2006 @ 21:20

  5. a) The part that sucks is the reliance on the PIN, not the chip.

    b) It has been shown that it’s trivial to force a fallback to the magstripe.

    Comment by Ben — 14 May 2006 @ 6:51

  6. Some store systems are also apparently saving records of the PINs entered.

    Some stores have CCTV cameras pointed at the PIN entry machines!

    Old age pensioners can’t remember their PIN, so write them down.

    Cashiers quite often don’t even look at the cards, so a male can use a female’s card or vice versa.

    In the UK at least it is fairly easy to peer over someone’s shoulder at the checkout.

    etc..

    Can’t wait for National ID cards to come in…

    🙂

    Comment by Steve — 15 May 2006 @ 9:58
