Thursday 8 July 2010

Credit and Debit Card’s Chip And PIN Security?

We all pretty much know how things work when it comes to information, identity, and personal security.

The good guys are always playing catch-up with the bad guys.

The other side of that coin is that the bad guys do not take long to break into the good guys’ stuff.

A lot of companies are presenting the new Chip & PIN structures now commonly found in debit and credit cards as being secure.

But just like any door and key structure (remember this post?), the bad guys are really good at finding the weakest link in the security chain. The linked post was about thieves finding the weakest link in the front door lock on our own office.

Most of the following Web pages in this post came via this Bing search:

Chip and PIN

So, let’s pick one such company and its Chip & PIN statement, a Canadian bank:


6. I've heard of Chip and PIN cards being compromised, is this true?

At this time, we are not aware of the chip being compromised on any Chip and PIN cards. Any compromised issues that have arisen have been due to the magnetic stripe that is also on the card. For the time being, all RBC Chip and PIN Visa cards must also include a magnetic stripe to ensure continued acceptance everywhere (including locations that have not converted to Chip and PIN technology). Without the magnetic stripe cards could not be used at non-chip-enabled terminals. Rest assured that transactions completed with the magnetic stripe on your RBC Chip and PIN Visa card are as safe and secure as ever. RBC maintains aggressive fraud prevention practices to reduce card fraud and to ensure cardholders are protected. In addition, the Visa Zero Liability policy protects you should your card ever be compromised due to fraudulent activity. For more information about this policy, see your cardholder agreement.

The link to the above FAQ as of this writing is: Royal Bank of Canada: Chip and PIN FAQs.

With statements like the above, a debit or credit card issuer may be inclined to deny any fraud claims, possibly leaving the end user with large purchase(s) against their account.

End User Liability

Ultimately, the end user needs to provide some protection against the possibility of their Chip & PIN based debit and/or credit card being compromised. So, leaving the PIN on a sticky note or piece of paper in the same purse/wallet as the card is not a good idea.

Chip & PIN Compromised

One of the pages that came up in the Bing search was a World News Network article called Customers ‘blamed for card fraud’. That WNN landing page’s title actually carried a link to a BBC News article on BBC’s site.

But, the World News Network site also had a link to a video demonstrating a Chip & PIN vulnerability. Be prepared to be shocked.

The above video is well worth watching from start to finish.

Fellow MVP Harry Johnston (Bing search) pointed to the following site in response to a question about Chip & PIN.

These are the folks responsible for the above video.

The blog post about the vulnerability published by the Cambridge group is here:

Note that a link to a working draft of a research paper on this particular vulnerability can also be found there.

The Need For Caution

The need to protect our personal identity and financial situation ultimately resides with us. Knowing what is out there in the way of threats to our financial or personal situation is a part of protecting them. Granted, we may never know all of the ways, but we can do our best to mitigate the risk.

So, logging in daily to keep an eye on our online banking reports, online credit card accounts, and other such services is important. We need to know if there are any fraudulent transactions as soon as possible so that we can address them with the bank or card issuer.

Also, paying attention to the folks running the payment terminals where we make our purchases and not allowing anyone to take the card out of our sight are two ways that can also help to mitigate the risk.

Philip Elder
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*Our original iMac was stolen (previous blog post). We now have a new MacBook Pro courtesy of Vlad Mazek, owner of OWN.
