We all pretty much know how things work when it comes to information, identity, and personal security.
The good guys are always playing catch-up with the bad guys.
The other side of that coin is that the bad guys do not take long to break into the good guys’ stuff.
A lot of companies are presenting the new Chip & PIN structures now commonly found in debit and credit cards as being secure.
But just like any door and key structure (remember this post?), the bad guys are really good at finding the weakest link in the security chain. The linked post was about thieves finding the weakest link in the front door lock on our own office.
Most of the following Web pages in this post came via this Bing search:
Chip and PIN
So, let’s pick one such company and its Chip & PIN statement, a Canadian bank:
6. I've heard of Chip and PIN cards being compromised, is this true?
At this time, we are not aware of the chip being compromised on any Chip and PIN cards. Any compromised issues that have arisen have been due to the magnetic stripe that is also on the card. For the time being, all RBC Chip and PIN Visa cards must also include a magnetic stripe to ensure continued acceptance everywhere (including locations that have not converted to Chip and PIN technology). Without the magnetic stripe cards could not be used at non-chip-enabled terminals. Rest assured that transactions completed with the magnetic stripe on your RBC Chip and PIN Visa card are as safe and secure as ever. RBC maintains aggressive fraud prevention practices to reduce card fraud and to ensure cardholders are protected. In addition, the Visa Zero Liability policy protects you should your card ever be compromised due to fraudulent activity. For more information about this policy, see your cardholder agreement.
The link to the above FAQ as of this writing is: Royal Bank of Canada: Chip and PIN FAQs.
With statements like the above, a debit or credit card issuer may be inclined to deny any fraud claims, possibly leaving the end user with large purchase(s) against their account.
- Telegraph.co.uk: Chip and pin scam 'has netted millions from British shoppers'
  - Note the article’s publication date: 2008!
  - The bad guys somehow got their hands on pre/post production payment units before they reached the merchants.
End User Liability
Ultimately, the end user needs to provide some protection against the possibility of their Chip & PIN based debit and/or credit card being compromised. So, leaving the PIN on a sticky note or piece of paper in the same purse/wallet as the card is not a good idea.
Chip & PIN Compromised
One of the pages that came up in the Bing search was a World News Network article called Customers ‘blamed for card fraud’. That WNN landing page’s title actually carried a link to a BBC News article on BBC’s site.
- BBC News: Customers 'blamed for card fraud'
  - Folks accused of having left their PIN somewhere near or _on_ a lost or stolen wallet/purse after fraudulent activity on their account(s).
But, the World News Network site also had a link to a video demonstrating a Chip & PIN vulnerability. Be prepared to be shocked.
The above video is well worth watching from start to finish.
Fellow MVP Harry Johnston (Bing search) pointed to the following site in response to a question about Chip & PIN.
- Light Blue Touchpaper
  - Security Research, Computer Laboratory, University of Cambridge
These are the folks responsible for the above video.
- Light Blue Touchpaper: Chip and PIN is broken
  - The above video is at the bottom of this post.
  - There are _a lot_ of comments on this post and some are well worth the read.
- Light Blue Touchpaper: Blog Category: Banking Security
  - There are a lot of eye-opening posts to be had.
The blog post about the vulnerability published by the Cambridge group is here:
- Computer Laboratory Security Group: EMV PIN verification “wedge” vulnerability
Note that a link to a working draft of a research paper on this particular vulnerability can also be found there.
The Need For Caution
The need to protect our personal identity and financial situation ultimately resides with us. Knowing what is out there in the way of threats to our financial or personal situation is a part of protecting them. Granted, we may never know all of the ways, but we can do our best to mitigate the risk.
So, logging in daily to keep an eye on our online banking reports, online credit card accounts, and other such services is important. We need to know if there are any fraudulent transactions as soon as possible so that we can address them with the bank or card issuer.
- MPECS Inc: It Pays To Pay Attention To All Accounts Online
  - While not a fraudulent transaction, the bank mysteriously “misplaced” several thousand dollars in one of our accounts!
Also, paying attention to the folks running the payment terminals where we make our purchases and not allowing anyone to take the card out of our sight are two ways that can also help to mitigate the risk.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book