The £1.1bn introduction of chip and Pin cards was sold
to the public and the retail industry, which bore the cost of its
roll-out, with the promise that it would cut the climbing card
fraud bill.
The only problem is it also left the back door open to old-style
fraud, and at the same time increased exposure of the Pin, security
experts believe.
Despite the introduction of a more secure chip system, credit
and debit cards issued in the UK still have a magnetic strip
containing account information. Magnetic strips have long been
known to help criminals who wish to defraud card holders. The data
on the strip is not encrypted and can be easily copied,
contributing to a card fraud bill of £504.8m in the UK in 2003.
Many chip and Pin installations at retailers are “hybrid
terminals” which read not only the data on the chip, but also the
magnetic strip. A tampered hybrid terminal therefore lets fraudsters
capture the strip information and the Pin at the same time.
Last month Shell found evidence of this weakness in the chip and
Pin system to its cost. Using hybrid terminals that had been
tampered with, the criminals were able to copy magnetic information
and capture the Pin. They then defrauded Shell service station
customers of about £1m.
Most UK cash machines do not use magnetic strip information, but
since copied magnetic strip and Pin information can be sent around
the world, experts believe these criminals were able to clone cards
and withdraw cash from US ATMs, which do not use the chip and Pin
system.
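The cross-border pattern described above (strip data and Pin captured at a UK hybrid terminal, then used to clone a card for a magnetic-strip-only ATM abroad) is one an issuer can detect from its own transaction stream: a genuine cardholder cannot make a chip transaction in the UK and a magnetic-strip withdrawal in the US a few hours apart. The following is an added illustration of that check, not code from the article or from any bank or Apacs; the transaction format, the 12-hour window and the sample transactions are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

HOME = "GB"  # issuing country; assumption for this example


@dataclass
class Txn:
    id: str
    ts: datetime
    country: str      # country of the terminal or ATM
    entry_mode: str   # "chip" or "magstripe"
    amount: float


def flag_clone_suspects(txns, window=timedelta(hours=12)):
    """Return magnetic-strip transactions made abroad that fall within
    `window` of a chip transaction at home. A chip read proves the
    genuine card was present at home, so a near-simultaneous strip
    read abroad is most plausibly a clone built from copied strip data.
    """
    ordered = sorted(txns, key=lambda t: t.ts)
    chip_home = [t.ts for t in ordered
                 if t.entry_mode == "chip" and t.country == HOME]
    suspects = []
    for t in ordered:
        if t.entry_mode != "magstripe" or t.country == HOME:
            continue  # only foreign strip reads are of interest here
        if any(abs(t.ts - c) <= window for c in chip_home):
            suspects.append(t)
    return suspects


# Constructed sample: a chip purchase in the UK, a US ATM withdrawal
# eight hours later (clone), and a US withdrawal nine days later with
# no nearby UK chip activity (the cardholder genuinely travelling).
SAMPLE_TXNS = [
    Txn("t1", datetime(2006, 5, 1, 18, 0), "GB", "chip", 42.50),
    Txn("t2", datetime(2006, 5, 2, 2, 0), "US", "magstripe", 300.00),
    Txn("t3", datetime(2006, 5, 11, 15, 0), "US", "magstripe", 200.00),
]

if __name__ == "__main__":
    for t in flag_clone_suspects(SAMPLE_TXNS):
        print(f"suspect {t.id}: {t.country} strip read at {t.ts}")
```

The rule is deliberately narrow: it does not flag strip reads at home or foreign strip reads with no nearby chip activity, so it complements rather than replaces the issuer's other velocity and geography checks.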
Eight people have been arrested in connection with the inquiry
into fraud at the Shell outlets. Shell responded to the discovery
of the fraud by suspending chip and Pin payments as a
precaution.
The banking association, Apacs, which is behind the introduction
of chip and Pin, has attempted to deflect criticism of the chip and
Pin system by arguing that the problem was unique to Shell and the
type of payment pads it used.
But the vulnerability is likely to be much more widespread than
a weakness with a particular manufacturer, model or retailer, said
Ross Anderson, professor of security engineering at Cambridge
University. “There are a lot of bad implementations and there is a
lot wrong with the design,” he said.
Manufacturers may claim Pin pads are tamper resistant, but they
could not withstand an attack by an agent in a well-equipped
laboratory, he said. “You will not find any readers in the UK that
are protected to that level.”
Shell uses Trintech hybrid readers, although similar devices are
made by Ingenico and Diane and sold to retailers, including at
least three major UK retailers.
Hybrid systems are necessary for foreign visitors to pay in the
UK, and UK cards are still issued with magnetic strips to allow UK
travellers to pay abroad.
Until there is a global standard in chip and Pin, the system
will be vulnerable to cross-border fraud, according to David Wray,
principal consultant with independent security firm Sec-Tec.
“The fundamental concept that is flawed with chip and Pin is
that it is not global. At the moment it is inconceivable that the
US would join the system,” said Wray.
The introduction of chip and Pin has increased the risk of fraud
in other ways. Since its introduction, there has been a significant
increase in the exposure of customer Pins, because they are now
used for payment in hundreds of thousands of retailers and
restaurants, as well as for withdrawing cash at ATMs.
A spokeswoman for Apacs said it would not review the use of
hybrid card readers or the inclusion of magnetic strips on UK chip
and Pin cards. “That is going to have to be the case in a world
that uses different types of technology. It is impractical for
people to have separate cards or to be issued new cards when
travelling abroad.”
She said fraud committed abroad on cards issued in the UK had
dropped 11% in the past year. “At the moment we cannot comment on
the specific Pin pad [used in the Shell case]. We did not say it
was impossible for other pads to be compromised in this way. This
was the only type of Pin pad that was successfully compromised.
Others were stolen, but not successfully compromised. We do not
know if the device in question went through the standards
process.”
A spokeswoman for Shell said, “We will reintroduce chip and Pin
as soon as it is possible, following consultation with the terminal
manufacturer, card companies and the relevant authorities, to
ensure that customers can be confident that their transactions are
fully secure.”
Apacs is keen to emphasise that card fraud has dropped since the
introduction of chip and Pin. Overall card fraud fell by 13% to
£439.4m in 2005, and fraud committed using cloned or skimmed cards
fell by 25% to £96.8m. However, card-not-present fraud, involving
telephone and internet commerce, climbed by 21% to £183.2m.
But a paper, co-authored by Anderson, argues that a fall in
fraud could be a temporary phenomenon. Fraud in France fell after
the introduction of chip and Pin in the early 1990s, but began to
climb again because of cross-border fraud using magnetic strip
data. In a comment prescient of the fraud suffered at Shell
outlets, the paper predicted the UK would follow a similar
pattern.
If it does, UK retailers are bound to begin asking why they have
invested hundreds of millions of pounds in integrating chip and Pin
to their point-of-sale systems.