I see that Cambridge University have hit the news again with claims of flaws in Chip and PIN reader technology.
All commercial systems have security weaknesses. They are a compromise between cost and potential losses. We don’t always get it right. Sometimes we spend too much, sometimes too little. What counts is whether the weaknesses actually lead to losses, and there’s no evidence that any attacks of this nature are being mounted or contemplated.
But regardless of that, it’s irresponsible to publicise weaknesses that cannot be readily addressed in systems affecting millions of customers.
Comments (4)
Totally agree. The media are willing enough to hype things up (earthquake in London, anyone?!) and over stress for affect (and effect!) and then we have more confused and worried users which is not helping in the space. Good pick up / comment, thanks David!
Posted by Andrea Simmons | February 28, 2008 2:46 PM
I am sure the fact that Chip & PIN was just a means of shifting financial responsibility for any losses from the banks to the merchants and was seriously flawed from the outset (I said so at the time it was being considered) is already well known by those involved in this type of malpractice. The public has a right to know if they are being conned into thinking otherwise.
Posted by Stephen Meredith | February 28, 2008 2:58 PM
Chip and Pin is great for the High Street retail business, but the banks were not ready in time for this to impact and push the fraudsters online, where they still have their way most of the time, with PCs being largely unprotected against trojans etc.
Posted by Shirley Goodman | February 29, 2008 3:10 PM
You wrote: "But regardless of that, it’s irresponsible to publicise weaknesses that cannot be readily addressed in systems affecting millions of customers."
Nonsense. Every individual has at least two ways of mitigating the risk presented by C&P cards:
1. Stop using bank cards altogether. It may be radical, but it's certainly possible.
2. More practically, stop using Chip-and-PIN cards, and switch to Chip-and-Signature. All the banks can issue C&S cards, although they like to pretend that they're only for the disabled. I have three credit cards, none of which is a C&P card. Two are issued in the USA, but usable here without problems. One is a Chip-and-Signature card issued by a high-street building society.
Quoting Sandra Quinn (APACS):
"If you’re an overseas customer into the UK, you know big shops in Oxford Street aren’t going to be turning away American customers over the next few weeks; they’re still going to be allowed to sign. And the other option of course is the Chip and Signature card, which a lot of disabled customers hold, and that means again you’ll be able to sign. The technology ensures that will happen."
See:
http://news.bbc.co.uk/1/shared/spl/hi/programmes/money_box/transcripts/04_02_06.txt
I strongly suggest that any reader with a C&P credit card 'phones their bank today and demands a C&S card.
Posted by Andrew Watson | February 29, 2008 4:55 PM