How safe is chip and Pin technology?

The £1m fraud at Shell petrol stations last month raised issues about the security of chip and Pin technology, and exposed inherent weaknesses in the system.

The £1.1bn introduction of chip and Pin cards was sold to the public and the retail industry, which bore the cost of its roll-out, with the promise that it would cut the climbing card fraud bill.

The only problem is it also left the back door open to old-style fraud, and at the same time increased exposure of the Pin, security experts believe.

Despite the introduction of a more secure chip system, credit and debit cards issued in the UK still have a magnetic strip containing account information. Magnetic strips have long been known to help criminals who wish to defraud card holders. The data on the strip is not encrypted and can be easily copied, contributing to a card fraud bill of £504.8m in the UK in 2003.

Many chip and Pin installations at retailers are “hybrid terminals” which not only read data from the chip, but also read the magnetic strip. This potentially allows fraudsters to not only capture the strip information, but copy the Pin at the same time.

Last month Shell found evidence of this weakness in the chip and Pin system to its cost. Using hybrid terminals that had been tampered with, the criminals were able to copy magnetic information and capture the Pin. They then defrauded Shell service station customers of about £1m.

Most UK cash machines do not use magnetic strip information, but since copied magnetic strip and Pin information can be sent around the world, experts believe these criminals were able to clone cards and withdraw cash from US ATMs, which do not use the chip and Pin system.
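The cross-border pattern described above (stripe data and PIN skimmed at a UK terminal, then a cloned card used at magnetic-stripe-only ATMs abroad) is something an issuer can look for in its own authorisation records. The following is an added illustration written for this page, not code from Shell, Apacs or any card scheme; the record fields, the six-hour travel window and the sample transactions are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed record shape; field names are an assumption, not a real scheme format.
@dataclass(frozen=True)
class Txn:
    card: str          # constructed card reference, not a real card number
    when: datetime
    country: str       # country of the terminal
    entry_mode: str    # "chip" or "magstripe"
    channel: str       # "pos" or "atm"

MAX_TRAVEL = timedelta(hours=6)  # assumed window for plausible travel between countries

def flag_cloned_stripe(txns):
    """Issuer-side check for the article's pattern: stripe data and PIN skimmed at a
    UK terminal, clone used at stripe-only ATMs abroad. Returns (card, when, reason)."""
    by_card = {}
    for t in txns:
        by_card.setdefault(t.card, []).append(t)
    alerts = []
    for card, hist in by_card.items():
        hist.sort(key=lambda t: t.when)
        chip_uses = [t for t in hist if t.entry_mode == "chip"]
        if not chip_uses:
            continue  # stripe-only card (e.g. a foreign visitor's): nothing to compare
        home = chip_uses[0].country  # assumption: first chip use marks the home country
        for i, t in enumerate(hist):
            if t.entry_mode != "magstripe":
                continue
            prior = [p for p in hist[:i] if p.entry_mode == "chip"]
            if prior and prior[-1].country != t.country \
                    and t.when - prior[-1].when <= MAX_TRAVEL:
                alerts.append((card, t.when, "stripe read in %s shortly after chip read in %s"
                               % (t.country, prior[-1].country)))
            elif t.channel == "atm" and t.country != home:
                alerts.append((card, t.when, "chip card read by stripe at ATM outside %s" % home))
    return alerts

# Constructed sample: A matches the Shell pattern (chip POS in GB, stripe ATM in the
# US four hours later); B is ordinary chip use; C is a stripe-only foreign card at a
# UK hybrid terminal; D is a stripe ATM withdrawal abroad several days later.
SAMPLE = [
    Txn("A", datetime(2006, 5, 1, 10), "GB", "chip", "pos"),
    Txn("A", datetime(2006, 5, 1, 14), "US", "magstripe", "atm"),
    Txn("B", datetime(2006, 5, 1, 10), "GB", "chip", "pos"),
    Txn("B", datetime(2006, 5, 1, 12), "GB", "chip", "pos"),
    Txn("C", datetime(2006, 5, 1, 11), "GB", "magstripe", "pos"),
    Txn("D", datetime(2006, 5, 1, 9), "GB", "chip", "pos"),
    Txn("D", datetime(2006, 5, 4, 9), "US", "magstripe", "atm"),
]
```

Running `flag_cloned_stripe(SAMPLE)` flags cards A and D only; the stripe-only card C is deliberately left alone, since hybrid terminals must still accept such cards from visitors.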

Eight people have been arrested in connection with the inquiry into fraud at the Shell outlets. Shell responded to the discovery of the fraud by suspending chip and Pin payments as a precaution.

The banking association, Apacs, which is behind the introduction of chip and Pin, has attempted to deflect criticism of the chip and Pin system by arguing that the problem was unique to Shell and the type of payment pads it used.

But the vulnerability is likely to be much more widespread than a weakness with a particular manufacturer, model or retailer, said Ross Anderson, professor of security engineering at Cambridge University. “There are a lot of bad implementations and there is a lot wrong with the design,” he said.

Manufacturers may claim Pin pads are tamper resistant, but they could not withstand an attack by an agent in a well equipped laboratory, he said. “You will not find any readers in the UK that are protected to that level.”

Shell uses Trintech hybrid readers, although similar devices are made by Ingenico and Diane and sold to retailers, including at least three major UK retailers.

Hybrid systems are necessary for foreign visitors to pay in the UK, and UK cards are still issued with magnetic strips to allow UK travellers to pay abroad.

Until there is a global standard in chip and Pin, the system will be vulnerable to cross-border fraud, according to David Wray, principal consultant with independent security firm Sec-Tec.

“The fundamental concept that is flawed with chip and Pin is that it is not global. At the moment it is inconceivable that the US would join the system,” said Wray.

The introduction of chip and Pin has increased the risk of fraud in other ways. Since its introduction, there has been a significant increase in the exposure of customer Pins, because they are now used for payment in hundreds of thousands of retailers and restaurants, as well as for withdrawing cash at ATMs.

A spokeswoman for Apacs said it would not review the use of hybrid card readers or the inclusion of magnetic strips on UK chip and Pin cards. “That is going to have to be the case in a world that uses different types of technology. It is impractical for people to have separate cards or to be issued new cards when travelling abroad.”

She said fraud committed abroad on cards issued in the UK had dropped 11% in the past year. “At the moment we cannot comment on the specific Pin pad [used in the Shell case]. We did not say it was impossible for other pads to be compromised in this way. This was the only type of Pin pad that was successfully compromised. Others were stolen, but not successfully compromised. We do not know if the device in question went through the standards process.”

A spokeswoman for Shell said, “We will reintroduce chip and Pin as soon as it is possible, following consultation with the terminal manufacturer, card companies and the relevant authorities, to ensure that customers can be confident that their transactions are fully secure.”

Apacs is keen to emphasise that card fraud has dropped since the introduction of chip and Pin. Overall card fraud fell by 13% to £439.4m in 2005, and fraud committed using cloned or skimmed cards fell by 25% to £96.8m. However, card-not-present fraud, involving telephone and internet commerce, climbed by 21% to £183.2m.

But a paper, co-authored by Anderson, argues that a fall in fraud could be a temporary phenomenon. Fraud in France fell after the introduction of chip and Pin in the early 1990s, but began to climb again because of cross-border fraud using magnetic strip data. In a comment prescient of the fraud suffered at Shell outlets, the paper predicted the UK would follow a similar pattern.

If it does, UK retailers are bound to begin asking why they have invested hundreds of millions of pounds in integrating chip and Pin to their point-of-sale systems.
