Chip & Pin not so secure...

kaiowas said:
I've been wary of something like this happening since I first went to a restaurant that used wireless chip & pin devices.

At the end of the day you're keying your pin number into a random box of electronics that has already read your card and could be doing anything with that information.

In the same way the millions of people do every day at ATMs you mean?
 
Visage said:
In the same way the millions of people do every day at ATMs you mean?

No, an ATM is generally a fixed part of a building and it would require considerable effort to install a fake one without being detected.

A small handheld box that looks like a standard chip and pin reader but stores the card details along with the pin could easily be smuggled into use by any low life capable of getting a temporary job as a waiter or as an overnight petrol station attendant.
 
kaiowas said:
No, an ATM is generally a fixed part of a building and it would require considerable effort to install a fake one without being detected.

A small handheld box that looks like a standard chip and pin reader but stores the card details along with the pin could easily be smuggled into use by any low life capable of getting a temporary job as a waiter or as an overnight petrol station attendant.

Actually, more and more ATMs are now the free standing type you see in corner shops, for example.

No-one is saying the C&P is the end to all card related fraud. What they are saying (and I'd like to see anyone seriously argue this) is that they are more secure than signature based cards. More security is a Good Thing, last time I checked.
 
Von Luck said:
To be fair, the scam didn't compromise the chip technology, it relied upon reading the PIN, cloning the magnetic stripe and then using the cloned cards in ATMs which still read the stripe rather than the chip.

So it's effectively the same old cloning scam, nothing new. The major failure is the fact that not all ATMs or retail outlets have switched to chip-only technology, forcing the legacy magnetic stripe to still be used.

It's not possible to go chip and pin only when so many foreign cards aren't chip and pin. I didn't think compromising the readers was possible, not the ones we have at work anyway. That's nothing other than an inside job, that.

Visage said:
As opposed to signature based cards, with your signature carefully hidden away on the back of the card? ;)

How many retailers will ACTUALLY check the signature? You can use that as an excuse. It's also still a requirement to have that signature on the card, btw.
 
Visage said:
Actually, more and more ATMs are now the free standing type you see in corner shops, for example.

No-one is saying the C&P is the end to all card related fraud. What they are saying (and I'd like to see anyone seriously argue this) is that they are more secure than signature based cards. More security is a Good Thing, last time I checked.

I personally avoid using the free standing types as much as possible (usually because they charge) and if I do have to use one it will only be one that's in the kind of location where it couldn't be easily swapped out with a dodgy unit without someone noticing.

I would agree with you that C&P is better than a signature for deterring casual fraud, for example if you were to lose your card then anyone finding it wouldn't be able to walk into a shop, fake the signature on the back and walk out with an armful of stuff.

However I think C&P is a help to those wishing to commit large scale organised fraud. By removing the human element of having to sign something it makes it a lot easier to commit repeatable fraud on a large scale with a low risk of detection until you are long gone.
 
Organised Crime will always find a way to commit large scale fraud.

Chip and Pin was only there to prevent small scale, opportunistic fraud.

Example:

There was a story a couple of years back (possibly on Crimewatch) where two guys had set up a shop front for a solicitors or similar and stuck a cash machine in there. This was a scrap machine that they had bought and modded. When people tried to use it, it skimmed their card details, captured their PIN when entered and then displayed an error message and returned the person's card.

A month later they shut up shop and left with thousands of cards and pin numbers.

Cash machines have an element of fraud reduction as you can only usually withdraw a maximum of £300.

Chip and Pin and Signatures have unlimited (subject to balance on accounts) spending power. Most shops now have started insisting that chip enabled cards (the majority of UK banks) must use the chip and they will not accept the swipe. This is due to the changes in liability.

At the moment we are going through a transition phase as all old non chip cards are replaced (due to be completed some time in the next year or two). Once this takes place I would be very surprised if any UK bank based cards are accepted without the PIN. It's simply not in the shops' interest to accept signatures.

Chip and Pin has dramatically reduced card fraud:
APACS said:
Chip and PIN reduces counterfeit and lost and stolen fraud by £58.4m - down 24%
 
Sadly I think chip & pin is very insecure.

To the degree of someone looking over your shoulder and then if they acquire your card they have access to all of your money from your bank (okay £300 limit a day or whatever) and access to buy things from shops as they now have your PIN number.

With a signature I feel it isn't the best way but having a signature and then two digits from your card I feel is much better than one or the other.

It's only a matter of time before people start getting ****** over and then there will be something else out - and shops will have to upgrade again.

All IMHO.


Macca
 
stoofa said:

Thank you stoofa, you saved me having to formulate an argument with your excellent and concise post...

Chip and Pin ain't that bad. If you want added protection get a credit card and comb your statement at the end of every month...



Chip and Pin is better simply because of how rarely a person is challenged while signing receipts, if the salesman even looks...
 
m4cc45 said:
Sadly I think chip & pin is very insecure.

To the degree of someone looking over your shoulder and then if they acquire your card they have access to all of your money from your bank (okay £300 limit a day or whatever) and access to buy things from shops as they now have your PIN number.

They still need your card, or a clone of it.

With a signature I feel it isn't the best way but having a signature and then two digits from your card I feel is much better than one or the other.

All they need for that is a clone of your card. They don't even need a PIN and they don't need your signature either, they can put anything on the back. Which is easier?

It's only a matter of time before people start getting ****** over and then there will be something else out - and shops will have to upgrade again.

All IMHO.


Macca

That's progression for you.
 
SidewinderINC said:
But before chip and pin, did the cloners have your PIN number so easily?

My guess would be a definite no, but now they can very easily record it when you tap it in if they have a modified box.

In a word yes.

Before these devices were on ATMs and they got your PIN that way.
 
lemonkettaz said:
Exactly.

Fiddling with an ATM is a bit more tricky than those little handheld things in a shop....

Sometimes there are loads of them in one shop


Not Really???

Just go in the early hours while no one is around, attach your device and done.

With one in-store you have to either be very good at taking the salesmen's attention, get a job there and do a swap, or god knows what else - plus all the cameras in stores could catch you. Sure, there's CCTV around ATMs but just wear a hat and scarf - couldn't go to work like that
 
m4cc45 said:
Sadly I think chip & pin is very insecure.

To the degree of someone looking over your shoulder and then if they acquire your card they have access to all of your money from your bank (okay £300 limit a day or whatever) and access to buy things from shops as they now have your PIN number.

With a signature I feel it isn't the best way but having a signature and then two digits from your card I feel is much better than one or the other.

It's only a matter of time before people start getting ****** over and then there will be something else out - and shops will have to upgrade again.

All IMHO.


Macca

As I say every time this thread comes around, you have two hands, use them. If someone is standing too close - ask them to stand back. You really have to be an idiot to let someone watch you type in your PIN.

As far as people who complain about it not being possible to turn off magnetic stripe readers, I was told 18 months ago in a store that if I didn't know my PIN, a fallback to signature would not be allowed by the terminal. I'm pretty sure the same thing is available to ATMs by now.
 
Telescopi said:
Why? What happens in a year or two?

Pretty much as vonhelmet said. Basically what I meant by that comment is that technology is improving all the time as soon as someone makes a new system its only a matter of time before the process is fully reverse-engineered (such as emulators, etc.) it's only a matter of time before there are devices on the market (and I'm pretty sure there will be now) that read all of your card details (allowing duplication) and then 'remembering' your PIN number.

And yes you can shield your PIN but there have been lots of reports of people sticking camera phones, small transmitting camera, etc. around there so they can get the numbers. Okay they still have to get the card I know.

And the link for the story at the top is:

http://news.bbc.co.uk/1/hi/england/4980190.stm


Macca
 