Tuesday, May 09, 2006

Fraudster Gangs Deal a Blow to Chip and PIN

Picture of ATM skimming device using a hidden camera.

While North America was under attack in the Debit Card breach a few months ago, Britain rolled out Chip and PIN technology. At the time, the experts promised "Chip and PIN" cards would stop fraud dead in it's tracks.

Criminals are already beating this technology with skimming devices, which are mounted on ATM machines. AND it gets even scarier, the latest devices don't need cameras to record a PIN and can be built from parts ordered over the Internet.

Wikipedia already has an extensive section on Chip and PIN. I was amazed to discover that they were very up to date regarding potential security issues.

Chip and PIN is the name given to the initiative in the UK but countries worldwide are launching their own initiatives based on the EMV standard, which is a group effort between Europay, MasterCard and VISA. By the end of 2004, 100 countries will be using compatible systems based on this standard, and France aims to migrate its existing systems to be compatible with the new cards.

Sean Poulter of the Daily Mail reports on the recent Chip and PIN fraud:

Cloned cards belonging to Britons have been used to withdraw more than £1million in cash from machines in the UK, Paris, Sri Lanka, India and Hong Kong.

One card holder is believed to have lost as much as £25,000.

The police and banks have suggested that the problems at Shell petrol stations, which have centered on Surrey, emerged over the last eight weeks.

However, one Daily Mail reader from that area said his card details were cloned - he believes at a Shell outlet - in July last year.

Other readers believe their card details, including PINs, were stolen at garages operated by other companies, including BP and Esso. Cards have also been cloned at cash machines on at least one Total forecourt and at Tesco stores.

Full story, here.

Reading this, I had to reflect on the recent Debit Card breaches in North America. Early in the story, skimming devices were brought up a potential source. As the compromise spread across the continent, we heard rumors (still never confirmed) that retail systems were hacked. In the end, a few people were arrested and the story faded away.

Quite simply, it seems that the financial industry isn't commenting.

Whether the intention of not commenting is to protect the public, or the financial industry; it is clear that something needs to be done about this in the near term. Hopefully, the lack of information being released on these cases is because a strong investigative effort is underway.

It will be interesting to see what information is released on this latest case and how many more victims this latest caper will claim.

Here is a previous post, I did on the Debit Card breach:

Debit Card Breaches, A Growing Problem


T.L. Stanley said...

Good post. Take care.

NoticeBored said...

Ted, please be careful of jumping to conclusions. I understand the UK chip and PIN incident evidently involved traditional magstripe skimmers. The chip and PIN security remains intact, as far as I know. However, as long as there are still merchant and bank devices using magstripes for authentication, old-fashioned magstripe skimmers will continue working.