Jarvis Kandik - Storm Interface

Card Users at Risk of Physical Attack

09 May 2008

Despite the many sophisticated measures in place to protect cardholder data during and after a credit or debit transaction, the most likely source of PIN compromise is also the simplest. Known as "shoulder surfing", it is the oldest and easiest way for a criminal to obtain your PIN. Unfortunately, the current payment card security standards have all but abandoned any attempt to protect against this threat.

At its simplest, shoulder surfing is a surveillance-based operation that attempts to observe the entry of a four-digit PIN into an ATM or payment terminal keypad. This method of stealing the PIN presents a real and significant danger to the cardholder. The perpetrators usually operate in small gangs. If the 'surfer' is able to see (or record on a hidden camera) the entry of the PIN, he or she immediately signals to the other members of the gang that the PIN has been obtained. This sets in motion a ruthless and sometimes violent series of events. Having identified the target, gang members follow the victim with intent to rob. Their objective is to gain physical possession of the card whose PIN they already know. In this scenario, failure to screen the PIN from the surfer's view puts the cardholder at significant risk of robbery and physical attack.

Simple and effective means of PIN protection exist, but are not currently required by the Payment Card Industry (PCI) Security Standards Council. Early drafts of the PCI requirements for PIN Entry Devices (PEDs) mandated the installation of a mechanical shield that would prevent this most common cause of PIN compromise. Surprisingly, complaints from retailers, equipment operators and equipment manufacturers resulted in a watering down of that requirement. Compliance can now be achieved with only a loosely defined, token effort at protection against shoulder surfing. The result is privacy shields that are an ineffective semblance of the originally specified shield.

It was shocking to see PED manufacturers argue that the shield originally specified by PCI could not be physically achieved, particularly since Storm Interface and other manufacturers had already developed effective shields. Even more shocking was how successful industry objections proved in getting these common-sense provisions watered down or even abandoned. As the mandating authorities continue to impose ever more sophisticated, technology-based security provisions, we should continue to press for reinstatement of the most effective and lowest-cost security measure: privacy shields.

Tags: Cards, Payments

Comments: (1)

Dean Procter - Transinteract - Sydney | 10 May, 2008, 02:34

This illustrates one of the problems we sought to correct with mobile phone transactions. It is far easier to see a keypad; let's face it, how many times could you have observed a fellow shopper's PIN? It may be much more difficult to see what is done on a person's own phone keypad.

The other issue is one of personal safety. We built duress signalling into our mobile transaction system so that even if you were held up at an ATM and forced to withdraw cash, you would be able to do so and signal to authorities that you were being robbed - without the attacker being able to tell what you had done. 

It always helps to put a little forethought into things. 

