Retired Member
Trends in Financial Services

A community to discuss the future of financial services and any other interesting trends, strategies, ideas, views.

Card Users at Risk of Physical Attack

09 May 2008

Despite many sophisticated measures in place to protect cardholder data during and after a credit or debit transaction, the most likely source of PIN compromise is the simplest.  Referred to as “shoulder surfing” it is the oldest and easiest way for a criminal to obtain your PIN.  Unfortunately, the current payment card security standards have all but abandoned any attempt to protect against this threat.

At its simplest level, shoulder surfing is a surveillance-based operation that attempts to observe the entry of a four-digit PIN into an ATM or payment terminal keypad.  This method of stealing the PIN presents a real and significant danger to the cardholder.  The perpetrators usually operate in small gangs.  If the ‘surfer’ is able to see (or record on a hidden camera) the entry of the PIN, he or she immediately communicates to other members of the gang that the PIN has been obtained.  This sets into motion a ruthless and sometimes violent series of events.  Having identified the target, gang members follow the victim with intent to rob.  Their objective is to gain physical possession of the card for which they already know the PIN.  In this scenario, failure to screen the PIN from the ‘surfer’s’ view effectively puts the cardholder at significant risk of robbery and physical attack.

Simple and effective means of PIN protection exist, but are not currently required by the Payment Card Industry (PCI) Security Standards Council.  Early drafts of PCI mandates for PIN Entry Devices (PEDs) required the installation of a mechanical shield that would prevent this most common cause of PIN compromise.  Surprisingly, complaints from retailers, equipment operators and equipment manufacturers resulted in a watering down of that requirement.  Compliance can now be achieved with only a loosely defined, token effort at protection against ‘shoulder surfing.’  This has resulted in privacy shields that are an ineffective semblance of the originally specified shield.

It was shocking to see PED manufacturers arguing that the shield originally specified by PCI could not be physically achieved, particularly since Storm Interface and other manufacturers had already developed effective shields.  Even more shocking was how successful industry objections proved in getting these ‘common sense’ provisions watered down or even abandoned.  As the mandating authorities continue to impose ever more sophisticated, technology-based security provisions, we should continue to press for reinstatement of the most effective and lowest-cost security measure… privacy shields.


Comments: (1)

A Finextra member 10 May, 2008, 02:34

This illustrates one of the problems we sought to correct with mobile phone transactions. It is far easier to see a keypad, let's face it - how many times could you have observed a fellow shopper's PIN? It may be much more difficult to see what is done on a person's own phone keypad.

The other issue is one of personal safety. We built duress signalling into our mobile transaction system so that even if you were held up at an ATM and forced to withdraw cash, you would be able to do so and signal to authorities that you were being robbed - without the attacker being able to tell what you had done.

It always helps to put a little forethought into things.
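The duress signalling the comment above describes, as an added illustration that is not the commenter's system, Finextra's code, or any real bank's implementation: a hypothetical server-side verifier in which a normal PIN and a separate duress PIN both approve the withdrawal and return byte-identical responses, so nothing visible at the terminal reveals which was entered, while the duress case raises a silent alert on the server only. Class, method and field names are assumptions; the work factor is a placeholder.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value, tune per deployment


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest so PINs are never stored or compared in clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, ITERATIONS)


class DuressAwareVerifier:
    """Holds one normal and one duress PIN digest for a single account (hypothetical design)."""

    def __init__(self, normal_pin: str, duress_pin: str):
        if normal_pin == duress_pin:
            raise ValueError("duress PIN must differ from the normal PIN")
        self.salt = secrets.token_bytes(16)
        self.normal_digest = hash_pin(normal_pin, self.salt)
        self.duress_digest = hash_pin(duress_pin, self.salt)
        # Stand-in for an out-of-band channel to the bank's fraud desk or the authorities.
        self.silent_alerts = []

    def verify(self, pin: str, txn_id: str) -> dict:
        """Return the response the terminal (and therefore any bystander) can observe."""
        candidate = hash_pin(pin, self.salt)
        # Both comparisons run unconditionally and in constant time, so neither
        # branching nor timing hints at which digest (if any) matched.
        is_normal = hmac.compare_digest(candidate, self.normal_digest)
        is_duress = hmac.compare_digest(candidate, self.duress_digest)
        if is_duress:
            # The only divergence lives here, server-side and invisible to the terminal.
            self.silent_alerts.append({"txn_id": txn_id, "reason": "duress PIN used"})
        approved = is_normal or is_duress
        # Same structure and wording for both accepted cases: the response for a
        # duress withdrawal is indistinguishable from a normal approval.
        return {"txn_id": txn_id, "approved": approved}
```

The check that matters when reviewing such a design is that the approval path, the response payload and the error handling are shared by both PINs; the alert must be the only side effect that differs.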
