A Finextra member 16 October, 2008, 16:38 0 likes

Stephen Wilson said : "And why wouldn't these organised attackers -- so organised they can interfere with the design and manufacture of terminal devices in the factory -- target magnetic stripe devices, as still used in the US?  That would lead to wholesale cloning of cards on a gigantic scale not possible with Chip and PIN."

Simple answer to this is that - with the exception of ATMs, there isn't a proliferation of standalone chip and pin terminals in the U.S.  U.S. Banks usually issue cards that are still signature-based and signed card payments are still pretty much the norm. 

It's actually less beneficial for fraudsters to clone and use signature based cards since :

1. they can't use them for ATM withdrawals  

2. authentic looking laminated cards with corresponding fake ids need to be produced for fraudulent card present transactions. Less face it, it's riskier for fraudsters to do fraudulent signed card-present transactions.

A Finextra member 06 November, 2008, 16:58 0 likes

Extracting chip data using a "tweaked" terminal will generally not reveal enough information to allow a crim to attack the related account.  I say generally, because no one can say for definite what the card issuing inteligensia might or might not have done.  I would say that it is an attack on the Chip and PIN systems, but only on those parts of the systems that have been left wide open by the card issuers - let's not forget that the scam doesn't work for every card!!!

The information that can be extracted from the chip can be used to create a mag stripe clone, or to create a passable (can't say any more than that) chip clone.  The technology does, however, also contain the means of preventing these glaring displays of issuer ineptitude.  You may think this is a little strong in the finger pointing department, but not so if you bear in mind that from the moment the issuers adimit that the horse has bolted, it will take them FOUR YEARS to close the stable door.  

There isn't much point in applying the same principlet to the US mag stripe systems, as the transactions aren't generally PIN based, and the mag stripe data can usually be sniffed as it hops up and down the line.  Also, US card security is based on all transactions being approved online.  If a card is cloned, the AI authorising systems should be capable of spotting it - a transaction performed in Arizona at noon followed by another on the same card in Boston at 12.05 probably indicates some kind of fraud. 

Chip and PIN is sound.  If this were not the case, then Professor Ross Anderson and has Cambridge-based tetris-playing accademic hacking sidekicks would be grinning at us from the front pages of the Daily Mail.  If it were an attack on Chip and PIN, they would be there helping.  It isn't an attack on Chip and PIN, it's the card issuing community equivalent of leaving the unencrypted details of armed forces personnel on the bus.  There are weaknesses because there are people in the process.