Blog article
See all stories ยป

An article relating to this blog post on Finextra:

Fraudsters rigging Chip and PIN terminals to steal data - report

Hundreds of Chip and PIN terminals in shops and supermarkets across Europe have been rigged by criminals and used to steal shoppers' card details, according to US national counter-intelligence executi...


See article

It's not the terminals fault ... honest!

Another chip and weakness exposed ... it's the bank! 

It might well be that POS terminals, and specifically the PIN entry devices (PEDs), are the technocrims PIN harvester of choice, but I doubt that would that be the case if the harvested card and PIN data were useless.

The crims use the PEDs to record the PIN and to extract the PAN from the chip card.  These two pieces of data are useful because the PAN can be written to a magnetic stripe card, and the PIN can then be used for authentication in a magstrip-only ATM.  However, the PIN is useful only if it can be matched to an equally useful PAN, so if the PAN was useless, so would be the PIN harvesting equipment. 

So why is it so easy for the crims?  It's because the PAN can be copied from the chip to the stripe, and the issuer can't tell (or rather most issuers can't tell).  And it's all because the card issuers (most of them) never bothered to differentiate between PANs on magstripes and PANs on chips.  It was always a part of EMV, but the issuers (most of them) never bothered; so much did they not bother that Visa and MasterCard were forced to mandate this as a compulsory requirement from the begining of this year!!!     

The POS terminals are an easy target NOT because thay are a good place to steal a PIN (we can all do that looking over our fellow customer's shoulder), but because they are a good place to steal a PAN.  It used to be the case that it was hard to steal a PIN, but relatively easy to obtain a PAN - from a discarded receipt , for example.  Now it's the other way round.  If the issuers had bothered to implement iCVV on their first chip cards, there would be no chip-to-magstripe card cloning industry, because the data the crims could extract using the terminals would have been USELESS in a magstripe-only ATM.  The fact is that at the moment it isn't useless at all, but it's not a weakness of the chip, and it's not a weakness of the PIN, it's a weakness of the issuer. 

The ability to clone cards is not an inevitable consequence of chip and PIN technology; it is a fact that the technology explicitly confounds it.  However, the ability to clone cards is 100% the consequence of the issuers development path; and it is also a fact that it will take several years to resolve. 

No worries ... the bank government will always give you your money back.

2905

Comments: (0)