Blog article
See all stories ยป

An article relating to this blog post on Finextra:

Fraudsters rigging Chip and PIN terminals to steal data - report

Hundreds of Chip and PIN terminals in shops and supermarkets across Europe have been rigged by criminals and used to steal shoppers' card details, according to US national counter-intelligence executi...

See article

Credit Card Security

Conventional wisdom says that if merchants will just comply with PCI (payment card industry data security standard), then crooks will not steal card data from merchants. Under this wisdom, the US Federal Trade Commission has been punishing merchants like TJX. However, I don't see how PCI compliance would have stopped this POS terminal hack. The terminals showed no external evidence of tampering! Given how sophisticated the crooks are becoming, my suspicion is the credit card system must change entirely, so that it relies much less on protection of secrets like card number + PIN and more on multiple channels of communication with users (e.g., when I use card, I instantly get phone text message, to which I must reply). --Ben


Comments: (5)

John Dring
John Dring - Intel Network Services - Swindon 15 October, 2008, 14:55Be the first to give this comment the thumbs up 0 likes

It would be a start just to get a test message every time you make a payment.  I mean, how many times do we make a payment in a day.  Even micro-payments are not so frequent (per user) and in a world where we send something like 60 SMS texts per user per day, a few more wont hurt.  Its even reassuring that the system is workign to have your Credit Card issuing bank send you confirmation of the amount you just spent, because as NFC payments and Tap-and-go comes it, you really have no idea what you just paid...and who waits til their statement to find out what that was.  And who can remember if that payment is 20% higher than you remember it.

The problem is that this is value to you the consumer, but not to the Bank.  They figure that it costs them more to implement the system of text sending to everyine than it does to manage the risk of a few who get conned.

Now if the Bank was instructed to implement such systems, and they could be optional for the user (you could set the level of payment that triggered a notification for example).   And because you DONT need to wait and then respond while at the POS, there is no delay at all.

Remember - Chip-and-Pin was not for consumer security, it was added to cover the backs of the banks.  You lose your 4digit PIN, you lose any claim on the transaction.

Now that the Banks have royally messed up, and shown themselves to be incompetent charlatans (well OK, they do provide a service or two) we should all be taking up the case of the customer to balance our rights.


A Finextra member
A Finextra member 16 October, 2008, 14:25Be the first to give this comment the thumbs up 0 likes

your idea and the inevitable trend of enabling cardholders to control the usage of their cards by setting their own user limits that will automatically enable issuing banks to reject or approve card authorization requests and also trigger notifications (to cardholders) is a validation of the system and methods I designed and created in 2000, piloted/trialed in 2002 and which has been granted a patent 6931382 by the USPTO in August of 2005. VISA applied an application with similar claims but theirs was over a year later than mine.

TJX, I believe was not advised, counseled and defended properly.

Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney 17 October, 2008, 22:05Be the first to give this comment the thumbs up 0 likes

I firmly agree that PCI compliance in and of itself does little to mitigate replay attacks using account data stolen through tampered terminals or invading backend databases as in the TJX case.

But I don't see signs that the payments system is broken to the extent that it needs the sort of patching or reengineering as some suggest.  The four cornered payment model is fundamentally sound; the root cause of much fraud, especially CNP fraud, is that merchants are vulnerable to stolen ID data. If it was harder to steal and replay personal data, then we could live with the model for years to come. Remember that the total cost of modifying the underlying model is due to much more than just new technology; the biggest cost cmponent comes from new legal arrangements.  Every time we add a new player, like an SMS service or an authentication gateway let alone a radical new mobile method, we inject new business risks, extra accountabilities, new complexities and overheads.

There are relatively simple ways that we can thwart the replay of stolen ID data against merchant servers, preserving the four cornered payment system model as is, cutting CNP fraud, simplifying backend information systems, and enhancing individual privacy all at the same time.


Stephen Wilson, Lockstep.

Nick Green
Nick Green - ISD Consultants - Northampton 19 October, 2008, 12:24Be the first to give this comment the thumbs up 0 likes

Stephen, It's good to see someone talking sense for once. So often when these items of news appear the systems is always "doomed to failure because it is fatally broken" and technology solutions are punted forward as the answer to everything fraud related. As you correctly state the current model still works and combating fraud has always been an ongoing battle and what is needed is a layered approach there is no silver bullet. The reason for Chip and PIN card was to combat Lost, Stolen and Intecept fraud - and it has. The industry knew the fraud would move elsewhere, it always has, and also recognises errors of judgment were made in some elements of implementation but these are being closed down. It is difficult to reap all the benefits of locking the front door when the backdoor of the US magstripe environment is still wide open. We have to tackle these frauds as they arrive and burdening the consumer with additional technology, like SMS per transaction, isn't the way.

A Finextra member
A Finextra member 20 October, 2008, 11:29Be the first to give this comment the thumbs up 0 likes

I, like many consumers prefer to control my own card account specially if its a prepaid or debit card account.

I also don't want to get notified each and every time I use my card.

What I do want is to set my own user limits and only get notified if a card transaction does not meet those limits.

And yes, it would be great if my card issuer rejects this transaction if it does not meet my user limits. 

I do agree that not one solution will eliminate card fraud but to stubbornly insist that chip and pin will solve the entire problem only points out another hidden agenda which does not entail relieving consumers and merchants of the remaining card fraud. I am only too pleased that a security executive of VISA Inc. stated this : "Rather than replacing all the 12 million card readers in the United States with ones that could handle the Chip and PIN standard, Triplett said the money would be better spent on other fraud-fighting technologies. "