Wednesday, February 07, 2007

Chip'n'PIN to the press

A little while ago, I posted a rather worrying article about a very serious potential loophole for fraud in the Chip'N'Pin system. I was then contacted by a journalist who wanted to write a piece on it; I duly put him in touch with my contact, and this article on the front page of Money Matters is the result.

So here is the article by Steve Spurdon (I have blanked out certain names).
Chip and PIN security compromised?

Question marks are being raised about the real level of security provided by chip and PIN technology.

Last year’s introduction of chip and PIN (personal identification number) technology to UK banking and credit cards promised gains in the war against card fraud. According to Sandra Quinn, director of corporate communications at the Association of Payment Clearing Services (APACS), retail card fraud declined by 43% in 2006.

But, she admits, “It is fair to say that chip and PIN is not the silver bullet for all card fraud and fraud always rises in any areas where there is an opportunity. The current loophole remains that not all European countries have upgraded to chip and PIN yet.”

However, press stories have appeared claiming that the UK banking industry has introduced chip and PIN on the cheap, as well as tales of how devices can be used to ‘read’ card details as well as the PIN. But why should fraudsters go to all that bother when, as the following story shows, the security provided is not all that it is said to be?

Last year on 4 November Bill Jxxxxxx, from south of Glasgow, went to fill his car with petrol at a local, independently run garage selling Shell petrol. He paid using his Bank of Scotland chip and PIN card – taking care with the number because he was new to this latest effort to combat card fraud.

However, an hour or so later, Bill received a call from the local police, who asked him to return to the garage as there was a problem with his card. Alarmed and perplexed as to why the police had called him rather than the retailer, Bill returned to the garage.

He asked what the problem was and the person on the till said he’d undercharged Bill because he had entered the wrong pump number. Bill said to cancel the transaction and he’d pay the right amount. But he was told the supervisor had already done that by cancelling the original payment, going into the till's digital data storage, retrieving Bill’s card and PIN number and putting through a new transaction.

The supervisor explained these details were held on the system for up to 40 minutes after each transaction, and added that he had done this sort of additional transaction procedure many times.

Bill and his wife Maria were so worried they decided to pursue the matter. According to Bill: “We contacted Which? legal services but they said it was a police matter. The police were not interested because as far as they were concerned there was no intent to defraud. At this point we contacted the bank to find out where we stood. Customer services were initially unsure of the position and at first told us it was not illegal, but later informed us that it was a fraudulent transaction and an abuse of the Banking Code of Conduct.”

On being contacted, a company spokesman for the Bank of Scotland said: “The petrol station processed a transaction without the card present for £33, this was without authority and without a PIN or signature. When the customer wrote to us we refunded the £33 to his account on 11 December and backdated it to the date the money left his account (6 November). We in turn charged this back to the petrol station as they acted outside their authority.”

Commenting on the case, APACS’ Sandra Quinn stated that no retailer or merchant in a face-to-face environment can access a customer’s PIN: “All card acquirers have strict contractual rules with their merchants/retailers which forbid them to put through a subsequent (as in a card-not-present) transaction after the customer has paid for their item. The card system should not be used to rectify mistakes in charging customers - these should be done with the customer's consent.”

“Most merchants/retailers do not have access to the full PAN (primary account number) details so are therefore technically (as well as contractually) inhibited from running any subsequent transactions. In this case, the merchant obviously did have access to the PAN and used it (but outside of his contractual rules). His card acquirer will be happy to pick this up direct with the merchant if this detailed information is passed on.”

So, on one hand the banks are saying that transactions can not be completed without the presence of the customer, but on the other hand they are saying that performing a ‘customer not present’ transaction is against the Banking Code. If it can’t be done, why forbid it?
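As an added illustration, not part of the article or this blog, the following Python shows how an acquirer could detect the pattern the story describes: a card-not-present transaction on the same card at the same merchant within the 40-minute retention window after a chip-and-PIN sale. It also shows the PAN truncation APACS refers to, under which a merchant keeps only the last four digits. The merchant ids, card numbers and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Txn:
    when: datetime
    merchant: str
    pan: str          # full card number as the acquirer sees it (constructed)
    entry_mode: str   # "chip_pin" (cardholder present) or "cnp"
    amount: float     # pounds

# Constructed sample modelled on the story: a chip-and-PIN sale, then a
# CNP transaction on the same card at the same merchant 35 minutes later
# (inside the 40-minute window), plus two transactions that should not match.
SAMPLE = [
    Txn(datetime(2006, 11, 4, 17, 5), "GARAGE-001", "4929000000001234", "chip_pin", 20.00),
    Txn(datetime(2006, 11, 4, 17, 40), "GARAGE-001", "4929000000001234", "cnp", 33.00),
    Txn(datetime(2006, 11, 4, 18, 10), "BOOKS-002", "4929000000005678", "cnp", 12.99),
    Txn(datetime(2006, 11, 4, 19, 30), "GARAGE-001", "4929000000001234", "cnp", 5.00),
]

def mask_pan(pan: str) -> str:
    """Keep only the last four digits: the form a merchant should retain,
    which is not enough to put through a later CNP transaction."""
    return "*" * (len(pan) - 4) + pan[-4:]

def flag_cnp_after_card_present(txns, window=timedelta(minutes=40)):
    """Return CNP transactions preceded, within `window`, by a card-present
    transaction on the same PAN at the same merchant."""
    flagged = []
    ordered = sorted(txns, key=lambda t: t.when)
    for i, t in enumerate(ordered):
        if t.entry_mode != "cnp":
            continue
        for prior in ordered[:i]:
            if (prior.entry_mode == "chip_pin"
                    and prior.merchant == t.merchant
                    and prior.pan == t.pan
                    and timedelta(0) <= t.when - prior.when <= window):
                flagged.append(t)
                break
    return flagged

if __name__ == "__main__":
    for hit in flag_cnp_after_card_present(SAMPLE):
        print(f"{hit.when} {hit.merchant} {mask_pan(hit.pan)} CNP £{hit.amount:.2f}")
```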

It would be interesting to see whether this now goes any further; I think it unlikely that your humble Devil will be crowing over any scalps but at least I have helped to highlight a potential problem...

3 comments:

Nick said...

I sometimes put card numbers through when people order books from us at work. There are no actual details you need at all, other than the card number, if you say the customer is not present - although it likes you to put in address numerics and a security code for extra checks, it is entirely voluntary. So what this story shows is that the card number, if it was used under a "customer present" transaction, can then be used subsequently for any number of "customer not-present" transactions.

Worrying. But I think it just goes to show that you shouldn't hand your card over to anyone you wouldn't be happy telling your card details to.

John Band said...

It's not at all worrying.

Unlike chip-and-PIN, which is assumed to be secure and which is guaranteed by the card issuers, cardholder-not-present transactions are entirely at the merchant's risk.

If you ring the bank to report a dodgy chip-and-PIN transaction, then you'll have an uphill struggle. But if you ring the bank to report a dodgy CNP transaction, they will immediately reverse it and bill the merchant back.

John B

Anonymous said...

That's all very well for the tech-savvy, but how on earth will Joe Bloggs know the difference between the two in order to report it?