
Times Online: New fraud risk for chip and PIN revealed


[Image caption: A relatively simple procedure can program a chip and PIN terminal to steal PIN numbers. Photo: David Cheskin]

Jonathan Richards, February 27, 2008

‘Chip and PIN’ cards, which require customers to enter a four-digit code before purchasing goods, may not be as safe as previously thought, according to research.

Customers may unwittingly be handing over their card details and PIN when using the new terminals, which have been widely rolled out at supermarkets, service stations and other outlets, a group of computer security academics has claimed.

According to the research, with a relatively simple 10-minute procedure a merchant can program a chip and PIN terminal to capture all the information needed to clone a chip and PIN card, as well as the customer’s PIN.

The fraudster would then be free to make withdrawals from the customer’s bank account, as well as commit identity fraud, the group said. The researchers, from the Computer Laboratory at the University of Cambridge, said they had no evidence to suggest the problem was widespread, though they were aware of several instances of it happening, including one at a Shell garage in 2006.

They said the vulnerability was caused by manufacturers’ failure to build appropriate encryption technology into the devices, known as PIN-entry devices (PEDs), which meant that information passed between the card and the device unprotected.

APACS, the UK payments association which oversaw the introduction of chip and PIN technology in 2006, acknowledged that the new type of fraud was possible, but said it was not as easy to commit as other types of card fraud, which remained a priority for prevention.

“We’re not denying that this type of fraud is achievable, but there are much easier ways of carrying out the same type of fraud, including skimming cards and capturing the PIN using a pin-hole camera, and that’s what we’re focused on,” an APACS spokeswoman said.

Chip and PIN was introduced as a way of reducing the ease with which criminals could commit card fraud by introducing more robust security in the card itself.

In particular, it was touted as a way to avoid one of the most common types of card fraud, known as ‘skimming’, where unscrupulous merchants copy the information contained in the magnetic strip in order to clone the card.

In January, Visa announced that all new cards that were issued would include new chip technology to counter the fraud. But according to the Cambridge group, some UK banks are still producing cards without a chip-based security technology known as iCVV, which is supposed to alert a merchant or bank if a cloned version of the card is being used.

“Our investigation has exposed a system-level problem, and customers should be putting pressure on banks to reissue cards with ICVV,” Saar Drimer, one of the Cambridge researchers, said. “The banks would then be in a position to spot any fraudulent transaction made by a cloned card.”
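The issuer-side check that Drimer is describing can be made concrete with a small model. The following is an added illustration, not code from the article or from the Cambridge researchers: it models an issuer that derives the card verification value from the PAN, expiry and service code, writes one value to the magnetic stripe and (when iCVV is in use) a different value to the chip, and then recomputes the value when a magnetic-stripe transaction arrives. The key, PAN and expiry are constructed sample values, and an HMAC stands in for the DES-based CVV algorithm that real issuers use; the use of service code 999 for the chip copy is the part that corresponds to iCVV.

```python
import hashlib
import hmac

# Constructed issuer key for this example only; a real issuer keeps CVV keys in an HSM.
ISSUER_CVV_KEY = b"example-issuer-cvv-key-not-real"

# 101 is a typical magnetic-stripe service code. The iCVV scheme computes the chip's
# copy of the CVV with service code 999 instead, so the two values differ.
MAGSTRIPE_SERVICE_CODE = "101"
ICVV_SERVICE_CODE = "999"
CVV_DIGITS = 3


def compute_cvv(pan, expiry, service_code, key=ISSUER_CVV_KEY):
    """Simplified card verification value: the low digits of an HMAC over the
    card data. Stand-in for the issuer's real DES-based CVV algorithm."""
    message = f"{pan}|{expiry}|{service_code}".encode()
    digest = hmac.new(key, message, hashlib.sha256).hexdigest()
    return str(int(digest, 16) % (10 ** CVV_DIGITS)).zfill(CVV_DIGITS)


def personalise_card(pan, expiry, with_icvv):
    """Return the track-2 style data the issuer writes to the stripe and to the chip.
    Without iCVV, both copies carry the same CVV and the issuer cannot tell a
    stripe made from chip data apart from a genuine stripe."""
    stripe_cvv = compute_cvv(pan, expiry, MAGSTRIPE_SERVICE_CODE)
    chip_cvv = compute_cvv(pan, expiry, ICVV_SERVICE_CODE) if with_icvv else stripe_cvv
    base = {"pan": pan, "expiry": expiry, "service_code": MAGSTRIPE_SERVICE_CODE}
    return {
        "magstripe": {**base, "cvv": stripe_cvv},
        "chip": {**base, "cvv": chip_cvv},
    }


def issuer_authorise_magstripe(track):
    """Issuer-side check for a magnetic-stripe transaction: recompute the CVV the
    stripe should carry and compare it in constant time with what was read."""
    expected = compute_cvv(track["pan"], track["expiry"], track["service_code"])
    return hmac.compare_digest(expected, track["cvv"])


def stripe_copy_of_chip_data_accepted(pan, expiry, with_icvv):
    """Model the situation in the article: the data read from the chip is written
    onto a magnetic stripe and presented as a stripe transaction. Returns True
    when the issuer would accept it (no iCVV) and False when it is rejected."""
    card = personalise_card(pan, expiry, with_icvv)
    return issuer_authorise_magstripe(card["chip"])


if __name__ == "__main__":
    sample_pan, sample_expiry = "4000123412341234", "1012"  # constructed values
    for icvv in (False, True):
        accepted = stripe_copy_of_chip_data_accepted(sample_pan, sample_expiry, icvv)
        print(f"iCVV issued: {icvv!s:5}  stripe built from chip data accepted: {accepted}")
```

With iCVV issued, the genuine stripe still authorises, but a stripe carrying the chip's data fails the recomputation because the issuer derives the expected value with the stripe's own service code. Without iCVV the two copies are identical and the check passes either way, which is the gap the Cambridge group is asking banks to close by reissuing cards.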

Mr Drimer added that part of the problem was that there was no independent evaluation of the security technology used. A spokesman for GCHQ, the body which tests the security of devices for both the Government and industry, confirmed that it had not certified the card system.

APACS said that it had tested the devices according to an internationally recognised set of standards known as the Common Criteria – standards which other types of ‘secure devices’ were also required to meet.

A spokesman for Ingenico, the manufacturer of the PED which was manipulated by researchers in the Cambridge tests, said: “The method identified by the Cambridge University paper requires specialist knowledge and has inherent technical difficulties. It is not reproducible on a large scale.”

A spokesman for the British Bankers Association was not immediately available for comment.

According to APACS, losses resulting from plastic card fraud rose by 26 per cent in the first six months of last year to £263.6 million.

Related articles…

BBC News: Petrol firm suspends chip-and-pin (BP is also looking into card fraud at petrol stations in Worcestershire, but it is not known if this is connected to chip-and-pin.)

Shell’s £1m chip and PIN fraud ‘an inside job’

The Guardian: Shell keeps PIN ban after £1m fraud
