Tuesday, 26 February, 2008
- 26 Feb 08, 06:20 PM
Chip and Pin
Whatever you buy in the shops, you probably pay with a chip and pin card. Tonight Newsnight has exclusive evidence that they are vulnerable to fraudsters. The implications could be huge for millions of shoppers. We'll be asking what the banks are going to do about it.
Let us know if you think you have been a victim of chip and pin fraud.
Terror Trial
The missed opportunities in picking up the July 21 bombers can be disclosed today following the conviction of one of the most senior terrorist recruiters in Britain - a man who called himself "Osama bin London". Peter Marshall has the full story.
Jersey Claims
After the horrific findings in a Jersey children's home last week, more accusations have been made on the island today of a "cover-up" in relation to separate child abuse allegations at a school in the 1990s. Are the authorities responsible for a conspiracy of silence over many years or are the claims without foundation? We have a report tonight from Jersey.
Nader Interview
From the US we have an interview with the independent Presidential candidate Ralph Nader - why does he keep running for President and is he proud of his role in helping George W Bush to win the election of 2000?
Comments
Dear Newsnight
Re Nader
Perhaps you need to speak to someone in tactical voting here which seeks to stop votes being split, also involved in the anti-war movement and ask for their views on this and if you can get this person to speak directly to Mr Nader he might ask him to change his mind about standing?
best wishes
Bob
Chip & Pin - I have been subject to a fraud on my card this year. Earlier this month my card company called to ask if I'd used my card for a couple of transactions. The total amounted to some £2,400. The transactions were chip & pin protected, I assume, and items were all purchased over the web.
BUT - I haven't used the card. It was a backup card in case of problems with my main card. I never ever got round to memorising the PIN. Which means that someone inside the organisation of the bank itself, presumably, must have sold the data on. Which was worrying enough to me that I burned the card that same day. Now, I hope, I'll be secure from any demands from the bank asking me to reimburse them - but I don't know. And I'm damn sure I can't afford to take them to court if they demand money from me.
Chip and PIN is ideal to allow business to sell to us over the internet. Yup, it's great for that. But where are the ruddy safeguards?
All best
Mike Jecks
Chip and pin is not as safe as a signature; we are being conned because it makes commerce and banking easier for business, not Joe Bloggs. We cannot trust them at all, given data leaks with people's data which anyone can access if they find it and have criminal intent. It's harder to forge a signature.
Chip and pin is not as safe as a signature, which is more difficult to forge. This is not done for customer convenience, but more for commerce and banking convenience. They cannot be trusted to lose data or leave it out back for the bin man or the criminal fraternity to go through.
The Communications person from APACS stated that the burden of proof is with the bank not customer - I wish Jeremy had asked if the simple response from banks to gain "proof" is "but the PIN was used and only you (Mr customer) have that so you must have been negligent" hmm
My partner has been a victim of card fraud three times now. Over £3000 has been taken and every time it happens he has to take time to mess around at the bank to sort it out. Even when evidence of the fraudsters is quite obvious, i.e. they use a particular cash machine, nothing is done.
What is this costing us in bank charges etc ?
The woman from ARCAS was ridiculous, Paxman should have had her for breakfast.
I was sent a new cc which I never received. Suddenly on my account there were withdrawals of about $3k per month for 3 months, all at the same shop in London, a petrol station, no transactions over $47??? The police were clueless...
Chips & Pin - I suffered from having my card cloned. I had not used my card for quite some time and used it in a BP Garage. A few days later, I got a call querying a number of transactions and it became apparent the card had been cloned. I advised the card issuer that it could only have been done at the BP garage - they weren't particularly interested. I also tried to report this to the local police who also said it was nothing to do with them and a matter for the card company. Since then I've had my card cloned again. When I had swipe and signature cards I never had a problem.
My Debit Card was cloned and attempted use was detected in India three weeks ago by Barclays Security. I appear not to have lost any money thanks to Barclays Security; however, I had only used the debit card in about six places.
It is patently obvious that interception of card details is rife amongst retailers. I suspect a filling station and/or a restaurant in Bournemouth, but for the banks to state on your programme that there is no evidence of chip and pin being compromised is rubbish.
In over thirty years of credit/debit card use, it is only now that I have been the victim of fraud. I would suggest that if anything, chip and pin has made me more vulnerable than before.
Would be happy to provide more info to the BBC if you're interested.
Chip & Pin: My wife's Barclaycard was recently used for several transactions in Sri Lanka. We have not used it much and always for Chip & Pin transactions. It is thought that the card was copied using a modified terminal. The banks elected to go for the cheaper unencrypted option. It seems that decision has now put credit and debit card security at risk.
Dear Newsnight
We have been a victim of Chip & PIN fraud this month. My wife and I are the holders of VISA cards with the same number but different PIN numbers. Money was withdrawn in the Philippines on one of our cards, yet we have never been to that country. The bank was good enough to refund the money immediately and issue new cards. However, after your programme we are going to write and seek the new type of card with enhanced security. If they refuse and we are subjected to fraud again, they will have themselves to blame.
Many thanks for a very informative programme.
Dr Shetewi
Re: Chip and pin
Chip and pin (and credit card fraud in general) will never be secure while all the details required of the card holder are identical for each transaction, making a record of one legitimate transaction a template for another, illegitimate one.
If, for instance, the user was asked for only certain digits of a longer pin number, it would be almost impossible to use details from a single transaction to commit fraud.
Similarly, if credit card issuers provided customers with the option of SMS validation of transactions over an agreed threshold, fraud would require a customer's mobile phone as well as their card, again making it significantly safer to use a credit card.
I was a victim of Chip & Pin fraud last year on my debit card and £500 stolen from my bank account - my card was cloned and used in cash points in Italy. I was reimbursed because I clearly was in the UK when the money was stolen - in fact I was taking money out literally at the same minute it was being stolen.
It is a sickening feeling to find someone is having a good time on your money - but what is even more frustrating is that since the majority of shops now refuse to accept cheques we are FORCED to use chip & pin and yet it is clearly insecure. Carrying sufficient cash around is clearly not a practical alternative option.
Also frustrating is that nobody investigates when you report a chip & pin fraud. It is just accepted that it happens. When I told people about my bad luck I was horrified to hear how many people it had already happened to. I like writing cheques but it is not an option anymore - I resent being forced to use cards all the time. Things will probably just get worse. The authorities and banks have no idea how traumatic it is to find yourself in this situation.
Internet txns are not CHIP & PIN and it does not mean that details were passed on by a bank employee just because a card has not been used. Fraudsters have many means available to them.
Chip & Pin;
I had my card cloned at some point as my account was debited last month through a cash point in the Philippines! I was lucky as it was only 92.00 from two transactions.
My bank (Barclays) were very good at identifying this quickly, and once I sent the fraud claim form all monies were re-imbursed, and a new card was re-issued within 4 days! Well done Barclays!
The only issue is the overdraft charge of £30.00 is taking longer to get back!
I am at a loss as to how or when the card was cloned. But it certainly makes me think at each machine waiting for my secret number like a silent vampire!
I have been the subject of credit card fraud at a petrol station. When paying for petrol the chip and pin machine rejected two cards which had never given problems before or since. The cashier then offered to enter the details manually, looking on the rear of the card to check my signature and no doubt note the 3 digit security code. At the time I was concerned but had no other means of payment. By strange coincidence a rogue payment of £50 appeared on my account 1 week later. The card has now been re-issued. I reported all the details but why do I doubt the c/c company will pursue it, leaving others to fall prey to the same scam.
David Adams
As it was myself who made all correspondence with Egg in this alleged fraud case I will put the case straight for them, as they have made another false statement - well, they have been shamed into answering their correspondence this time... The vital information they required was a general questionnaire that repeats the questions asked when the credit account was reported out of order. "VITAL" Egg were advised the form would not be returned due to the case being investigated. During this enquiry there were six letters sent to Egg by recorded delivery asking questions like why are you investigating the wrong card.
1. What was the number assigned to the Egg card that expired in January 2007?
1. A new card was issued in December what was the number assigned to that card?
2. What date was the above replacement card sent out to me?
3. What was the expiry date for the above replacement card?
4. What date was the above card activated and by what means?
1. Another card was sent to me in March 2007. What was the card number?
2. What was the expiry date for the above replacement card?
3. What date was this Egg card activated and by what means?
Unfortunately they did not have the decency to answer or acknowledge any of these letters or questions.
The best they could do was write to the police and retract their security expert's witness statement. Oh, he was wrong, they were investigating the wrong card. With great help from Ross and his team the case was thrown out of court due to no evidence to offer.
Egg state
at no point did we hold our customer liable
Well they still have about £800.00 pounds of Jane's money and to date have made no attempt to return it. With them removing the money by direct debit after they were advised of the unauthorised action on the account, they must be holding their customer liable. Are they about to issue another retraction statement???
Dave Badger
The old Mag Stripe cards were even more susceptible to cloning, and to insinuate that chip&PIN isn't an improvement is to miss the point.
Chip&PIN (the symmetric cryptography) itself isn't the problem. The problem is now and always has been putting your card into a compromised reader.
Rather than publicise the exploit and arguably make the problem worse, it would be more responsible of the BBC to encourage the public to inspect the readers and look for evidence of tampering; introduce tamper-evident seals on the readers; and always challenge vendors who try to read your card twice.
It's also noteworthy that GCHQ don't have anything to do with chip&PIN, and using their logo to lend sensationalist credence to the story is disingenuous at the least.
Chip & Pin
The key issue here is when retailers swipe the magnetic stripe on your card and then expect you to enter a PIN.
Many major retailers insist on doing this. I have had stand-up arguments with managers in stores (e.g. B&Q, Tesco) when I insist that I will NOT let them swipe my card if they want the PIN. 99.999% of sheep-like consumers just assume that the retailer has the right to do this.
They want to swipe your card for customer data tracking reasons - to track you as a consumer and trace your buying habits. They are happy to increase your risk of falling victim to fraud in order to do this.
The reason why this is important is that it is trivially easy to copy the magstripe. With an email to an accomplice in any country where ATMs don't use chip (that's a lot) your card can be instantly cloned and money extracted from your account.
So will Newsnight now ask a few major retailers into the studio and ask them why they have operational practices that expose their customers unnecessarily to fraud?
I plan to erase the magstripe on one of my cards and use it for a while. To see what happens :-) Should be a laugh.
I am a very recent victim of card fraud when I discovered on 14th February 08 that £1582.95 had been taken from my Barclays Debit account by some fraudster in Malaysia.
I am an OAP living on a pension credit. I have been informed that it will take anything up to 3 weeks for Barclays to investigate this.
The only assistance Barclays have really offered me is to have given me an overdraft facility of £1700 - but am not sure if it is interest free.
Because I am an OAP I never go into overdraft and try to keep my expenses to a minimum because of my financial situation.
I feel totally vulnerable and violated.
Kind regards,
Gillian.
We have recently had over £8000 taken from our account. The thieves seem to have attempted to take over £14000. The bank even let them exceed the overdraft limit.
It seems that this has happened to many people in our town. A particular petrol station is always cited as the problem. The transfers are always to companies in Sri Lanka. Both the police and the banks know about it.
And yet it continues.
What would happen if faith in the banking system were to suddenly collapse?
re Chip and Pin report tonight
It's far worse than you think. Some PED devices send data via radio signals similar to cordless phones. These signals can be picked up 300 metres away. Put a radio van tuned to the correct frequency in the car park of a posh restaurant, hotel, petrol station and even some supermarkets and you will be absolutely amazed at what chip and pin info you can get. Try it out; there may be a follow-up story.
This evening I watched your programme about the faults and vulnerability of chip and pin. I have expressed my concerns to my bank ever since but they are just ignoring me. Who is the customer here? If I say I DO NOT WANT CHIP & PIN they should take heed. I am sick of being dictated to by the finance industry saying how best to manage my money. Also these PDQ machines work on standard fax/telephone line which in itself is not secure.
Chip and pin. It was an interesting program but I saw early last year on TV someone read chip and pin from a laptop in a rucksack only yards from the PED.
I am an Electronics Test Design Engineer; in my experience I've found the more electronic a system becomes the easier it becomes to defraud.
Like the German Enigma machine: Hitler believed it was undecipherable. More electronics, more biometrics, the belief it is safer; in reality it becomes easier.
I worked for a while in the Access Control industry; security is at the end of the day no better than a standard key-lock and key. The perception of RF id and swipe cards, even fingerprint readers, is that they are all only secure until you know how to bypass them.
In conclusion, electronics is a false sense of security and as easily bypassed.
The proposed Biometric passports are easier to forge as the government believe they are not forgeable, so when they are forged no one will suspect.
Brian Forster
My daughter is resident in Central America. She discovered that several thousand pounds had been taken from her bank account, probably through the local ATM, as she doesn't use her card to make purchases. Her bank has said that it is her fault and they will not re-imburse her, so she is having to try to fight this. They sent her a new card, but she can only activate it in the UK, so the level of help available to her seems to be non-existent.
I was the subject of chip and pin fraud between Christmas and New Year. It was a card I only use for business and only for petrol. I discovered about 4 days afterwards that there were small amounts gone out of my account that amounted to around £260. Because I don't use it much I knew exactly when it had been: I had got some petrol from around the corner on New Year's Eve, nothing unusual in the transaction at all, which was quite scary. I phoned the bank and it took a while to get through to the fraud dept, by which time I had worked out that it had been cloned and used in Ghana to get money out, around 30 pounds each time; the transactions had currency conversions and the place name Accra, which I googled and found was in Ghana. I called the local police who admitted that 2 petrol stations in the area were affected. I signed a statement to the bank who reimbursed me, although I queried it with them that so many transactions, even small, had gone through and they had not become suspicious. It seemed obvious that there had been unusual activity in my profile. They said it had "slipped through their net".
Dear Newsnight
RE: Chip & Pin
Your program was very interesting, but the banks/credit card companies are still not taking full responsibilities for any type of fraud being committed or trying to investigate any such fraud.
I have had fraud against my credit card and in one transaction the fraudsters withdrew £7000, and the credit card company did not ever confirm/verify with myself this transaction. Another transaction was carried out at a London Borough Council to pay bills - but the credit card company have refused to look into this saying that since CHIP & PIN was used it is not their debt or responsibility. Even though the credit card company has categorically written to me saying that they are aware of the £7000 transaction and the company where it was carried out being fraudulent - they will not be investigating further. Not only that - they have advised me that a female rang up pretending to be the named card holder changing the full account details twice within three days of each other - including change of address and request for new cards and statements to these addresses. Their response to this change was simply that she answered all the security questions correctly - even though the account was under a male name rather than a female. I have approached many legal institutions, including the Financial Ombudsman and the Citizens Advice Bureau - but have not had much joy.
This fraud has caused my credit rating to plummet - which has resulted in my other credit cards cutting my credit limit drastically, and has also affected me getting a loan for home improvement.
If you have any further advice, it would be most appreciated.
All the Best
Khalid
An additional weakness is that the PIN is held on a database by the credit card company and only protected by trust in ALL the employees of the company.
In addition one credit card company has sent me my PIN by post without my requesting it, "in case I had forgotten it".
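Two of the comments above make concrete design suggestions: the "Re: Chip and pin" post proposes asking for only some digits of a longer PIN on each transaction and confirming larger transactions over SMS, and the post just above notes that the PIN sits in an issuer database protected only by staff trust. The Python below is an added example, not code from Newsnight or any of the commenters, sketching how an issuer could implement both ideas together: the PIN is never stored, only a keyed tag per digit position; each transaction challenges a random subset of positions, so a response captured from one transaction does not answer the next; and amounts over a threshold need a single-use code sent over a second channel. The card id, the 6-digit PIN, the £250 threshold, the issuer key and every other value are constructed for the example.

```python
import hashlib
import hmac
import random
import secrets

# Assumed constants for this example only. A real issuer would hold the key
# inside an HSM so that database staff see neither the key nor the PIN.
ISSUER_KEY = b"constructed-example-key-not-a-real-secret"
PIN_LENGTH = 6              # the comment suggests a PIN longer than four digits
DIGITS_PER_CHALLENGE = 2    # how many positions one transaction asks for
SMS_THRESHOLD_GBP = 250.0   # constructed threshold for out-of-band confirmation


def _tag(card_id: str, position: int, digit: str) -> bytes:
    """Keyed tag for one (card, position, digit) triple."""
    msg = "%s:%d:%s" % (card_id, position, digit)
    return hmac.new(ISSUER_KEY, msg.encode(), hashlib.sha256).digest()


def enrol_pin(card_id: str, pin: str) -> list:
    """Store one keyed tag per PIN position instead of the PIN itself.

    Someone who can read the table cannot read the PIN without the key, which
    is the "protected only by trust in employees" weakness the comment raises.
    """
    if len(pin) != PIN_LENGTH or not pin.isdigit():
        raise ValueError("PIN must be %d digits" % PIN_LENGTH)
    return [_tag(card_id, pos, digit) for pos, digit in enumerate(pin)]


def make_challenge(rng=None) -> tuple:
    """Pick which PIN positions (0-based) this transaction will ask for."""
    rng = rng or random.SystemRandom()
    return tuple(sorted(rng.sample(range(PIN_LENGTH), DIGITS_PER_CHALLENGE)))


def cardholder_answer(pin: str, challenge: tuple) -> str:
    """What the legitimate cardholder keys in: only the requested digits."""
    return "".join(pin[pos] for pos in challenge)


def verify_response(card_id: str, tags: list, challenge: tuple, response: str) -> bool:
    """Check the supplied digits against the stored tags for the challenged positions."""
    if len(response) != len(challenge) or not response.isdigit():
        return False
    ok = True
    for pos, digit in zip(challenge, response):
        # compare_digest is constant-time; keep checking every position rather
        # than returning early so timing does not reveal which digit was wrong.
        ok &= hmac.compare_digest(tags[pos], _tag(card_id, pos, digit))
    return ok


def needs_out_of_band(amount_gbp: float) -> bool:
    """Transactions above the agreed threshold need a second-channel code."""
    return amount_gbp > SMS_THRESHOLD_GBP


class OneTimeCodes:
    """Issue and check single-use codes delivered over a separate channel (SMS).

    With this in place the card and PIN alone are not enough; the phone must
    answer too, as the comment suggests.
    """

    def __init__(self):
        self._pending = {}

    def issue(self, txn_id: str) -> str:
        code = "%06d" % secrets.randbelow(10 ** 6)
        self._pending[txn_id] = code
        return code  # would go out by SMS; returned here so the demo can use it

    def confirm(self, txn_id: str, code: str) -> bool:
        expected = self._pending.pop(txn_id, None)  # single use: gone after one try
        return expected is not None and hmac.compare_digest(expected, code)


def demo() -> dict:
    """Replay test: a response seen on one transaction against a fresh challenge."""
    card, pin = "card-0001", "493817"          # constructed card id and PIN
    tags = enrol_pin(card, pin)
    first = (1, 4)                              # transaction 1 asks positions 1 and 4
    captured = cardholder_answer(pin, first)    # "91", visible to anyone watching
    second = (0, 5)                             # transaction 2 asks different positions
    return {
        "genuine_first": verify_response(card, tags, first, captured),
        "replay_second": verify_response(card, tags, second, captured),
        "genuine_second": verify_response(card, tags, second, cardholder_answer(pin, second)),
    }


if __name__ == "__main__":
    print(demo())  # {'genuine_first': True, 'replay_second': False, 'genuine_second': True}
```

The per-digit tags only hold up while the key stays out of reach of whoever can read the database, which is why the lead-in assumes an HSM; with the key, each position is a ten-way guess. The partial-PIN challenge raises the cost of a single observed transaction, but an observer who sees several transactions still accumulates positions, so the out-of-band code on larger amounts is the control that does not depend on the PIN at all.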
Chip & Pin - I work within the IT Security sector and it was a surprise to me that the card chips do not store our data, especially the PIN, in an encrypted format. This is one of the most basic requirements for data protection, and there are enough solutions and mechanisms available to enable this to happen. Ironically the payment card industry is forcing all retailers to ensure that transaction data is encrypted on all systems between the terminal and the credit card companies, so why is this data not protected at its weakest point?
From the moment the industry moved away from signatures to PIN's it was obvious that the onus of proof was going to secretly switch to the customer from the banks. Given that these computer systems are very technical compared with a simple signature, it's very unlikely that a customer is easily going to be able to prove that they did not give their PIN away rather than have it stolen from them. Compared with signatures, four digit PIN's are now more easily intercepted, remembered and re-produced.
Now that cheques are not accepted in most stores, our only option is to either use a Chip & PIN card, or cash. At least when your wallet is stolen with cash in, you know the limit of your loss.
The sceptic in me wonders if Chip & PIN wasn't simply a way for the banks to facilitate more Internet transactions, with no real regard for the customer's security.
My wife's Switch card has just (last week) been used in the USA, £800.00 in 72 hours from what is called a cloned card. We spotted this and then alerted the bank and asked them to block our cards; it also appears to be her old card, i.e. it was renewed last month. Now we have destroyed the cards by cutting them up. We have been refunded by the bank but it is very worrying; also it seems that there is no chip and pin in America. The bank have not been very forthcoming about what happened or why a UK card can be used without challenge in Walmart stores in America for a purchase of approx £662.00.
Complain about this post
I was the subject of chip and pin fraud between christmas and New Year. It was a card I only use for business and only for petrol. I discovered it about 4 days afterwards that there were small amounts gone out of my account that amounted to around 拢260. Because I dont use it much I knew exactly when it had been, I had got some petrol from around the corner on New Years Eve, nothing unusual in the transaction at all which was quite scary.I phoned the bank and it took a while to get throught to the fraud dept by which time I had worked out that it had been cloned and used in Ghana to get money out, around 30 pounds each time, the transactions had currency conversions and the place name Accra which I googled and found was in Ghana. I called the local police who admitted that 2 petrol stations in the area were affected. I signed a statement to the bank who re imbursed me although I queried it with them that so many transactions, even small had gone through and they had not become suspicious. It seemed obvious that there had been unusual activity in my profile. They said it had "slipped through their net".
Complain about this post
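The kind of issuer-side check the commenter above expected to fire (a rarely used UK petrol card suddenly making a run of small cash withdrawals abroad), written here as an added example that is not from the page or any bank's system; the card history, transaction stream, thresholds and country/travel-notice handling are all constructed for illustration.

```python
# Added example, not part of the original page or any bank's system: a simple
# issuer-side screen that compares each new transaction against the card's
# own history, the check the commenter above expected to catch "so many
# transactions, even small" ones. All data below is constructed.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    when: datetime
    amount_gbp: float
    country: str   # ISO 3166 alpha-2, e.g. "GB", "GH"
    kind: str      # "POS" (shop/forecourt) or "ATM" (cash withdrawal)
    merchant: str


def baseline(history):
    """Summarise how this card is normally used from its past transactions."""
    span_days = max(1, (history[-1].when - history[0].when).days)
    return {
        "countries": {t.country for t in history},
        "kinds": {t.kind for t in history},
        "per_week": 7 * len(history) / span_days,
    }


def score(candidate, seen, base, travel_notice=frozenset()):
    """Return (score, reasons) for one new transaction; 'seen' is the list of
    transactions already attempted on the card, approved or not."""
    reasons = []
    if candidate.country not in base["countries"] and candidate.country not in travel_notice:
        reasons.append("country never seen on this card and no travel notice")
    if candidate.kind not in base["kinds"]:
        reasons.append(f"{candidate.kind} never used on this card")
    window = [t for t in seen if candidate.when - t.when <= timedelta(hours=24)]
    # Velocity: compare the 24h count with the card's usual weekly rate.
    if len(window) + 1 > max(3, 4 * base["per_week"]):
        reasons.append("24h count far above this card's baseline")
    # Repeated near-identical amounts in one new location is the classic
    # "drain the account in small withdrawals" signature.
    similar = [t for t in window
               if t.country == candidate.country and abs(t.amount_gbp - candidate.amount_gbp) < 5]
    if len(similar) >= 2:
        reasons.append("repeated similar amounts at the same location")
    return len(reasons), reasons


def review_stream(history, stream, travel_notice=frozenset(), threshold=2):
    """Screen transactions in order; returns [(txn, decision, reasons), ...]."""
    base = baseline(history)
    seen, out = [], []
    for t in stream:
        s, why = score(t, seen, base, travel_notice)
        out.append((t, "REFER" if s >= threshold else "APPROVE", why))
        seen.append(t)
    return out


def demo(travel_notice=frozenset()):
    """Constructed scenario from the comment: a petrol-only card, then a run of
    ~£30 ATM withdrawals in Accra two days after a New Year's Eve fill-up."""
    history = [Txn(datetime(2007, m, 15, 18, 0), 40.0 + m, "GB", "POS", "Petrol Station")
               for m in range(1, 13)]
    stream = [Txn(datetime(2007, 12, 31, 17, 0), 38.0, "GB", "POS", "Petrol Station")]
    t0 = datetime(2008, 1, 2, 3, 10)
    for i, amt in enumerate([30.5, 29.8, 30.2, 30.9, 29.5, 30.1, 30.4, 29.9]):
        stream.append(Txn(t0 + timedelta(minutes=5 * i), amt, "GH", "ATM", "ATM Accra"))
    return review_stream(history, stream, travel_notice)


if __name__ == "__main__":
    for t, decision, why in demo():
        print(f"{t.when:%Y-%m-%d %H:%M} {t.country} {t.kind} £{t.amount_gbp:6.2f} {decision} {why}")
```

The very first Accra withdrawal already trips two rules against this card's baseline; with a travel notice for Ghana on file the first two pass, and the repeated-amount pattern still refers the third.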
Card fraud is so easy to do my 8 year old could do it. I am a retailer with a small business and I have to foot the bill for fraudulent transactions. You ask the customer all the required questions and the parcels are delivered to the same address as the card holder. I have proof of delivery and then you get a chargeback from the bank. You go to the bank to ask for help, they say it's a police matter; then you go to the police and they say it's a bank matter.
Either way you cannot win. It's a waste of time.
Complain about this post
Chip & Pin
The key issue here is when retailers swipe the magnetic stripe on your card and then expect you to enter a PIN.
Many major retailers insist on doing this. I have had stand-up arguments with managers in stores (e.g. B&Q, Tesco) when I insist that I will NOT let them swipe my card if they want the PIN. 99.999% of sheep-like consumers just assume that the retailer has the right to do this.
They want to swipe your card for customer data tracking reasons - to track you as a consumer and trace your buying habits. They are happy to increase your risk of falling victim to fraud in order to do this.
The reason why this is important is that it is trivially easy to copy the magstripe. With an email to an accomplice in any country where ATMs don't use chip (that's a lot) your card can be instantly cloned and money extracted from your account.
So will Newsnight now ask a few major retailers into the studio and ask them why they have operational practices that expose their customers unnecessarily to fraud?
I plan to erase the magstripe on one of my cards and use it for a while. To see what happens :-) Should be a laugh.
Complain about this post
The old Mag Stripe cards were even more susceptible to cloning, and to insinuate that chip&PIN isn't an improvement is to miss the point.
Chip&PIN (the symmetric cryptography) itself isn't the problem. The problem is now and always has been putting your card into a compromised reader.
Rather than publicise the exploit and arguably make the problem worse, it would be more responsible of the BBC to encourage the public to inspect the readers and look for evidence of tampering; introduce tamper-evident seals on the readers; and always challenge vendors who try to read your card twice.
It's also noteworthy that GCHQ don't have anything to do with chip&PIN, and using their logo to lend sensationalist credence to the story is disingenuous at the least.
Complain about this post
Chip and PIN. It was an interesting programme, but I saw early last year on TV someone read chip and PIN from a laptop in a rucksack only yards from the PED.
I am an Electronics Test Design Engineer; in my experience I've found the more electronic a system becomes, the easier it becomes to defraud.
Like the German Enigma machine: Hitler believed it was undecipherable. More electronics, more biometrics, the belief is that it is safer; in reality it becomes easier.
I worked for a while in the Access Control industry; security is, at the end of the day, no better than a standard key-lock and key. The perception of RFID and swipe cards, even fingerprint readers, is that they are all secure, but only until you know how to bypass them.
In conclusion, electronics is a false sense of security and as easily bypassed.
The proposed biometric passports are easier to forge as the government believe they are not forgeable, so when they are forged no one will suspect.
Brian Forster
Complain about this post
Chip & PIN: Good report - finally someone is putting pressure on the banks, credit card companies and PIN pad manufacturers.
All arguments that it is not feasible are wrong. With a little electronics engineering background and a bit more in the computing domain, I can tell that the attack didn't look very sophisticated. Yes, one has to have the specialist knowledge, but it's not neurosurgery, i.e. there are plenty of people with a sufficient level of expertise.
What's more: to make it viable, fraudsters have to hire one person who would do the initial research and implementation - the rest is mere replication. With stakes of £400m/year the feasibility argument is just false. With such payouts I could imagine whole factories producing spoofed PIN pads just to be swapped for real ones at retail points.
I just wish Prof Anderson suggested solution(s) to the problem: application of cryptography and a requirement (i.e. regulation) for the PIN pads to identify themselves to banks in order to finalize the transaction, and having all transactions on-line. Yes, unfortunately a substantial amount of card transactions are still off-line, i.e. a given retailer accumulates a batch of transactions and at the end of the day processes them. It can be seen on our bank statements, which very often show transactions with a delay of a couple of days. On-line, real-time card and card owner verifications are doable with the present amount of technology modern societies have at their disposal. Also the whole area of trusted hardware and/or tamper-proof hardware, both of which have seen much research done by industry and academia, comes to mind with regards to PIN pads. As it seems from the report, pad manufacturers haven't been forced by any regulations to deliver fairly secure hardware.
Last comment: Cambridge researchers said that PIN pad producers almost deliberately left holes in the circuit board, which helped to get hooked up to the PIN pad. I don't think that is the case. Connecting elements on the circuit board is not an easy problem. Very often a given signal track has to be plotted through the board to the other side or even inside the board, as those boards often have more than one layer. Such a manoeuvre is implemented by having a metallized hole going through the board and connecting the layers that ought to have a connection.
Complain about this post
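The commenter's proposal that PIN pads identify themselves to the bank cryptographically and that every transaction be authorised on-line, as an added toy exchange that is not from the page or from any payment scheme; the terminal ids, account, key provisioning and message layout are all constructed. Real EMV has the card, not the terminal, generate the on-line cryptogram (ARQC), so this models only the terminal-identification step the comment asks for.

```python
# Added example, not from the page or any payment scheme: a toy online
# authorisation exchange in which each PIN pad holds a per-device key
# provisioned by the issuer and MACs every request, so a swapped-in pad,
# a tampered amount or a replayed request is refused before money moves.
# Real EMV has the card, not the terminal, generate the cryptogram (ARQC);
# this models only the terminal-identification step the commenter proposes.
import hashlib
import hmac
import json
import secrets


def canonical_mac(key, body):
    """HMAC-SHA256 over a canonical JSON encoding so both sides MAC identical bytes."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Issuer:
    def __init__(self):
        self.device_keys = {}      # terminal_id -> key, provisioned out of band
        self.seen_nonces = set()   # rejects replays of an already-authorised request
        self.balances = {"acct-001": 500.0}   # constructed account

    def provision(self, terminal_id):
        key = secrets.token_bytes(32)
        self.device_keys[terminal_id] = key
        return key

    def authorise(self, request):
        body, tag = request["body"], request["mac"]
        key = self.device_keys.get(body.get("terminal_id"))
        if key is None:
            return {"ok": False, "reason": "unknown terminal"}
        if not hmac.compare_digest(canonical_mac(key, body), tag):
            return {"ok": False, "reason": "bad terminal MAC"}   # spoofed pad or tampered body
        if body["nonce"] in self.seen_nonces:
            return {"ok": False, "reason": "replay"}
        self.seen_nonces.add(body["nonce"])
        acct = body["account"]
        if self.balances.get(acct, 0.0) < body["amount"]:
            return {"ok": False, "reason": "insufficient funds"}
        self.balances[acct] -= body["amount"]
        return {"ok": True, "auth_code": secrets.token_hex(4)}


class PinPad:
    """A terminal; PIN entry and card-side EMV processing are out of scope here."""
    def __init__(self, terminal_id, key):
        self.terminal_id, self.key = terminal_id, key

    def build_request(self, account, amount):
        body = {"terminal_id": self.terminal_id, "account": account,
                "amount": amount, "nonce": secrets.token_hex(16)}
        return {"body": body, "mac": canonical_mac(self.key, body)}


def demo():
    """Run the scenarios the commenter worries about; returns {scenario: outcome}."""
    issuer = Issuer()
    key = issuer.provision("T-001")
    genuine = PinPad("T-001", key)
    results = {}
    req = genuine.build_request("acct-001", 30.0)
    results["genuine"] = issuer.authorise(req)["ok"]
    results["replay"] = issuer.authorise(req)["reason"]
    # Factory-made lookalike pad: knows the terminal id but not the provisioned key.
    spoofed = PinPad("T-001", b"\x00" * 32)
    results["spoofed pad"] = issuer.authorise(spoofed.build_request("acct-001", 30.0))["reason"]
    # Pad never registered with the issuer at all.
    unknown = PinPad("T-999", key)
    results["unknown terminal"] = issuer.authorise(unknown.build_request("acct-001", 30.0))["reason"]
    # Amount altered in transit after the pad computed its MAC.
    tampered = genuine.build_request("acct-001", 10.0)
    tampered["body"]["amount"] = 400.0
    results["tampered amount"] = issuer.authorise(tampered)["reason"]
    results["balance"] = issuer.balances["acct-001"]
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:18} -> {outcome}")
```

Only the genuine pad's first request debits the account; the same mechanism gives the issuer nothing to go on if the pad is physically tampered after provisioning, which is why the report's tamper-resistance point stands alongside it.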
I have recently been the subject of card fraud. I subscribe to on-line banking and check my accounts frequently. 2 weeks ago I discovered that one of my bank accounts was in the red by nearly £1000. I don't do red and never go overdrawn, and upon investigation I found that there were 15 transactions of various amounts all for the same retailer.
I expected a long drawn out fight to get my money back, but no, my bank has set up a complete call centre to handle fraud situations and I was surprised to be shepherded through a very simple procedure, and within 48 hours of signing a form declaring that the transactions were not mine, I had all of the money credited back to my account. I was also advised to check my statements very carefully and let them know of any charges as a result of this fraud, and these would also be reversed. The bank also cancelled my card and issued me with a new one straight away.
Well done to my bank (RBS), but it is a sad indictment of modern society that banks have to set up Call Centres specifically to handle Fraudulent transactions.
Malcolm A Otter
Complain about this post
Dear Newsnight
RE: Chip & Pin
Your programme was very interesting, but the banks/credit card companies are still not taking full responsibility for any type of fraud being committed or trying to investigate any such fraud.
I have had fraud against my credit card and in one transaction the fraudsters withdrew £7000, and the credit card company did not ever confirm/verify this transaction with me. Another transaction was carried out at a London Borough Council to pay bills - but the credit card company have refused to look into this, saying that since CHIP & PIN was used it is not their debt or responsibility. Even though the credit card company has categorically written to me saying that they are aware of the £7000 transaction and the company where it was carried out being fraudulent - they will not be investigating further. Not only that - they have advised me that a female rang up pretending to be the named card holder, changing the full account details twice within three days of each other - including change of address and a request for new cards and statements to these addresses. Their response to this change was simply that she answered all the security questions correctly - even though the account was under a male name rather than a female. I have approached many legal institutions, including the Financial Ombudsman and the Citizens Advice Bureau - but have not had much joy.
This fraud has caused my credit rating to plummet - which has resulted in my other credit cards cutting my credit limit drastically, and has also affected me getting a loan for home improvement.
If you have any further advice, it would be most appreciated.
All the Best
Khalid
Complain about this post
As it was myself who made all correspondence with Egg in this alleged fraud case I will put the case straight for them, as they have made another false statement - well, they have been shamed into answering their correspondence this time... The vital information they required was a general questionnaire that repeats the questions asked when the credit account was reported out of order. "VITAL" Egg were advised the form would not be returned due to the case being investigated. During this enquiry there were six letters sent to Egg by recorded delivery asking questions like why are you investigating the wrong card:
1. What was the number assigned to the Egg card that expired in January 2007?
2. A new card was issued in December. What was the number assigned to that card?
3. What date was the above replacement card sent out to me?
4. What was the expiry date for the above replacement card?
5. What date was the above card activated and by what means?
6. Another card was sent to me in March 2007. What was the card number?
7. What was the expiry date for the above replacement card?
8. What date was this Egg card activated and by what means?
Unfortunately they did not have the decency to answer or acknowledge any of these letters or questions.
The best they could do was write to the police and retract their security expert's witness statement. Oh, he was wrong, they were investigating the wrong card. With great help from Ross and his team the case was thrown out of court due to no evidence to offer.
Egg state: "at no point did we hold our customer liable".
Well, they still have about £800.00 of Jane's money and to date have made no attempt to return it. With them removing the money by direct debit after they were advised of the unauthorised action on the account, they must be holding their customer liable. Are they about to issue another retraction statement???
Dave Badger
Complain about this post
As most credit card fraud is carried out abroad, why do the card people not put a stop on all transactions overseas unless the holder advises them that they will be in a certain country on holiday, as I always do?
Complain about this post
I had my credit and bank cards stolen and fraudulently used in the early 1980's, so I sat down and invented a secure biometric system based on the detection and comparison of subcutaneous blood vessels to tie individuals to their cards and tokens in a very secure manner. This technology is now being applied worldwide by Hitachi and Fujitsu et al. to banking security... only goes to show one can be too early with an invention!
You can read all about it here
Wonder why it's not a British commercial success story... ahh, but that's another story!
Complain about this post
Banks seem to be very complacent about fraud. Whenever I've tried to report 'Phishing' attempts to the security section I am told - oh just delete it or ignore it and delete it! When I persist and ask where I can forward them I'm put on hold and eventually given the e-mail address.
Regards
Battling old wrinkly
Complain about this post
Re Chip and Pin.
I guess most card fraud is done by skimming the strip and capturing the PIN (through numerous means); a cloned card without a chip can then be used in ATMs, probably overseas. APACS even allow retailers to use card readers that read the strip and the chip together - because chips are unreliable. A tampered card reader of this type can then log all the strips and PINs to be used later in making cloned cards.
I told APACS this years ago. First they denied it could happen, then when I proved it could they ignored me.
To avoid this, get two cards and physically remove the magnetic strip and replace it with black tape. Write CHIP ONLY on the signature strip just to make sure no one uses it by signing. You can then use this in chip and PIN terminals without fear of getting the strip read.
Complain about this post
It looks like cash will be making a comeback? That is, if the banks haven't gone into liquidation writing off all their assets.
Complain about this post
POOR SUSAN WATTS
Chip and Pin fraud reduced to anglepoise and projector-beam farce.
What is the "value added" to a technical report, on a matter of gravity, when some frustrated "student of film" is let loose on the proceedings? Is everything showbiz now? Can we expect interments shot from below and gratuitous drunken sex recorded on "knickercam?"
Complain about this post
It is unfortunate that the larger companies refuse to take some form of action in protecting the PEDs. It is just this type of laissez-faire policy that has resulted in the distinct lack, or rather non-existence, of protection for individuals within cyberspace. They are not treating things like this as serious, and given that action is not being taken and it has been broadcast (as the cybercriminals will watch this programme too), they now know of the vulnerability and, thanks to the Cambridge report, know how to execute such an attack.
Cybercrime is not being given the attention it requires. It is treated as mundane. There are some 169 000 people working within the police force. Less than 1% of them know how to secure a cybercrime scene of crime. Less than half the police stations are capable of making use of the data gathered in the computers. That means there are around 800 effective police officers to deal with cybercrime, where there is a population of 28 million internet users.
The PED issue just adds to this, amongst many other things. Cybercriminals are not teenagers; they are indeed well educated people and are out to commit crime successfully. Barclaycard stated that there is no vulnerability, yet a person can call up Barclaycard pretending to be one of the top members and walk away with £10k. If that is possible, then surely making use of the flaw highlighted by Cambridge will be just as easy.
There is not enough being done. When people flag up issues and vulnerabilities, companies should move to correct them. There is still time to correct, but once it has been exploited it will be too late. History has shown this time without number.
More needs to be done to combat these crimes and protect the individual!
Complain about this post
In Britain Chip and Pin is not safe - why? It's about our irresponsible banks and their profit driven nature. In Europe Chip and Pin has been the norm for years (I had it 8 years ago in Germany) it is safe in Germany - this is because the kind of smart card (the proper name for the gold or silver chip) is properly encrypted.
The difference in cost between an encrypted card and an unencrypted one is about £1.50. It seems the banks are not prepared to foot the bill for £1.50 per card or ask us if we are prepared to pay it. It is far cheaper to shift the onus to the consumer to prove themselves innocent. It is shocking and frightening that the real costs of card cloning fraud are not exposed. My card was recently cloned, and yes, it was a petrol station. The bank clerk told me they had been overrun in our area when I reported it.
APACS are just covering up for the fact that when Chip and PIN was introduced it was a rush job done on the cheap, and that we - the consumers - would have to foot the bill for putting it right. The very idea that you can convince banks in Serbia or Albania to upgrade to chip and PIN is a nonsense and a red herring; the truth is we deserve to have properly protected - i.e. encrypted - bank cards. Anyone got £1.50?
How do I know this? I used to work for an IT security company closely involved with the use of smart cards for encryption.
Complain about this post
Regarding chip & Pin and in direct response to the comments of Mike Jacks, I hope I can clarify the uses of the chip & Pin (C&P) system and that of web transactions.
C&P is only used where the card holder is present and able to key the unique code onto the PED. Its use is therefore in stores and on automated terminals, such as those found on garage forecourts.
For internet transactions there are alternative security products, known as 3D Secure code (Verified by VISA and MasterCard Secure Code). This service allows the card holder to generate a password for input at point of sale within the web process if the seller is signed up to use it. With the exception of UK Maestro, the use of this service is voluntary and not all card issuers currently facilitate this capability.
It is not possible for the C&P code to be used within a web transaction. It is possible, however, for card details presented on the card to be used to fraudulently transact on the internet. Mikes experience could therefore be a physical card security breach somewhere between creation, distribution, receipt and storage.
I hope this infomration provides some comfort with the concerns of C&P.
Complain about this post
It is unfortunate that the larger companies refuse to take some form of action in protecting the PEDs. It is just this type of laissez-faire policy that has resulted in the distinct lack, or rather non-existence, of protection for individuals within cyberspace. They are not treating things like this as serious, and the fact that action is not being taken, and it has been broadcast (as the cybercriminals will watch this programme too), means they now know of the vulnerability and, thanks to the Cambridge report, know how to execute such an attack.
Cybercrime is not being given the attention it requires. It is treated as mundane. There are some 169,000 people working within the police force. Less than 1% of them know how to secure a cybercrime scene of crime. Less than half the police stations are capable of making use of the data gathered on the computers. That means there are around 800 effective police officers to deal with cybercrime, for a population of 28 million internet users.
The PED issue just adds to this, amongst many other things. Cybercriminals are not teenagers; they are indeed well-educated people and are out to commit crime successfully. Barclaycard stated that there is no vulnerability, yet a person can call up Barclaycard pretending to be one of the top members and walk away with £10k. If that is possible, then surely making use of the flaw highlighted by Cambridge will be just as easy.
There is not enough being done. When people flag up issues and vulnerabilities, companies should move to correct them. There is still time to correct this, but once it has been exploited it will be too late. History has shown this time without number.
More needs to be done to combat these crimes and protect the individual!
Complain about this post
My wife's Switch card has just (last week) been used in the USA, £800.00 in 72 hours from what is called a cloned card. We spotted this and then alerted the bank and asked them to block our cards. It also appears to be her old card, i.e. it was renewed last month; now we have destroyed the cards by cutting them up. We have been refunded by the bank but it is very worrying. Also it seems that there is no chip and pin in America; the bank have not been very forthcoming about what happened or why a UK card can be used without challenge in Walmart stores in America for a purchase of approx £662.00.
Complain about this post
the minkies may have got the last blog, so resending -
Dear Newsnight
I watched the Ralph Nader interview with interest, maybe a man after my own heart. To answer JP's question, perhaps Obama could make him his running mate? Or someone on the left could change their name to Archie Bunker and stand for the Presidency to split the Republican vote.
It will be interesting to see if the so-called disillusioned on the right with a 'liberal-' Liberal!! John McCain put someone up against him; if they don't it might suggest they feel they can pull his strings once he is in office?
Can I respectfully suggest to Newsnight that you might be too overtly concerned with breaking new stories rather than developing existing stories?
I feel tonight that you should have led with the powerful interview by Jacqui Long that brought out the appalling consequences of what has been happening in Jersey, rather than the chip and pin story,
a people-centred story rather than one concerned with money, which might be of concern to some groups in our community but perhaps not most of us?
Perhaps this story might have been shown on another night or on a personal finance programme?
best wishes
Bob
Complain about this post
chip & pin:
Very good report - finally someone is putting pressure on the banks, credit card companies and pin pad manufacturers.
All arguments that the attack is not feasible are wrong. With a little electronics engineering background and a bit more in the computing domain,
I can tell that the attack didn't look very sophisticated. Yes, one has to have the specialist knowledge, but it's not neurosurgery, i.e. there are plenty of people with a sufficient level of expertise.
What's more: to make it viable, fraudsters have to hire one person to do the initial research and implementation; the rest is mere replication. With stakes of £400m/year the feasibility argument is just false. With such payouts I could imagine whole factories producing spoofed pin pads just to be swapped for real ones at retail points.
I just wish Prof Anderson had suggested solution(s) to the problem: application of cryptography, a requirement (i.e. regulation) for the pin pads to identify themselves to banks in order to finalise the transaction, and having all transactions on-line. Yes, unfortunately a substantial number of card transactions are still off-line, i.e. a given retailer accumulates a batch of transactions and at the end of the day processes them. It can be seen on our bank statements, which very often show transactions with a delay of a couple of days. On-line, real-time card and card owner verification is doable with the present amount of technology modern societies have at their disposal. Also the whole area of trusted hardware and/or tamper-proof hardware, both of which have seen much research by industry and academia, comes to mind with regard to pin pads. As it seems from the report, pad manufacturers haven't been forced by any regulation to deliver fairly secure hardware.
Last comment: Cambridge researchers said that pin pad producers almost deliberately left holes in the circuit board, which helped to get hooked up to the pin pad. I don't think that is the case. Connecting elements on a circuit board is not an easy problem. Very often a given signal track has to be routed through the board to the other side or even inside the board, as those boards often have more than one layer. Such a manoeuvre is implemented by having a metallised hole going through the board and connecting the layers that ought to be connected.
Complain about this post
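The terminal-authentication idea in the comment above (pin pads that identify themselves to the bank, with every transaction authorised on-line), as an added example in Python that is not code from the page, from the Cambridge report, or from any bank or PED vendor: each PIN pad holds a key registered with the bank and MACs every authorisation request, so a swapped or spoofed pad, a tampered amount, or a replayed request is declined. The terminal registry, key, message fields and nonce check are assumptions constructed for the illustration; the card's own EMV cryptograms are not modelled.

```python
import hashlib
import hmac
import json
import secrets

# Added example, not code from the page or from any bank or PED vendor. The
# terminal registry, key, message fields and nonce handling are constructed for
# the illustration; EMV's card-side cryptograms are not modelled here.

# Constructed registry of PIN pads the bank will talk to: terminal id -> shared key
# provisioned at manufacture/installation. A pad absent from this table is refused.
TERMINAL_KEYS = {
    "PED-0001": bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"),
}

def canonical(body):
    """Deterministic encoding of the authorised fields, so both sides MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def terminal_sign(terminal_id, key, txn):
    """PIN pad side: wrap the transaction in an online authorisation request
    carrying the terminal id, a fresh nonce and an HMAC over all of it."""
    body = dict(txn, terminal_id=terminal_id, nonce=secrets.token_hex(8))
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

class Bank:
    """Bank side: every transaction is authorised online, and only after the
    pad has proved possession of its registered key."""

    def __init__(self, terminal_keys):
        self.terminal_keys = terminal_keys
        self.seen_nonces = set()   # a real system would bound this by a time window or counter

    def authorise(self, request):
        body, tag = request["body"], request["tag"]
        key = self.terminal_keys.get(body.get("terminal_id"))
        if key is None:
            return "DECLINE: unknown terminal"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "DECLINE: bad terminal MAC"   # spoofed pad, wrong key, or tampered fields
        if body["nonce"] in self.seen_nonces:
            return "DECLINE: replay"             # captured request submitted a second time
        self.seen_nonces.add(body["nonce"])
        return "APPROVE"

def run_scenarios():
    """Exercise a genuine pad, a replay, a spoofed pad, a tampered amount and an unregistered pad."""
    bank = Bank(TERMINAL_KEYS)
    txn = {"pan": "4111111111111111", "amount_pence": 1999, "currency": "GBP"}  # constructed
    genuine = terminal_sign("PED-0001", TERMINAL_KEYS["PED-0001"], txn)
    results = {"genuine": bank.authorise(genuine),
               "replay": bank.authorise(genuine)}
    spoofed = terminal_sign("PED-0001", b"key guessed by the fraudster", txn)
    results["spoofed_pad"] = bank.authorise(spoofed)
    tampered = terminal_sign("PED-0001", TERMINAL_KEYS["PED-0001"], txn)
    tampered["body"]["amount_pence"] = 199900     # changed after the pad computed the MAC
    results["tampered_amount"] = bank.authorise(tampered)
    unregistered = terminal_sign("PED-0002", TERMINAL_KEYS["PED-0001"], txn)
    results["unregistered_pad"] = bank.authorise(unregistered)
    return results

if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:16} -> {outcome}")
```

The check only establishes that a request came from a pad the bank has provisioned; it does nothing about a genuine pad that has been opened and tapped, which is the attack the report demonstrates. Pad attestation of this kind belongs alongside, not instead of, tamper-resistant hardware and the card's own cryptogram.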
I have had my credit card replaced twice in the last year following suspicious attempts to make withdrawals from it overseas. On each of these occasions I was contacted by the credit card company on my mobile to ask if I was overseas. As soon as I confirmed that I was still in the UK and that I had no knowledge of the transactions the company said they would cancel the card and send me a new replacement. The card in question is one that I use regularly to pay for items such as fuel, sometimes many miles from home and at all hours of the day and night, and so it is difficult to identify when and where it might have been compromised. Luckily for me so far the credit card company has acted promptly and in my favour but I wonder from the item on Newsnight whether this will always be the case?
Complain about this post
What makes the chip & PIN system even more suspicious is that whilst the banks have the ability to block all international transactions, allowing you to inform them if you would like the block lifted if you go abroad, all the banks refuse to adopt these measures, even if you have been a victim of fraud. This, together with the new rules meaning the police won't get involved whatsoever in reported card fraud, makes me think "other forces" are at work, and thus integrating a proportion of fraud into the system. Presumably so they can either make more profits selling us "additional security measures", tax breaks or in preparation for the court case regarding bank charges for overdrafts etc. I smell a rat...
Complain about this post
An additional weakness is that the PIN is held on a database by the credit card company and only protected by trust in ALL the employees of the company.
In addition one credit card company has sent me my PIN by post without my requesting it, "in case I had forgotten it".
Complain about this post
Outstanding Jeremy, particularly with Ralph Nader - obviously not used to being asked anything remotely taxing :-) - stating that Jeremy sounded like he was at the House of Commons. Ha ha ha ha - the US doesn't know what's about to hit its politicians. When's Obama/Hillary/John McCain going to be on???
On the chip and pin thing - of course there's going to be fraud! Since everything is on computer, how hard is it to be able to break the code and gain access to bank accounts? And why are "new" cards extra secure, yet customers not able to get the more secure version?
Complain about this post
Chip and PIN: Calculating the odds...
The PIN used is a 4-digit numeric, e.g. 1234.
This means that the odds of guessing the number (if, say, you simply found a card in the street) are 273:1.
So long odds, but no match for the lottery!
This alone is a defence for consumers. It is reasonable (particularly with multiple attempts) that the PIN *could* have been guessed. And if it *could* have been, then that is reasonable doubt.
The whole Chip and PIN idea is to move liability away from the merchants and on to the shoulders of the consumers.
Complain about this post
I was the victim of debit card fraud last August when I had my debit cards stolen from a locker whilst using a gym at a private hotel/leisure centre.
Within 25 minutes the thief had driven 4 miles to the local town and withdrawn £250 from an HSBC cash point, and then walked into NatWest and withdrawn £1800 over the counter, without having to provide any identity.
NatWest say that I must have been negligent and that I must have made the PIN number available to the thief. This is not the case, as I have never carried a PIN number in my life.
NatWest will not abide by the Banking Code, which states that they have to prove that I was negligent with my number. In fact they were the negligent party by giving such a large amount of cash over the counter with no proof of identity; this is totally unacceptable bearing in mind that you can't draw any more than £250 on a debit card from a cash point.
When I questioned the bank they said that they could give up to £5000 over the counter with no further identity......
NatWest can't even tell me the PIN number that was used..
I have been with the bank for 18 years with a perfect history.
I have never carried a pin number, it's an insult to my intelligence to claim that I can't remember a four digit number when I can even remember the 12 digit number on the front of the card without looking.
The Financial Ombudsman have been of no use having had knowledge of this case since October saying they are too busy to assign it to anyone yet.
Iain Richardson
Complain about this post
The banks' motive for foisting the broken Chip and PIN system on us was to offload the cost of fraud onto the customer who has to prove a negative - that he didn't shout out the PIN in his sleep or something.
Sandra Quinn from APACS gave the standard li(n)e that "the onus of proof is on the banks" but unfortunately JP didn't follow that up with the evidence that the banks consider that "onus of proof" totally discharged if they believe the PIN was used and they cannot publicly accept that there are ways that the PIN can be fraudulently discovered as was shown on your film.
As some of your other correspondents have said, the implementation of C&P was done in a rush and on the cheap, not even being as secure as on the continent.
A partial solution would be for the government to legislate to give genuine legal force to the "onus of proof" being on the banks as is the case in the US where - surprise surprise - Chip and PIN has not been introduced.
It is the case here with signatures, which is why getting a signature-style card in the UK is now almost impossible unless you can get your GP to lie and say you've got some disability.
Complain about this post
message for Ian...
Why don't you get the bank to look at CCTV for that day? If this person is stealing out of hotels then the chances are he will be on the books of the police database. Unless you had your PIN number with the details he stole, which you say you didn't, then it's possible you were targeted: someone could have shoulder-surfed you in a shop, then followed you to the hotel and waited till you were in the gym, broken into your locker and Bob's your uncle, as such..
Complain about this post
Dear newsnight,
Before we deal with card cloning - can you please fix your comment cloning issue on your website (many comments appeared multiple times).
Verified by Visa/MasterCard SecureCode (the online version of chip and pin) is indeed very insecure for the user and I have always refused to sign up. You only need to have a keylogger/virus program capture your card details and pin and you are in deep deep trouble (the bank will of course, as usual, say that they are not liable as YOUR Verified by Visa pin was used).
It looks like consumer remedy is dependent on the card issuer. Egg seemed to have a bad reputation here; Barclays seemed to do the right thing (albeit taking 3 weeks).
For others who comment, I would urge that the card issuer is named so that consumer power knows who to avoid!
Complain about this post
Part of the issue is the fixed nature of the PIN. As already stated, it creates a template that can be used for another transaction. It is possible to use a system to create One Time Passcodes, just like a PIN, which are different every time.
It's easier to remember, use and can be used both on line and on the high street. Major banks are looking at it right now, and the BBC knows about it too, after it featured in The Money Programme last November. It's called GrIDsure. Go to www.gridsure.com/slideshow to see how it works.
Complain about this post
Chip & Pin - My husband had his card cloned and they took £10,000.00. We did get the money back but it took a month. We phoned the bank to inform them of what was happening and they asked us to go into the bank, and money was being taken out of our account as we sat there in the bank, with both of our cards on the table. The people responsible for this were taking as much as £700.00 per day. Chip & Pin is not safe and now when using the card we are paranoid. Go back to signing, the sooner the better.
Complain about this post
Colin Shanley (#95) - wtf?
The number of combinations available in a four digit number is clearly not 273. Where did you get that from?
It is 10,000.
I suggest you count from 0000 to 9999 as penance.
Complain about this post
Once again Ross Anderson has got the BBC all excited. I don't know if he has a genuine concern over card security or is simply trying to justify his position as a professor at a world class university. If there was a real hole in Chip and PIN security, surely the boffins at Cambridge would have spotted it, and then the BBC could get really excited - Professor Ross Anderson has huge resources at hand, and hasn't yet cracked the system. He has found some vulnerabilities, but nothing the banks were not aware of.
In banking terms, card fraud is not huge. It is growing generally as a result of card issuer sloppiness and developing criminal abilities. As was pointed out last night (though not very well), the use of the iCVV would have prevented all mag stripe cloning attempts originating from the chip, and we would not be watching this on Newsnight. The issuers chose not to implement it and are now reaping what they previously sowed. Eventually, the card schemes stepped in and mandated the adoption of iCVV from 1st January 2008 - though they had given the issuers two years' notice.
DDA cards (one of the new technologies that was mentioned) have been available from day one, but cost twice as much as the more usual SDA cards. Considering that the crims would take a few years to catch up (which has been shown to be a true assessment), decisions were made to issue SDA in the first instance and follow up with DDA on re-issue. The banks' recent mistake was to wait too long to issue DDA cards (which are now much cheaper) because their security people and "bean counters" couldn't justify spending the extra money on fraud that wasn't yet evident. It's a bean counter thing! They call it cost / benefit analysis!
The banking industry has "chosen" not to adopt all of the anti-fraud measures that are available to them, because the cost does not necessarily justify the benefits. The issue here is that the banks should, when dealing with cardholder fraud, recognise their own limitations and give the benefit of the doubt (within reason) to the customer. This is where they are really failing.
My daughter was the obvious victim of card fraud a couple of weeks ago - the banks first response was that it was her fault, and she should go away. It was clearly fraud, but it took a phone call from me, with over 20 years of card experience, to get the money back.
Banking Code - what Banking Code?
Complain about this post
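The iCVV and SDA/DDA points in the comment above, as an added example in Python that is not code from the page, from any card scheme or from any issuer: a toy model in which the CVV held in the chip's track-2-equivalent data is derived with service code 999 instead of the stripe's own service code, so chip data copied onto a magnetic stripe fails the issuer's CVV check while a card without iCVV is a ready-made cloning template; and in which a copied SDA static signature still verifies at the terminal, whereas a DDA clone, which has the certificate but not the card's private key, cannot answer a fresh challenge. The keyed-hash CVV, the textbook RSA over Mersenne-prime keys, and the card data are constructed stand-ins for the real derivations.

```python
import hashlib
import hmac
import os

# Added example, not code from the page or any card scheme. Keys, card data and
# the CVV/RSA derivations are constructed toy stand-ins for illustration.

# ---- iCVV: chip data copied onto a mag stripe fails the issuer's CVV check ----

ISSUER_CVK = b"constructed-card-verification-key"   # issuer's CVV key (constructed)

def derive_cvv(cvk, pan, expiry, service_code):
    """Toy CVV: 3 digits from a keyed hash over PAN, expiry and service code
    (the real derivation is DES-based, but takes the same three fields)."""
    digest = hmac.new(cvk, f"{pan}|{expiry}|{service_code}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"

def issue_card(pan, expiry, service_code, use_icvv):
    """Return (mag stripe track, chip track-2-equivalent data) for a new card."""
    stripe = {"pan": pan, "expiry": expiry, "service_code": service_code,
              "cvv": derive_cvv(ISSUER_CVK, pan, expiry, service_code)}
    # With iCVV the chip's copy is derived with service code 999, so it can never
    # pass as a genuine stripe CVV; without iCVV the chip carries the stripe's own
    # CVV and anyone who reads the chip has everything needed to write a stripe.
    chip_sc = "999" if use_icvv else service_code
    chip = dict(stripe, cvv=derive_cvv(ISSUER_CVK, pan, expiry, chip_sc))
    return stripe, chip

def issuer_verify_stripe(track):
    """Issuer side of a swiped transaction: recompute the CVV from the track."""
    expected = derive_cvv(ISSUER_CVK, track["pan"], track["expiry"], track["service_code"])
    return hmac.compare_digest(expected, track["cvv"])

def clone_stripe_from_chip(chip):
    """Attacker read the chip's track-2-equivalent data and wrote it to a blank stripe."""
    return dict(chip)

# ---- SDA vs DDA: a copied static signature verifies, a clone cannot sign ----

def rsa_keypair(p, q, e=65537):
    """Textbook RSA over two known primes (toy size; never use for real keys)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def rsa_sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % n, d, n)

def rsa_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n

ISSUER_PUB, ISSUER_PRIV = rsa_keypair(2**127 - 1, 2**107 - 1)   # Mersenne primes

def make_sda_card(pan, expiry):
    """SDA: the issuer signs the static card data once; the card merely stores it."""
    static = f"{pan}|{expiry}".encode()
    return {"static": static, "ssad": rsa_sign(ISSUER_PRIV, static)}

def sda_terminal_verify(card):
    return rsa_verify(ISSUER_PUB, card["static"], card["ssad"])

def make_dda_card(pan, expiry):
    """DDA: the card has its own key pair, certified by the issuer; the private
    key never leaves the chip, modelled here as a closure the clone cannot copy."""
    pub, priv = rsa_keypair(2**89 - 1, 2**61 - 1)
    static = f"{pan}|{expiry}".encode()
    cert = rsa_sign(ISSUER_PRIV, static + repr(pub).encode())
    return {"static": static, "pub": pub, "cert": cert,
            "sign": lambda challenge: rsa_sign(priv, challenge)}

def dda_terminal_verify(card, challenge=None):
    challenge = challenge if challenge is not None else os.urandom(8)   # fresh per transaction
    if not rsa_verify(ISSUER_PUB, card["static"] + repr(card["pub"]).encode(), card["cert"]):
        return False                     # certificate does not chain to the issuer
    return rsa_verify(card["pub"], challenge, card["sign"](challenge))

def clone_dda_card(card):
    """Everything readable from the genuine card, but no private key: the best a
    clone can do is replay a signature recorded over some earlier challenge."""
    recorded = card["sign"](b"challenge seen at an earlier terminal")
    return {"static": card["static"], "pub": card["pub"], "cert": card["cert"],
            "sign": lambda challenge: recorded}

if __name__ == "__main__":
    pan, expiry = "4111111111111111", "0912"                 # constructed test card
    for icvv in (False, True):
        stripe, chip = issue_card(pan, expiry, "201", icvv)
        print(f"iCVV={icvv}: genuine swipe {issuer_verify_stripe(stripe)},"
              f" chip-data clone {issuer_verify_stripe(clone_stripe_from_chip(chip))}")
    sda = make_sda_card(pan, expiry)
    print("SDA clone passes:", sda_terminal_verify(dict(sda)))
    dda = make_dda_card(pan, expiry)
    print("DDA genuine:", dda_terminal_verify(dda), " DDA clone:", dda_terminal_verify(clone_dda_card(dda)))
```

Note what each measure does and does not cover: iCVV only stops chip data being replayed as a stripe, not a stripe skimmed from the stripe itself; DDA only stops a copied card passing offline data authentication, not a tapped pad recording the PIN and track data in the first place.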
RALPH NADER: PAXMAN BIAS
Jeremy, you're so biased in that place you don't even seem aware of it. There you go saying to Ralph Nader that his candidacy prevented Al Gore, the man who won the Nobel Peace Prize for his campaigning on global warming, as opposed to George Bush, the man who wouldn't even sign the Kyoto agreement.
"Global warming" is unproven, Jeremy. The trouble is the BBC has spent so much money and time trying to persuade us it does exist that it's hardly going to allow any room for doubt.
Never mind that Al Gore's silly film was criticised by a High Court judge recently for gaping scientific inaccuracy. Never mind Channel 4's The Great Global Warming Swindle. Never mind the US National Climatic Data Center's latest data, which says the earth is now cooler than at any time since 1982.
Jeremy and the BBC are so blind to their anti-Bush prejudices, they just act like global warming is a fact. Why isn't Susan Watts doing reports on the US National Climatic Data Center's latest data? North America's huge snowfall this winter, Susan? Are you awake? The allegedly lost ice has returned... on and on it goes.
This data is on the web and freely available, so why does Jeremy decry such things when the facts don't support him?
Does anyone in the Newsnight office question the pathetic prejudices of the presenters?
Complain about this post
I have recently been the subject of card fraud. I subscribe to on-line banking and check my accounts frequently. 2 weeks ago I discovered that one of my bank accounts was in the red by nearly £1000. I don't do red and never go overdrawn, and upon investigation I found that there were 15 transactions of various amounts, all for the same retailer.
I expected a long drawn out fight to get my money back, but no, my bank has set up a complete call centre to handle fraud situations and I was surprised to be shepherded through a very simple procedure, and within 48 hours of signing a form declaring that the transactions were not mine, I had all of the money credited back to my account. I was also advised to check my statements very carefully and let them know of any charges as a result of this fraud, and these would also be reversed. The bank also cancelled my card and issued me with a new one straight away.
Well done to my bank (RBS), but it is a sad indictment of modern society that banks have to set up Call Centres specifically to handle Fraudulent transactions.
Malcolm A Otter
Complain about this post
It appears from the number of duplicated, triplicated etc.etc. blogs that your server was playing up yesterday.
I tried a number of times to no effect with the infamous 502 message.
Anyway it appears that Newsnight has uncovered a major problem which makes a nonsense of the lady who was trying to convince us that cards are safe. Are they "eck" as we say up't North.
Perhaps this problem needs a revisit. As one "blogger" states, technology can get around any security system, for why does my computer need regular updates on its spyware and security?
Complain about this post
I've been the victim of chip and pin fraud and Visa's response has been to say I am liable effectively by asserting their own systems are secure. They say that I must have been negligent because the card and the PIN number were used together! This despite the fact that the card did not leave my possession and I can demonstrate that I was in the city where the fraud took place that day. I'm disputing this with Visa and will certainly use the argument that the Banking Code puts the burden of proof on them to show I was negligent.
Complain about this post
I watched the programme and have just seen the amount of response in your comments area alone. It is quite an emotive subject, as so many innocent people are being targeted, and no-one cares enough to introduce a better system that we can trust and feel safer with. I looked at my on-line card this morning and found someone from Italy (Rome) purchased a railway ticket for over £206 on 23 Feb, whilst I was at home watching the rugby in the UK. I am quite good security-wise: I never use my card abroad and try to ensure no-one else handles or sees my card details. I very rarely use the card with my PIN, and was told my PIN was used, and therefore there are only one or two areas where I have needed the PIN details in the last 6 to 8 months, and I believe I have never left my card unguarded. Also the card is relatively new (Jul 07), so I suspect that someone within the card organisation has passed the details on to others! No proof but I am suspicious! It seems that the majority of these offences happen in Italy or India or abroad. Therefore I would like card companies to say to cardholders: tell us when you are going abroad (and to what location) and wish to use your cards, and we will authorise access facilities abroad for that period only; if your card is used abroad outside this time-frame then it will be rejected. It might then cut back on the number of attempted fraud cases. It is an option, and I appreciate it makes life slightly difficult, but it will be worth it in the long term.
Complain about this post
My late father's debit card was cloned and money withdrawn in Pakistan amongst other places in October 2006. Fortunately we all bank with HSBC who monitor card use and notified him within days, and issued a new card. They subsequently refunded the money.
It appeared that many cards had been cloned via a local garage. Customers of other banks had a much more difficult time, as accounts were drained before they noticed and banks were difficult about accepting that these were fraudulent transactions. This was reported in the local paper.
HSBC are very vigilant and other members of the family have been contacted just to check unusual transactions abroad.
I have noticed reports of similar incidents across the country with no indication that anyone was acknowledging that it was a national problem - possibly organised to fund terrorism.
I have been told by IT specialists working in the field of banking that there is not a cost effective alternative to banks bearing the cost of fraud.
Complain about this post
While on honeymoon last year, my credit card was used for over £3000 worth of purchases and cash withdrawals. Not bad considering I had my credit card with me on the other side of the world.
I only discovered the fraud because I rang to query why I hadn't received a statement and the lady on the other end of the phone kindly informed me I was over my limit.
When I logged onto my on-line account, I could see why. Someone had bought several things from PC World, enjoyed meals in top restaurants and withdrawn large amounts of cash. Obviously, chip and pin is required for all these transactions.
Apparently, the address had been changed on my account to somewhere in the south of the country and a new card and PIN issued direct to there.
The card company did credit all the fraudulent transactions but I am very wary now. I check my online transactions every day and if my statement is late, I get worried.
Complain about this post
I wish to back Alan Richardson's comments up, but it is worse than he says. Tesco and B&Q want to put your card into a reader connected to their till and have you enter your PIN in a box that has a wire that goes to your card via the till. This means that your PIN goes through the till and can be read by rogue software in the till.
This is why I refuse to shop at Tesco -- I do not consider it safe to do so.
Complain about this post