to help enterprise security across Europe
The resource centre for busy senior executives seeking the latest insights into IT Compliance & Privacy issues for major organizations
 
sarbaines oxley ofcom communications regulator
Latest Resources      data protection register
compliance resources privacy resource center

Breaking Global News
Global Compliance and Privacy News
- Breaking News, updated every 30 minutes
•   Compliance, Privacy and Security
•  Money Laundering
•  Phishing
•  Regulatory Issues
•  SOX, Basel 2, MiFID


You Tell Us:
S
S
L

T
E
C
H
N
O
L
O
G
Y
We use SSL Technology for web data entry points:

Always
Sometimes
Never
What is SSL?

News
Are Smartphones Endangering Security? - Wick Hill
Dealing with Internet Security Threats - Ian Kilpatrick
How the New EU Rules on Data Export Affect Companies in and Outside the EU - Thomas Helbing
Farmers' Data Leak Highlights Old Technology Use - Wick Hill
Saving Money with SFTP - Wick Hill
UK Information Commissioner targets firm selling vetting data - Eversheds e80
12 Key Steps to Internet Security - Wick Hill
Telephone Monitoring Legality in the UK - Dechert
Firewall or UTM - Wick Hill
UK Information Commissioner demands mobile device encryption - Eversheds e80
Data loss - liability, reputation and mitigation of risk - Eversheds e80
Phorm, Webwise and OIX - BCS Security Forum
The challenges of PCI DSS compliance - Thales, Russell Fewing
"Quality" Data Vendor Spams us! Editor astounded!
National Gateway Security Survey 2008 - Wick Hill
Unified Threat Management - Watchguard Technologies

news archives
:
0 | 1 | 2 | 3 | 4 | 5 |
6 | 7 | 8 | 9 | 10 | 11 |
12 | 13
[What is this?]

Industry Blogs
Tim Berners Lee's Blog
Tim Callan's SSL Blog
Davis Wright Tremaine's Privacy & Security Law Blog
Emergent Chaos Blog
Michael Farnum's Blog
Phillip Hallam-Baker's Blog - The dotFuture Manifesto: Internet Crime, Web Services, Philosophy
Stuart King's Security and Risk Management Blog
David Lacey's IT Security Blog
Metasploit Official Blog
Jeff Pettorino's Security Convergence Blog
Jeff Richards's Demand Insights Blog
David Rowe's Risk ManagementBlog
Bruce Schneier's Security Blog
Larry Seltzer's Security Weblog
Mike Spinney's Private Communications Blog
Richard Steinnon's Threat Chaos Blog
The TechWeb Blog
Tim Trent's Marketing by Permission Blog
Rebecca Wong 's DP Thinker Blog

Newsletters
23 February Newsletter
Newsletter Archives are located in "News"

Industry Update
Internet Security Intelligence Briefing - November 2005
Find out the latest trends in e-commerce, web usage & the latest threats from adware/Spyware

Reports
Phorm, Webwise and OIX
- BCS Security Forum

'The Any Era has Arrived, and Everyione has Noticed' - Stratton Sclavos - VeriSign
Identity Security - Time to Share
Malicious code threats - iDefense
Public Alerts - updated as they happen from Stopbadware.org
Public Alerts - updated as they happen from Websense
Public Advisories - updated as they happen, from iDefense
Phoraging - Privacy invasion through the Semantic web: a special report by Mike Davies of VeriSign

Legislation
Privacy Laws & Business International E-news, Issue 57
Privacy Laws & Business UNited Kingdom E-news, Issue 60

Security Reviews
February 2007 - VeriSign Security Review
The security review archive is here

Case Studies
Finance Industry
Case Study Example

A case study on a Finance industry company.

White Papers
VeriSign® Intelligent Infrastructure for the 21st Century
VeriSign® Intelligent Infrastructure for Security
VeriSign® Intelligent Infrastructure: An Overview
Identity Protection Fraud Detection Service - description of the service
Life of a Threat - Video on Threat Management Lifecycle
Optimizing Enterprise Information Security Compliance - Dealing with all the audits
For a full list of all whitepapers, visit our Whitepaper library

Legal Notices
Privacy Policy
Terms of use

basel 2 sarbanes oxley
    legislation
data controller notification binding corporate rules BCR data transfer third countries third part data transfer basel 2 regualtor regulation regulate FSA banking network security RSA encryptin algorithm Bits sacked bank staff
Blogs compliance Reports compliancy Legislation Data Protection Case Studies data privacy White Papers data protection act News information commissioner Events security standards Links information security iDefense
Retail Solutions

Skimmers Put Chip and PIN at Risk

compliance and privacy

Current News Updates

Whither Chip and PIN?

It can't just be Shell and its UK filling stations that makes us doubt Chip and PIN, but Shell slamming its Chip and PIN equipment shut last week certainly pours a whole lot of cold water on the technology, brought in with such a fanfare in February 2006.

Before the Chip and PIN Day we had our doubts, but oddly they were not about the technology presenting attack vulnerabilities. Instead we were worried about the things ordinary people worry about:

  • What if I forget my PIN?
  • Why do I need to remember yet another number?
  • Why is this better than a signature?
  • How do I stop people looking over my shoulder wherever I use the card? I can do it at an ATM, but at the supermarket, in the newsagent, at the dentist, that is just plain impossible
  • What if I lose my card? I now need two separate letters, one with a card and the other with a PIN before I can fill my car with petrol!

Which brings us back to Shell

As we see from CRN and other media, Shell had to withdraw Chip and PIN from all its filling stations:

The move came after fraudsters stole more than £1m from customers' bank accounts by implanting skimming devices into the chip and PIN readers at three Shell stations. The fraudsters used the data gathered to clone hundreds of customers' cards for use in transactions where PINs are not required. Police said eight people have been arrested in connection with the fraud, and there is a suspicion of insider involvement.

“Shell should never have allowed anyone near that equipment” is a common statement from the man on the London Underground. But he's wrong. Equipment has to be used and it has to be maintained.

When an engineer arrives to service your equipment, presents you with an ID that looks real, and asks for a cup of tea, do you let them at the equipment? Of course you do, especially if you're a cashier in a filling station. That job is lonely, despite hordes of customers passing through.

You could argue that Shell should have a process for validating engineer visits. Probably it will now, but it didn't, and it probably didn't have a reasonable expectation that it needed one.

Gamekeepers and Poachers

There are two views in the industry at present:

“The fact that the first breach has occurred so soon after the full implementation in February, shows just how determined and sophisticated today's fraudsters are,” Andrew Moloney, senior product manager at RSA Security's consumer solutions division, said. “ Research report after research report confirms a growing lack of consumer confidence in banking online, and the impact of further breaches affecting a mainstream payment system like chip and PIN could be devastating.

Set that against Sandra Quinn of the Association of Payment Clearing Services (Apacs), who says “ This isn't a chip and PIN fraud. It's not broken chip and PIN technology in any shape or form, ” She added that there is an issue with the manufacturer of the PIN pad, which Apacs is following up. “ These devices are supposed to be tamper-proof, so it should have shut down [once the skimmer device was installed], ” she said. “ We need to find out why that didn't happen.

Perception is Reality

Ask the Man on the London Underground if Chip and PIN is safe, now. Show him the Shell facts, pure and simple, and ask him if he trusts the technology.

It is probably reasonably technically safe, but he perceives his signature as his security, not a random 4 digit number. He already feels affronted that he has to remember a number, and feels less secure because of it.

He truly does not care whether Chip and PIN failed technically or not, because he sees that the system of which Chip and PIN is a part is vulnerable.

Afterthought

Since skimmers can also monitor and record PIN entry, how confident can we be that the Shell incident wasn't just a dummy run before cloning cards with chips than lead to valid PINS? This skimmer seems to have been low tech. It may even have just grabbed the magnetic stripe on the card, not the chip contents. But oranised crime has huge R&D resources.

See also:



This site is sponsored by VeriSign – world leaders in Managed Security Solutions.
The contents of the site, however, do not necessarily reflect the views of VeriSign. Much of the content is independently authored.