Whither Chip and PIN?
It can't just be Shell and its UK filling stations that makes us doubt Chip and PIN, but Shell slamming its Chip and PIN equipment shut last week certainly pours a whole lot of cold water on the technology, brought in with such a fanfare in February 2006.
Before the Chip and PIN Day we had our doubts, but oddly they were not about the technology presenting attack vulnerabilities. Instead we were worried about the things ordinary people worry about:
- What if I forget my PIN?
- Why do I need to remember yet another number?
- Why is this better than a signature?
- How do I stop people looking over my shoulder wherever I use the card? I can do it at an ATM, but at the supermarket, in the newsagent, at the dentist, that is just plain impossible
- What if I lose my card? I now need two separate letters, one with a card and the other with a PIN before I can fill my car with petrol!
Which brings us back to Shell
As we see from CRN and other media, Shell had to withdraw Chip and PIN from all its filling stations:
The move came after fraudsters stole more than £1m from customers' bank accounts by implanting skimming devices into the chip and PIN readers at three Shell stations. The fraudsters used the data gathered to clone hundreds of customers' cards for use in transactions where PINs are not required. Police said eight people have been arrested in connection with the fraud, and there is a suspicion of insider involvement.
“Shell should never have allowed anyone near that equipment” is a common statement from the man on the London Underground. But he's wrong. Equipment has to be used and it has to be maintained.
When an engineer arrives to service your equipment, presents you with an ID that looks real, and asks for a cup of tea, do you let them at the equipment? Of course you do, especially if you're a cashier in a filling station. That job is lonely, despite hordes of customers passing through.
You could argue that Shell should have a process for validating engineer visits. Probably it will now, but it didn't, and it probably didn't have a reasonable expectation that it needed one.
Gamekeepers and Poachers
There are two views in the industry at present:
“The fact that the first breach has occurred so soon after the full implementation in February, shows just how determined and sophisticated today's fraudsters are,” Andrew Moloney, senior product manager at RSA Security's consumer solutions division, said. “ Research report after research report confirms a growing lack of consumer confidence in banking online, and the impact of further breaches affecting a mainstream payment system like chip and PIN could be devastating. ”
Set that against Sandra Quinn of the Association of Payment Clearing Services (Apacs), who says “ This isn't a chip and PIN fraud. It's not broken chip and PIN technology in any shape or form, ” She added that there is an issue with the manufacturer of the PIN pad, which Apacs is following up. “ These devices are supposed to be tamper-proof, so it should have shut down [once the skimmer device was installed], ” she said. “ We need to find out why that didn't happen. ”
Perception is Reality
Ask the Man on the London Underground if Chip and PIN is safe, now. Show him the Shell facts, pure and simple, and ask him if he trusts the technology.
It is probably reasonably technically safe, but he perceives his signature as his security, not a random 4 digit number. He already feels affronted that he has to remember a number, and feels less secure because of it.
He truly does not care whether Chip and PIN failed technically or not, because he sees that the system of which Chip and PIN is a part is vulnerable.
Since skimmers can also monitor and record PIN entry, how confident can we be that the Shell incident wasn't just a dummy run before cloning cards with chips than lead to valid PINS? This skimmer seems to have been low tech. It may even have just grabbed the magnetic stripe on the card, not the chip contents. But oranised crime has huge R&D resources.