Life, Photography, and Security

Random thoughts that have crossed my mind


2006-05-17

“Would you like some fish with that Chip & PIN?”

It is with a small amount of thrill that I have followed recent news about “chip and pin fraud”. Users of new chip and pin debit cards have experienced the rather unpleasant surprise of having their allegedly secure card cloned and promptly misused abroad.

First of all, my sincere sympathy to anyone hit. I know what it feels like, as I had to change my credit card after fraudsters ran up a significant bill in just a few hours on my old one.

Another thing which should be made clear right now is that there is nothing fundamentally wrong with the chip and pin technology itself. It is still a reasonable substitute for the old magstripe and signature system. So what is wrong, then?

Time after time, I emphasize that one of the typical causes of security failures is change. This is exactly what has happened here. In the original magstripe system, the pin code was used quite rarely and even then in “trusted” environments—such as ATMs. Some fraudsters were able to use high-tech gear to copy both pins and the magstripes, but this was rare. So rare that the losses were acceptable. But even then, it took years of suffering customers before banks even admitted the problem existed. So what changed?

With the chip and pin system, the already dubious concept of “trusted terminal” is outright foolish. Banks still claim “tamper proofness” and other silly stuff, but the fact is that there are too many terminals around to properly secure them. Every bar, gas station, diner, laundry shop, tailor, etc. will eventually have a terminal. Put it another way—there will be many untrustworthy terminals.

During the transition period from magstripe to chip and pin, cards will have to carry both systems. The US inability to convert rapidly to chip and pin extends this transition period further. The problem is that the pin code for the magstripe just must not fall into the wrong hands. Together with the magstripe, it’s just begging to be abused.

The banks were faced with a tough choice. Either have customers remember two pins, or use the same pin for both magstripe and the chip. With one pin, card cloning was inevitable. The banks weighed the pros and cons and decided to go for a single pin.

The banks made a deliberate choice to temporarily risk the cloning of magstripe cards, hoping that the losses could be silently covered. Their gamble has backfired, and now they are facing a real PR nightmare. Customers are losing confidence in the chip and pin system, even though the real problem is with the magstripe system.

If magstripe fraud continues to rise, banks are faced with only two alternatives. Either they have to issue cards with two separate pins, or they have to remove the magstripe.

Some day, I may just dig into the bad implementation of wireless chip and pin readers. But that’s another story.
