Tuesday, February 06, 2007
“Chip & Spin” could mean your bank can easily defraud you
A fraudster sets up a fake terminal in a busy shop or restaurant. When a genuine customer inserts their card into this terminal, the fraudster’s accomplice, in another shop, inserts their counterfeit card into the merchant’s terminal. The fake terminal reads details from the genuine card, and relays them to the counterfeit card, so that it will be accepted. The PIN is recorded by the fake terminal and sent to the accomplice for them to enter, and they can then walk off with the goods. To the victim, everything was normal, but when their statement arrives, they will find that they have been defrauded.
The important point here is that banks have previously claimed that if a fraudulent Chip & PIN transaction was placed, then the customer must have been negligent in protecting their card and PIN, and so must be liable. This work shows that despite customers taking all due care in using their card, they can still be the victim of fraud.
Details online here and it looks relatively easy to do. A child really good at electronics could probably set this up.
[Note: The (UK) Theft Act can give long prison sentences to those who "fraudulently seek to deprive". As of now "Chip & Spin" is by now well enough known in bank security circles. It is thus fraudulent for banks to claim that credit card pin codes are secure and thus blame customers for all breaches in (chip & pin) security. For legal reasons no threat or implied threat is best made to banks on this basis but ultimate blame is clearly squarely with the banks at this time. "Chip & Spin" is certainly only one of many such techniques and is relatively easy at this time. The problem does not seem to have arisen in the same way with non "chip and pin" cards and it could be said that the chief advantage of "chip & pin" to banks is for banks to take advantage of a (faulty) loophole they did not have before. Take knowledgeable legal advice if you have to.]
The important point here is that banks have previously claimed that if a fraudulent Chip & PIN transaction was placed, then the customer must have been negligent in protecting their card and PIN, and so must be liable. This work shows that despite customers taking all due care in using their card, they can still be the victim of fraud.
Details online here and it looks relatively easy to do. A child really good at electronics could probably set this up.
[Note: The (UK) Theft Act can give long prison sentences to those who "fraudulently seek to deprive". As of now "Chip & Spin" is by now well enough known in bank security circles. It is thus fraudulent for banks to claim that credit card pin codes are secure and thus blame customers for all breaches in (chip & pin) security. For legal reasons no threat or implied threat is best made to banks on this basis but ultimate blame is clearly squarely with the banks at this time. "Chip & Spin" is certainly only one of many such techniques and is relatively easy at this time. The problem does not seem to have arisen in the same way with non "chip and pin" cards and it could be said that the chief advantage of "chip & pin" to banks is for banks to take advantage of a (faulty) loophole they did not have before. Take knowledgeable legal advice if you have to.]
# posted by uv : 9:01 AM
Subscribe to Posts [Atom]
