Analysis: The rise (and fall) of Chip and PIN
IT PRO traces the history of Chip and PIN in the UK and how criminals have began to target its weaknesses to commit fraud.
It's already difficult to imagine Britain without Chip and PIN. It is difficult to believe that before 2006 we actually lived in a time where it was common for us to hand over a card to a retailer, let them take it away from us for processing, and where security was based on whether somebody thought your signature matched.
Chip and PIN replaced this manual process, and as a security counter-measure it usually works. However, it is not flawless, and it has been reported that several law enforcement bodies are conducting detailed investigations into its weaknesses.
It all started so well. Back in late 2006 we were there to see Chip and PIN mark its official six month birthday, and it was trumpeted as a massive success. It was responsible for a 60 million reduction in fraud in 2005, but the warning signs were already there in the form of a 21 per cent increase in cardholder not present (CNP) fraud.
We were also there to cover Chip and PIN's first birthday at the beginning of 2007. By this time all credit and debit cards in the UK had been replaced with Chip and PIN-capable ones, but again joy was tempered as security experts claimed fraudsters were simply moving to other ways to defraud account holders. This meant more sophisticated ways for hackers to break in, such as targeting back-end systems, as well as more CNP fraud.
The same month IT PRO saw the first example of hacking Chip and PIN terminals directly, thanks to researchers from Cambridge University.
First of all they managed to configure a Chip and PIN terminal to play Tetris, but more seriously they could sabotage a reader to commit fraud.
One of the biggest criticisms of Chip and PIN is that it shifts responsibility for fraud to the victim rather than the retailer, making it harder for innocent cardholders to avoid losing money.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
The Cambridge researchers this year discovered that it was possible to hack Chip and PIN terminals, obtain PINs and collect credit and debit card details. The research paper claimed that all you needed to tamper with readers was "a bent paperclip, a needle, a short length of wire and some creative thinking."
But whatever the case it is impossible to argue that Chip and PIN is not a better system than the one it replaced.
In March APACS claimed card fraud losses decreased two years in a row, while card fraud abroad in countries that do not use Chip and PIN had increased by a massive 70 per cent.
The current problems are largely to do with the fact that criminals are cloning cards and using them in places where Chip and PIN has not be implemented, rather than actually exploiting Chip and PIN technology flaws on home soil. However, it is disturbing to know that there are now factories out there which have the equipment to hack Chip and PIN cards and create counterfeits.
Banks have to acknowledge that there are so many ways PIN numbers can be acquired that fault can no longer be blamed wholesale on victims being careless with their PIN numbers.