Monday, May 08, 2006

£1m Chip and PIN fraud discovered

As expected and predicted before the introduction of Chip and Pin, customers would be lulled into a false sense of security and be quite happy punching in their PIN number anywhere when requested. This is just what happened at Shell stations throughout the country!

Criminals posing as technicians are thought to have hidden devices that captured bank details and personal identification numbers (pins) in till terminals.

The customer hands over their card and it is swiped to obtain a copy of the magnetic data and then the customer is requested to enter their PIN. Once a new card has been created it may be used at any cash machine in the country - this should enable the criminals to obtain perhaps £500 a day from each card!

Cash machines can read either the Chip or the magnetic strip, but since many cards - mainly overseas cards - do not have a chip, they must be able to 'fall back' onto reading the strip.

My advice, only enter your PIN when your card has been inserted into a Chip reader, not when swiped by the cashier - or taken out of view.

1 comment:

Steven J. Murdoch said...

Actually the situation is a little more problematic than that.

Firstly the readers used in Shell have an integrated magstripe and chip reader; they cannot read one without also the other.

Secondly, it is possible to recreate the magstripe data from what is stored on the chip. That was the basis of this demonstration.

Expect a post on Light Blue Touchpaper soon.