Emergent Chaos, and Chip & Spin

Emergent Chaos – a weblog on “security, privacy, and economics” (via risks). To pick but three consecutive good examples: Equifax CEO says identify theft is epidemic, fingerprint privacy is rubbish (as any fule kno), and the UK government does plan to sell your ID card information. One to watch.

Another one to watch, though less frequent, is Ross Anderson at Cambridge. In particular, check out Chip & Spin to find out why Chip & Pin is increasing fraud, not decreasing it.

On subject of which… Bash & I went out for dinner last night, and we noticed they were taking card payments using a wireless terminal. So out came my Palm Tungsten, and up was fired wiffi, which duly reported no 802.11 signal in the area. “In that case, ” asked Bash, “what’s the terminal doing?”. Answer at Chip & Spin, although you can guess a lot of it.. Obviously without a network connection, it wasn’tt performing any online back-end checks that, for example, I had enough money in my account to cover the bill. So it’s basically the card authenticating itself to the terminal, and authenticating me via the PIN I entered. But what suprised her most was this: if the chip happens to be broken (eg fried), the system should fall back to magstripe – which this particular terminal happened not to support. So what happens then? Answer: no authentication whatsoever. Zero. Nada.

Go read the paper. Seriously. It’s great.

4 Responses to “Emergent Chaos, and Chip & Spin”

  1. June 29th, 2005 | 9:37 pm

    It’s amazing how many people have little concept of the need to hide their PIN number and not tell people what it is. Where i work, customers regulary tell me what their PIN when it’s time for them to punch it in. Most customers also type in the numbers rather obviously, and sometimes mouth the numbers to themselves aswell. The main idea of Chip and Spin was supposedly to reduce card fraud, but in reality its there to place the blame on the retailer should any fraud incidents happen with a given customers card.

    The magstripe system should have been abolished in May, but theres still plenty of retailers who haven’t even bothered with PIN terminals yet – Morrisons petrol station for example.

    In the event of chip failiure, then the retailer is meant to use the manual rekey method, rather like when you purchase something online.

    One last thing – the wireless temrinal might have been (long range) bluetooth powered, as thats what we use sometimes, and McDonalds Drive throughs do as well IIRC.

  2. July 2nd, 2005 | 12:31 pm

    There is rather more to “wireless” than WiFi and Bluetooth, hell the French were using wireless pin thingies years before either were common place.
    Whilst Chip & Pin isn’t going to solve the problem its better than the previous system, as it moves the burden of checking away from the underpaid person manning the till, which can only be a good thing.
    Oh.. If you want an good example of something that makes fraud easy just go visit your local Tesco with self service checkouts.. You don’t have to enter a pin, or sign anything.

  3. July 2nd, 2005 | 11:50 pm

    True there’s more to the wireless world than 802.11 and Bluetooth, but these terminals are new since the last time I went to this restaurant so I don’t see it being Old French Techology – Bluetooth, perhaps. But hey, yeah, maybe I was wrong, maybe it really was authenticating me. *shrug*

    I’m not sure I agree on the “can only be a good thing” part, however… It’s true that chip &amp pin presents an opportunity for improvement over signature checking, but there are two problems here. One is that because it is supposedly so much better, the burden of taking responsibility for the fraud moves from the bank onto the customer or retailer – either of which is bad news for the customer. That would be fine if the technology was flawless and fraud-proof (which the banks say it is), but it clearly isn’t. The risk here is in blindly accepting that a technologically more sophisticated solution is a better one…

    Finally yeah, I agree, the Tesco self-service is a joke, and virtually impossible to use in my experience… :-)

  4. July 3rd, 2005 | 11:33 pm

    Tescos apparently do have security checks in place for the self service system, though they are decidedly questionable. It’s happened twice to me now: My VISA card gets declined (plenty of money in account) and along trots the self service attendant who takes you to their control station (which is a screen divided into the statuses of up to 4 checkouts) and recalls the transation which they previously ‘parked’ on the system. You then have to sign manually for the transaction, which always goes through OK. The attendant’s excuse for this is that they are security checks and happen to one in every 30 users of the system – supposedly to make sure that the person using the card is actually the card holder.