
My views on Chip and Pin

“The new secure way to pay by card” is, I think, how it was advertised in the early days.


The basic idea is that you have data stored on a SIM-card-like chip that probably holds around 64k of data. You can purchase readers for this type of card on eBay, and software to read them is easy to come by online. The problem here is that the pin code for the card is stored on the chip with roughly 256-bit encryption. So if someone copies your card they have until the card expires to crack the code, which probably uses the same cipher for all cards, as every cash machine and chip and pin device needs to be able to read the chip.

Now, after reading a copy of the chip and cracking the encryption to get the pin code, it can be copied back to an expired card ready to be used. It can even be copied to a blank smartcard, as you are now asked to insert and remove the card yourself; the till operator sometimes does not even see the card. Self checkouts at supermarkets are also becoming widely used, where there is nobody to fool, just the machine. Any transaction made this way will be verified with your pin, which only you should know according to every card issuer’s terms and conditions, and the bank will not accept responsibility for the fraud as they believe chip and pin to be secure.

Around the time chip and pin was released (DATE -14 Feb?) the 3 magic digits, or card identifying digits, appeared on the back of cards to allow you to use your card online securely. My issue with this is that these 3 digits are on the back of the card, plain for everyone to see, so if your card is stolen, or even if someone memorises or takes a picture of your card, they can use your card online. Also, to make a card payment over the phone to book tickets etc. you need to read the 3 magic digits to the operator at the other end of the phone to verify the transaction. 99% of these operators will be honest, law-abiding folk working in companies with stringent data confidentiality safeguards (i.e. if they write your card details down it is shredded, not left on their desk for anyone to see or pick up), but some won’t be. This is probably one of the many reasons that card issuers will generally accept responsibility for this type of fraud. However, that does not stop the inconvenience of being a few hundred pounds down in your account for a week or so until the money is refunded.

So what are my suggestions to secure this, quite frankly, mess of a system?

Just follow these few simple rules:

1. Do not give anybody your card. Place your card into the chip and pin machine yourself, even if you have to hand the unit back to the operator to enter the transaction total; if they want your money they will not mind.

2. Change your pin regularly; that way you are one step ahead of the game. To remember your new pin code you could use the letters printed against the numbers on your phone or mobile keypad to jog your memory: if you decided your word of the month was “chip”, that would translate to “2447” on your keypad.

3. Obscure those magic three digits on the back of your card with a small rectangle of electrical tape or nail varnish. You can also rub the last part of the signature strip off and memorise the digits. However, I would not recommend this, as beneath the signature strip is the word ‘Void’, meaning that if your card is checked by someone in a shop it may be rejected as void.

4. Do not have the same pin code for each card.

5. Have a credit card for online transactions only, e.g. a credit card set up to take the full balance from your current account every month. This helps twofold: credit cards have credit limits, which you can ask to be set lower than you are offered, and you have more cover for the purchases you make using a credit card. By doing this you are limiting your exposure to fraud, as there will only be a limited amount of credit available to be abused, and most problems should be able to be sorted before your direct debit is due to come out of your account.

If you have anything to add to my list, or any comments, get involved below.