Beat the Chip & PIN security scare

It's a false economy to use tech to mitigate against fraud. Chip & Pin is a classic example: it is easily hacked. The more trust we put into our technical security systems, the bigger the impact when they fail.

The best analogy for this is the National ID card. Yes, it'd be a single way to prove your identity. But herein lies the problem: once the system is circumvented, it could be used to fraud against *anybody*. So once the system is breached, the impact is far wider.

IMHO the next one to fail is the card reader that banks are using to verify your ID before you perform an Internet transaction. This will be hacked very soon; once it is, the banks will have paid a huge amount to distribute card readers to everyone, yet the system will be worthless.

Some banks use a log-in system that asks for a few characters from your password (Nat West for example). I have a 19 character password (letters and numbers mixed). So when I log on it is difficult for my password to be guessed. The chances of guessing it are 36 to the power 19 (which is big, really big). It's the best method I've come across (long passwords, mixed characters, and random characters erequested). If your bank doesn't do this, ask them to. If enough people ask, they'll change it.

I also use a log-in record sheet. I log EVERY time I log on to any of my banks. One for each bank. I always check that the "last log-in date/time" is the last one on my sheet. If it is, I tick it off. If not, I would ring the bank immediately!

Whatever methods / procedures you use, remember one thing. Systems are built by people and used by people. People make mistakes. So systems and uses of systems have mistakes. Other people are clever and can find these mistakes.

So there is no such thing as a foolproof / perfect / unhackable system. Nor will there ever be.

Re the comment "The Cambridge scientists found that it is possible to attach a small chip to the back of a typical card that can bypass security measures within Chip and PIN terminals.", the most obvious point was not mentioned as far as I can tell - try to make sure that nobody steals you card. For if the the thieves haven't got your card, they cannot use it with  this nasty new chip. Or have I missed something?

Mistyeyed: its actually common knowledge and the wedge attack which is easier is well known now (check the latest 'Computing' edition). Its really more about embarrassing the banks into taking action to secure their systems rather than blaming the customer, which they frequently do.

We are talking about a banking system that was at one point losing billions through fraudulent wire transactions placed from computers in Russia rather than actually tackling the problem and paying to secure their systems.

The wedge attack works by making a cash machine ignore the chip and think its a signature transaction, I mean a cash machine thinking your going to sign? Where? Who writes this software?

I'm a software developer and I would have been pushing to stop anything without a chip being used in a cash machine had I been on that team. And all they need to do is re-engineer the software to stop wedge attacks, most cash machines I've seen were running Windows NT.

Chris - the wedge attack is slightly different to the one reported here if I'm correct, if not I'll go read my copy of Computing again. I don't claim any sort of infallability - I've been too busy writing business processes management software recently to browse over the computer screens too much.

Either way - unsecured banking systems should not exist and they should be getting massive fines from the FSA and various governments. And I own shares in a couple of Banks?

Having read heavily into encryption systems I only know of one properly secure encryption system which should require more atoms than are in the universe for longer than people have been alive for to crack, and you would think the so called experts would be working towards using these and looking for the weak links in their security and blocking them until the only weak link left is actually the customer and not their systems.

I agree with antwebb, the credit report is a total red herring in these cases and an utter waste of money. i have lived 62.5 years without the need for a credit report and will continue to do so  for a long time - I hope.

One of the biggest pains is where people give your bank details to a company for a direct debit , this you can spot but takes some time to get it reversed .( They can get these details from a cheque of course, so no system is perfect)

There will always be criminal after your money, there was in thebible and there willbe now and forever.

This article rather glosses over just how difficult this particular hack is.

For a fuller explanation look http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html

While it's importance shouldn't be ignored, I doubt we are in for numerous cases of "PIN hacking" over night.

The huge discrepancy (imho), is lack of encryption throughout the transaction process and is typical of someone at some point in the past, taking the "cheap" option. Though I'm not certain, that alone, would resolve this particular problem.

That brings me to another favourite rant of mine, the possibility of using RFID tags on cards in the future. Don't even go there. If you think the above is insecure, you may as well give your money away with RFID!

All that said, and as the report concedes, Chip and PIN has resulted in a big reduction in fraudulent transactions and that fact shouldn't be lost or washed away in the hype.

The suggestion of using the love money tool to check your online banking is a really bad idea.

Why - if your bank account is hacked as a result of your internet bank details being found by a thief because you stored them in the love money tool then you will be found to be negligent and you may find your bank sticking their fingers up at you when you say your money has been robbed, they will say you should not have done that it is against our terms and conditions.

To eLJay, antwebb and oldhenry: Lovemoney don't recommend you sign up for CreditExpert or whoever permanently - they always say use the free trial! If you've never checked it won't cost you a penny; provided you cancel before the charges kick in. It can be worth checking once in a while just to see what's on there - you may find supposedly closed cards and accounts still active or incorrect address/status details, all of which may impact future credit applications, which you would have had no other way of discovering.

eLJay: if you were offered an unexpected interest rate I would say that's more reason to check what's on your report - banks use it to assess their risk in lending to you and any of the above wrong information will adversely affect their decisions. Also, that A&L check will probably now be recorded on your account and will affect future applications, so if you didn't authorise it you can have it removed from your record.

No, tommills, the police are not interested.

One reason for this is that the banks refuse to co-operate with them. This (I was told by a CID officer later) is partly because the banks do

not want any record anywhere of how big this problem really is. It

would destroy confidence in the banking system worldwide.

The most the police can do is record the crime. Even if evidence comes to light, the banks do not want to pursue it.

I know that the recording of the person trying to access my account via telephone banking still existed when I reported my fraud; I know it was due to be kept on the Co-op bank systems for another 8 hours. I know that by the time the officer called the Co-op it had been deleted. He told me this happens a lot - the banks are not interested in co-operating with the police.

The CID officer I later spoke to had CCTV footage of new cards issued in my name being used in several London jewellers to buy expensive watches, but he couldn't do anything with the footage - Barclaycard didn't want to proceed with an investigation, even though they'd lost £13k.

A tip (also tip from the CID officer I spoke to). If you are the victim of identity theft, and you have any idea whatsoever about who could be responsible for stealing your card, details or identity information, DO NOT SAY SO either to the bank or the police.

The usual arrangement for credit card or bank loss with identity fraud is that you (the card or account holder) are NOT the victim - the bank elects to carry the loss, which makes THEM the victim. You are merely a witness.

If the bank or credit card company (usually also a bank) thinks that you gave your details away through negligence in any form - and this is what will be supposed if you give a name of someone you suspect - then YOU will become the victim, and THEY will become the witness. In other words, you will have to to foot the bill because the bank will refuse to refund you.

Least said...