Chip and Spin

Following a litany of scandals from overcharging to stolen laptops, Irish banks recently invested €100m in a security system that fraudsters can easily breach. In March, the Dundrum Shopping Centre was targeted in a spate of ‘skimming’ – a form of theft where criminals clone bank cards, capture PIN numbers and empty bank accounts.

In 2006 and 2007, Irish banks invested massively in ‘Chip and Pin’ technology to safeguard against skimming. Thousands of new bank cards were issued with security chips, adding an extra layer of security. And instead of signing for purchases at a Point of Sale (POS), customers were forced to enter a PIN number. ‘Chip and Pin’ succeeded initially, and the incidence of skimming fraud fell in 2007 (albeit offset by a rise in internet fraud where PIN numbers are not required).

However, fraudsters discovered that ‘Chip and Pin’ security works only in countries where every ATM and POS is ‘Chip and Pin’ enabled. A cloned card (without the chip) will work just as well in Bulgaria or Latvia where the system is not used. Eastern Europe is where sums of up to €7,800 were recently withdrawn from Irish account holders who were skimmed in March.

Irish banks will reclaim their customers' monies from overseas banks that facilitated the bogus transactions. So in effect, all Chip and Pin has achieved is to protect Irish banks against the fraud.

The Dundrum scammers netted up to €200,000 in one month: a fraction of the €14m in annual banking fraud.

Cheap chips

Cards are usually skimmed only when fraudsters can observe the PIN being keyed into an ATM or POS. Card holders are encouraged always to protect the keypad when entering a PIN. However, an elaborate scam has been developed where the details of Irish cards may be recorded even when the PIN number is seemingly protected. It relies on two vulnerabilities – the POS machine where PIN numbers are entered and the type of chip used in bank cards.

POS machines in shops and restaurants can be breached by inserting a clip that sends information about transactions to a nearby laptop. A ‘skimmed’ card may then be cloned using the account details captured, but this depends on the type of chip used on the bank card.

Two types of chips exist – Static Data Authentication (SDA) and Dynamic Data Authentication (DDA). The former is less expensive but less secure – information sent from these cards is not encrypted. The latter chip is more expensive but offers greater security – data is encrypted when the card is used, so any information captured by a would-be thief is useless.

Irish banks opted for SDA chips when they invested in ‘Chip and Pin’, and thousands of cards are vulnerable to this type of fraud. The Irish Payments Service Organisation now recommends to banks that DDA chips be used, and it is thought that new cards are issued with DDA chips. Five banks in Ireland – Permanent TSB, Allied Irish Banks, Bank of Ireland, Ulster Bank and Halifax (Bank of Scotland) – refused to disclose the numbers of SDA versus DDA cards issued to their customers. Thieves in the UK recently made off with thousands of pounds using precisely this method.

MALACHY BROWNE