Remember the difficulties which blog readers (and I) shared regarding the use of American credit cards overseas, when the only way to complete a transaction was using “chip-and-PIN” technology?

The argument for the chip-and-PIN technology has always been enhanced security. Signatures were too easily faked (or ignored), the argument goes, and the protection of having an embedded chip containing the card data, plus a numeric PIN, overrode the inconvenience caused to those (often international) customers whose cards didn’t have the requisite chip.

Chip-and-PIN terminals were supposedly tamper-proof, and the multiple layers of security allegedly decreased risk to both the customer and the retailer.

Until now.

Researchers at the University of Cambridge have hacked a chip-and-PIN box, and in a demonstration of the machine’s weakness, reprogrammed it to play Tetris. A less jesterlike hacker might hack a box and use the terminal to capture card numbers and PINs. So much for a better mousetrap. See here. Be sure to scroll down to watch the video.

Think this new evidence will cause European credit card issuers to make it easier to use a non-chip card when making purchases? Don’t bank on it.

Related:
- Update: How to beat the chip and PIN credit card requirement?
- Rotten in Denmark: Credit cards with mandatory PIN
- “We prefer Visa cards” — just not yours

(via boingboing)

Categorized in: chip-and-PIN, credit cards, travel

9 Responses to “Pet peeves revisited: Chip-and-PIN credit card “security” undermined”

  1. 1five9 Says:

    I’m headed to South Africa in a few weeks and I was curious if anyone had any idea if PIN numbers were required there.

  2. Oliver Says:

    Well, one continent has hackable voting machines, another has hackable credit card terminals. What’s worse? You pick…

    What about those PIN-enabled ATM/debit card terminals that become more and more popular in US stores (because of lower fees for merchants)? As far as I know, unlike with credit cards, consumers don’t even have the protection of the law as far as limited liability if someone unauthorized accesses their accounts …

  3. Mark Ashley Says:

    1five9: I’ve heard that chip-and-PIN is prevalent around Cape Town, but that it’s not mandatory. Ask to swipe and sign.

    Oliver: We’re not really trying to compete for the “whose hack-able technology is worst” championship here, are we? (An aside: When I voted in the last election here in Chicago, voters were given a choice between paper ballots and touch-screen voting machines. While I was there, every single person who was offered a touch-screen machine (“no waiting!”) vehemently refused. At least we had a choice. In other districts, there was no choice. Much like there is no choice to use a different model of credit card terminal at the supermarket…)

    And you’re right, many banks don’t give the same protection as credit cards for customers using the PIN-enabled swipe terminals in the US. I haven’t used a debit card with a PIN at a store in years. More risk, and no miles… I’ll stick with the credit card.

  4. Joe Says:

    I work in the retail credit side of the business, so I get to see all the various cards and card processing systems that come out and sadly I’m forced to agree with you. For whatever reason, Euro issuers are dead set on the chip-and-pin model…you know how it goes: they make up their mind to take the wrong course of action and then stick to it.

  5. Oliver Says:

    Mark, my point really is: show me a secure technology and I’ll show you someone who hacked it. I do think that in the big picture, it’s quite a lot safer for the merchant to use the PIN-based terminal than to rely on my signature looking somewhat like the one on the back of my card. And I assume the merchants pay for the machine not to protect me, but rather to protect themselves.

    Is it safer for me? Probably as well; I doubt that there are going to be a ton of merchants all over Europe hacking their terminals (why bother… just write down my credit card number, expiration date and CVC code). But honestly I am not too concerned about that as my ultimate liability is very limited. Oh, and I don’t have a PIN/Chip, so my card won’t ever find its way into one of those machines.

  6. Mark Ashley Says:

    Oliver:
    Agreed, with every tactical innovation in security, someone will innovate to counter it. And I agree that the number of people who will hack the boxes, to play Tetris or otherwise, will be few.

    At the end of the day, my beef is not with efforts to make credit card transactions safer. I’m all for that. My beef is with limiting the ability of international customers to make purchases (see the “Rotten in Denmark” post). Especially if the technology doesn’t live up to its hype.

  7. Oliver Says:

    Makes you wonder what a restaurant will do if you present them, after enjoying your meal, with a non-CHIP-enabled credit card for payment (thinking that the VISA/MC/Amex logo on their door was sufficient evidence that your card would be accepted). Will you end up in the kitchen cleaning dishes for the rest of the night? I might just try that out next time I am in Europe. What countries did you say use those CHIP/Pin systems? ;)

  8. 1five9 Says:

    Thanks, Mark.

  9. Chip-and-PIN credit cards finally land on American shores | Upgrade: Travel Better Says:

    [...] And while the addition of Chip-and-PIN would speed in-person transactions for American banking customers abroad, and allow Americans to use automated gasoline pumps, ticket vending machines, and parking fee machines in Europe, the system still has its flaws. Security isn’t guaranteed (much as it isn’t with a swipe-and-sign setup), with some semi-comical results. [...]
