With the discovery of a counterfeit card factory and increasing threats involving Chip and PIN terminals, the banking industry needs to rethink the use of static PINs
The fact that Chip and PIN is not infallible has hit the headlines yet again with the news that police raided a counterfeit card factory in Birmingham on Tuesday and found equipment needed to steal details and make fake cards. This latest incident follows warnings by Cambridge University researchers who recently published results of successful attempts to obtain personal identification number (PIN) and credit card details from Chip and PIN terminals.

Jonathan Craymer, chairman of GrIDsure, the developer of a revolutionary new approach to authentication, commented: 'Since its arrival onto the British high street over two years ago, Chip and PIN has been hailed as a success, however these recent stories show that the system's reliance on fixed PIN numbers has left it vulnerable to attack.'

'At present, few fraudsters are using the approach of hacking Chip and PIN readers as there are other far easier and more cost effective methods available to them. Fraud on the UK's high streets has reduced since Chip and PIN was introduced, but the same cannot be said for online fraud and so-called "fraud abroad". There will always be vulnerabilities with authentication systems, but no matter what you do to strengthen the POS terminal you will not overcome the basic problem of people shoulder surfing or key logging a static PIN number,' continued Craymer.

It has been suggested that the Banking Code should ensure that victims are refunded any losses. With this latest attack, however, customers' PIN numbers have been used to make the transactions, and in recent cases banks have refused to refund customers where this has happened.

'With 30 UK stores already falling victim to this attack, I am sure we have not seen the last of these attacks, yet simple, incremental changes - like addressing the static PIN - could so easily reduce fraud. A fraudster obtaining a one-time PIN will have achieved nothing; a fraudster obtaining a static PIN essentially achieves a ticket to a new ID and its associated account,' continued Craymer.