Tuesday, March 04, 2008

Who can see your PIN

Researchers claim to have found flaws in PIN entry devices (PEDs) from well-known brands, devices that are certified by APACS and Visa. These flaws can let fraudsters read unencrypted PINs and account numbers.

The "tapping" technique used to capture unsuspecting cardholders' PINs requires little technical know-how: fraudsters can attach a "tap" to the PED that records the PIN and account details as they pass between the card and the PIN pad. Criminals can then use this data to create counterfeit cards and withdraw cash at ATMs in countries where Chip and PIN has not yet been implemented.

In another report, a British criminologist has warned that the new security card technology could actually increase, rather than solve, the problem of identity theft and fraud. The researcher said that identity cards and Chip and PIN technology for credit cards were unlikely to alleviate the problem: fraudsters respond with more creative tactics, while individual vigilance and know-how, which remain the best protection against fraud and identity theft, will decrease as people come to rely on the technology.

The biggest exposure to fraudulent transactions, in my view, is the lack of control a subscriber has over what happens to his or her PIN. How is the PIN handled, can it be intercepted, and is it stored anywhere along the way? Any third-party device or transmission line that the subscriber does not control is a possible point of attack. PIN entry devices that are not under the direct control of the subscriber are the weak point: they can be used to capture a PIN fraudulently without the subscriber's knowledge.

Techniques exist that enable a subscriber to enter their PIN securely on a mobile phone, in a way that can also be certified by banks and credit card associations. The difference with this approach is that the PIN is entered on a personal device that is (usually) under the subscriber's control, so tampering with it in order to capture the PIN fraudulently is much more difficult.