Thursday, September 11, 2008

ATM PIN fraud and implications

The recent action of banks (Citi, Lloyds TSB, HSBC, Dubai Bank, National Bank of Abu Dhabi (NBAD) amongst others) in the UAE to contact their customers about a PIN compromise was widely reported (see here). The thing is that this is not new. It seems that the cloning of cards has turned into an epidemic (see for instance here, here, and here). It is actually relatively easy to clone a card, especially a magstripe card, because everything the stripe holds (card number, expiry date, service code and the issuer's discretionary data) is static and can be read and written back with off-the-shelf equipment. One of the more common ways of capturing that data is by attaching a skimming device to the card slot of an ATM, often paired with a pinhole camera or a false keypad overlay to capture the PIN. (See the picture.) It is also doubtful how diligently banks are reporting on these activities and how exposed we really are to this kind of crime (see one of my recent blog posts).

The banks are responding to this threat by turning to chip-based security, and this is (rightly so) why a lot of effort is being placed on making all payment solutions EMV compliant: a chip card produces a per-transaction cryptogram that a copied magstripe cannot replay. But indications exist that even these measures do not seem to offer ample protection for the consumer (see here and here). I am of the strong belief that the only mechanism to defend against this kind of identity theft is to provide bank customers with a personal device that is connected all the time to the bank system, with a secure chip in the device. In this way, the security is stored in a device that is carried by the customer and can only be unlocked with a private key, yet the bank can access the device anytime and anywhere in the world. The only device with which this is possible today is the mobile phone (provided proper use is made of the security chip in the phone for banking too).
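To make concrete what a skimmer on an ATM card slot actually captures, and why the move to chip matters, here is an added example (it is not code from the original post, and the bank names above have nothing to do with it) that parses a magstripe Track 2 record in the ISO/IEC 7813 layout: start sentinel `;`, PAN, separator `=`, expiry `YYMM`, three-digit service code, issuer discretionary data, end sentinel `?`. The sample track is constructed for this example using the well-known Visa test number 4111111111111111; the expiry, service code and discretionary digits are made up. The service code tables are the standard ISO 7813 meanings; the first digit being 2 or 6 is how a terminal learns that the card carries a chip and should not silently fall back to the stripe.

```python
import re
from dataclasses import dataclass

# ISO/IEC 7813 Track 2: ;PAN=YYMMSSSdiscretionary?  (LRC, if present, is stripped by the reader)
TRACK2_RE = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")

# Service code meanings per ISO/IEC 7813.
SVC_FIRST = {
    "1": "international interchange OK",
    "2": "international interchange; use chip (IC) where feasible",
    "5": "national interchange only",
    "6": "national interchange only; use chip (IC) where feasible",
    "7": "no interchange except under bilateral agreement",
    "9": "test card",
}
SVC_SECOND = {
    "0": "normal authorisation",
    "2": "contact issuer online",
    "4": "contact issuer online except under bilateral agreement",
}
SVC_THIRD = {
    "0": "no restrictions; PIN required",
    "1": "no restrictions",
    "2": "goods and services only (no cash)",
    "3": "ATM only; PIN required",
    "4": "cash only",
    "5": "goods and services only; PIN required",
    "6": "no restrictions; use PIN where feasible",
    "7": "goods and services only; use PIN where feasible",
}


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test: every second digit from the right is doubled, digit sum mod 10 must be 0."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Track2:
    pan: str
    expiry: str          # YYMM as encoded on the stripe
    service_code: str
    discretionary: str   # issuer-defined; static, so a skimmer gets it too

    @property
    def chip_card(self) -> bool:
        """True when the service code says a chip is present (first digit 2 or 6)."""
        return self.service_code[0] in ("2", "6")

    @property
    def pin_required(self) -> bool:
        """True when the third service-code digit mandates a PIN for every transaction."""
        return self.service_code[2] in ("0", "3", "5")

    def masked_pan(self) -> str:
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]

    def describe(self) -> str:
        parts = [
            SVC_FIRST.get(self.service_code[0], "reserved"),
            SVC_SECOND.get(self.service_code[1], "reserved"),
            SVC_THIRD.get(self.service_code[2], "reserved"),
        ]
        return "; ".join(parts)


def parse_track2(raw: str) -> Track2:
    """Parse and sanity-check a Track 2 string; raises ValueError on bad framing or a bad Luhn digit."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not an ISO 7813 Track 2 record")
    t = Track2(m["pan"], m["exp"], m["svc"], m["disc"])
    if not luhn_ok(t.pan):
        raise ValueError("PAN fails Luhn check")
    return t


# Constructed sample, not real card data: Visa test PAN, expiry Oct 2010, service code 201.
SAMPLE_TRACK2 = ";4111111111111111=1010201123456789?"

if __name__ == "__main__":
    t = parse_track2(SAMPLE_TRACK2)
    print("PAN:", t.masked_pan(), "expiry (YYMM):", t.expiry)
    print("service code", t.service_code, "->", t.describe())
    print("chip card:", t.chip_card, "| PIN required:", t.pin_required)
    # Everything printed above is exactly what a skimmer has after one swipe; only the
    # PIN is missing, which is why skimmers are paired with cameras or keypad overlays.
```

Note what the record does not contain: nothing in it changes between swipes, so a copy is as good as the original at any terminal that accepts the stripe. A chip transaction adds a cryptogram computed over transaction data with a key that never leaves the card, which a magstripe copy cannot produce; the weakness the post alludes to is that a terminal may still accept the stripe (a "fallback") even when the service code says a chip is present.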

