Chip and pain: A financial fiasco

Paying by card has never been easier – and neither has being scammed. Jimmy Lee Shreeve investigates

The number's up: one of Britain's chip and pin devices, installed at a total cost of more than £1bn

Not so long ago we had to sign on the dotted line when paying for shopping on a debit or credit card. Now, of course, it’s all chip and pin. Just slot your card into a handheld device, tap out your four-digit pin (personal identification number) and you’re done. It’s fast, easy, and, according to the banks, far more secure than the old way.

When the system was trialled in Northampton in 2003, banks were heralding it as the answer to card fraud – complete with the reassuring slogan “Safety in numbers”. Rolling out the new till machines wasn’t cheap – it cost more than £1bn, which was borne by shoppers in higher bills. This was justified on the basis that chip and pin would drastically cut credit and debit card fraud.

Unfortunately, the system hasn’t lived up to its promise. According to recent figures from banking industry body Apacs, card fraud hit a record high of £609.9m in 2008, 14 per cent up on 2007. Even more alarming, the figure has shot up by £182.8m – 43 per cent – since chip and pin became universal on Valentine’s Day 2006. What went wrong?

Rather than acting as a deterrent, the introduction of chip and pin cards vastly opened up the opportunities for fraudsters. Previously, pins were used in the 50,000 or so bank cash machines around the country. Now they’re used on more than 900,000 tills everywhere from high street shops and supermarkets to restaurants and petrol stations.

Scammers simply had to work out a way to crack the system... and they did. Last October, Dr Joel Brenner of the US National Counter-Intelligence Executive warned that hundreds of chip and pin machines in stores and supermarkets across Europe had been tampered with, allowing details of shoppers’ bank and credit card accounts to be sent overseas to fraudsters. The details were used to take money from cardholders’ accounts.

According to Brenner, it was a very sophisticated operation: “Previously, only a nation state’s intelligence service would have been capable of pulling off this type of operation,” he says. “It’s scary.”

An organised crime syndicate was thought to have been behind the scam. It must have been an inside job, as the machines were doctored either while they were being built in China or before they left the production line. Investigators call this a “supply chain attack”. It needs slick engineers, too. Dr Brenner says the devices had been perfectly resealed after being taken apart and customised. “It was impossible to tell, even for somebody working at the factory, that they had been tampered with.”

From China, the doctored devices were shipped as normal to Britain, Ireland, the Netherlands, Denmark and Belgium, and were installed in many different outlets – typically with the help of an insider, such as a member of staff. Investigators from Mastercard International reportedly found doctored machines at branches of Asda and Sainsbury’s.

Before the scam first came to light in early 2008, hundreds of devices in Britain and other affected countries were copying account and pin numbers from thousands of credit and debit cards. The data was transmitted via mobile phone networks to underworld boffins in Lahore, Pakistan. “White” or cloned cards were then made, which criminals used to withdraw cash and to make “card not present” payments by phone or online. The illicit transactions were always made two months or so after the original card details had been lifted, which effectively obscured the fraudsters’ “cyber-trail”.

According to one Mastercard International investigator, the scam creamed tens of millions of pounds from British and European accounts. Dr Brenner believes the fraud should be a wake-up call to chip and pin manufacturers.

While banks accept that fraud exists, they insist that chip and pin remains secure. “Of course we accept that fraud can happen,” says Sandra Quinn of Apacs. “No system is foolproof. But we are not aware that the chips themselves have yet been breached.”

But Professor Ross Anderson, a security expert at Cambridge University’s Computer Lab, is far from convinced. “The banks’ claims that chip and pin would curb fraud were nothing but spin,” he says. “The reality is the system is broken.”

Worryingly, if your card is hit by “phantom” withdrawals by scammers, you can end up being suspected of fraud yourself. In February 2008, Jane Badger was acquitted by a judge who accepted her honesty, rather than the bank’s allegations. She’d spotted withdrawals on her Egg credit card account she didn’t recognise, and disputed them. She was accused of lying and ended up facing criminal charges. She was suspended from her job and spent a year battling to prove her innocence.

In March this year, the Government announced its new National Fraud Strategy to help protect consumers and businesses. The chief executive of the National Fraud Strategic Authority, Sandra Quinn (not the Apacs’ Sandra Quinn), says that it will provide a central resource for people to report fraud – which up to now has been lacking. “People will be able to call or email the centre, which will also receive information from businesses, including banks,” she says. “There is a lot of organised fraud out there and often it is reasonably small amounts of money, but it’s being done thousands of times.”

The new body’s main task is to build and share knowledge about fraud by setting up a National Fraud Reporting Centre and National Fraud Intelligence Bureau under the City of London Police.

Security expert Ross Anderson, however, dismisses the arrangement as “more worthy of Uzbekistan than of Britain.” It might sound good on the surface, but as far as he is concerned, “you have to ask how eager the City force will be to investigate offences that bankers don’t want investigated, such as the growing number of insider frauds and chip card cloning. And how vigorously will City cops investigate their paymasters for the fraud of claiming that their systems are secure, when they’re not, in order to avoid paying compensation to defrauded account holders?”

So what are the alternatives to chip and pin? Increasingly popular in Germany are fingerprint payments, which have been rolled out in supermarkets across the country. Once you’ve registered, paying for items is easy. Simply put your finger on a light-sensitive pad and the money is deducted from your account. Fingerprints are stored on a secure database. “Our system is not to be confused with fingerprints like law enforcement officers would take,” says Stefan Sewoester, sales manager for IT Werke Lahr, one of the pioneers of fingerprint software. “Only certain points of your finger are being transferred to the database and those are unique and almost impossible to fake.”

Almost impossible to fake, however, is not the same as impossible. Japanese mathematician Tsutomu Matsumoto has shown just how easy it is to fool fingerprint readers. He took a cast of his finger in plastic, then poured in liquid food gelatin. Once set, the print can be placed over a finger and will fool detectors eight times out of 10.

Experts have also taken prints from glass and made convincing gelatin moulds using superglue, a digital camera, and a circuit board you can pick up from most electrical stores. And in April 2007, mathematicians reproduced a fingerprint from biometric passport data alone.

But, according to fraudster turned FBI fraud consultant Frank Abagnale, who was immortalised in the Leonardo DiCaprio movie Catch Me If You Can, no system is secure. He warned about the vulnerabilities of chip and pin as far back as 2006. “There’s no such thing as a fool-proof system,” he says. “That whole idea fails to take into account the creativity of fools.”

Comments

Don't over-simplify security
[info]stephenwilson wrote:
Wednesday, 22 April 2009 at 10:00 pm (UTC)
The cry that 'Chip and PIN is broken' because overall fraud has increased is unwarranted, and over-simplifies the security challenge. One must examine the types of fraud that chip cards can combat. The biggest weaknesses today come from two non chip avenues: (1) faking magnetic stripe information, and (2) replaying stolen details online (not in retail stores) in Card Not Present fraud.

As the writer says, there is no evidence that the chips have been compromised. So chip is doing its job -- it is reducing the incidence of faking cards. But in most cases, cards still feature redundant magnetic strips, and a compromised PIN capture terminal still allows good old fashioned skimming. Once all terminals migrate to chip-only we will see card fraud step down even further.

Casual talk of biometrics is very worrying. In large retail settings they have yet to be proven robust. See for example the Dutch supermarket chain Albert Heijn which recently shelved its fingerprint system because of fraud. At least with PINs, if yours is stolen, you can get a new one. Biometrics don't address the fundamental vulnerabilities mentioned: the ready availability of data in magnetic stripes, and the ease with which data can be replayed online, behind the backs of customers.

It is often said that fighting organised crime is like squeezing a balloon: you can apply pressure at one end only to see criminals change tack and pop up at the other end. So one side effect of Chip-and-PIN is that crime gangs move to other methods, like Card Not Present (CNP) fraud. While ever we keep typing credit card details into web sites, we will all remain vulnerable to CNP fraud. It is child's play. Mammoth amounts of cardholder details are stolen in sophisticated attacks on databases, and then the data is traded amongst criminals on 'carding sites' -- like eBay for fraudsters.

The overall Chip and PIN scheme was not designed to address online fraud ... yet the light at the end of the tunnel for CNP is that chip technology offers a way to protect (encrypt) account details at the customer browser before being sent to a web merchant. Thus a merchant can be equipped with the means to tell genuine card details from stolen.

Stephen Wilson
Lockstep
www.lockstep.com.au

article "Chip and Pain: a Financial Fiasco"
[info]meyersmv wrote:
Thursday, 23 April 2009 at 09:20 am (UTC)
Being a smart card expert - albeit in telecomms and not in the financial sector - I want to point out that the article does not fully explain the true nature of this attack. As I understand it, it is infeasible to emulate the functions of the chip, but certain data are read from the chip (in the normal way) via the compromised readers and illicitly recorded or transmitted to the attackers. The flaw in the Chip-and-PIN system seems to be that such data (primary account number, name of account holder and expiry date) can be read un-encrypted by the reader and are the same as the data which are used in telephone transactions. One could argue that this type of attack is in fact made easier by the Chip-and-PIN system than it was when the top technology on the card was the magnetic strip.

One thing that the article doesn't mention is how the attackers captured the 3-digit (4 digits if it's Amex) security code which is printed on the card and, to my understanding, is not stored in the chip. Perhaps they relied on the fact that not all telephone or on-line retailers require the use of this code.

Mike Meyerstein
Meyerstein Consulting Ltd
mike.meyerstein@btinternet.com
anonomouse
[info]anonomouse99 wrote:
Thursday, 23 April 2009 at 09:42 am (UTC)
It might be worth noting the following:
Approx 10% of people write their PIN on the back of their card (oops, top secret), but did anyone ever educate them?

There are 800,000 terminals in the UK working fine. Most fraud is "card holder not present", i.e. over the internet (that big bad thing that we all use every day, so maybe we had better close down the internet?)

If online merchants insisted on a verification via one of the various 3rd party checking systems, this would cut fraud quickly, but most won't: this costs them money on every transaction, whilst the odd bad transaction costs them less. The old risk versus profit incentive. Anyway, it is a victimless crime.

Perhaps there could be a newspaper campaign to insist on shoppers and merchants being more responsible? Perhaps not; we do not want to affect newspaper advertising revenue.

Where do people think the £500M in non Chip and PIN fraud money goes? Into charity boxes, feeding orphans, or crime and terrorism? If other countries also mandated Chip & PIN like the UK, this would reduce our fraud and would reduce sales of smuggled alcohol and tobacco and drug traffickers' profits - so it will not happen - too easy; dawn raids make better headlines.

As for fingerprints, this is a joke. I suppose the author thinks we should give our fingerprints to all shop keepers, banks and credit card companies - please look up the words privacy, identity theft and data loss in your archives.

"Nothing is absolutely secure" is absolutely correct, but for a small effort/fee shopping online or in person can be a whole lot safer.
Executives not Systems are the problem...
[info]lurchman wrote:
Tuesday, 28 April 2009 at 10:07 am (UTC)
In the article Sandra Quinn of APACS is quoted as saying,
