Sunday, September 6, 2009

Cover your …um… PIN

I was disturbed the other day on my way home from work, to listen to a radio interview on CBC that depicted one lady’s experience with debit card fraud.  The fact that somebody illegally copied this person’s debit card is one thing, but the fact that she didn’t have a clue about how the technology works is frightening.

The annual reimbursement for debit card fraud is somewhere in the range of $100 million, and growing.  The corporate response is to replace the traditional magnetic strip with chip technology.  Chip technology is harder to copy than a magnetic strip and provides embedded encryption to allow secure communication of the card data to your bank.

I did a little Googling on the technology and found lots of corporate propaganda about how it is ‘virtually impossible’ to copy and ‘more secure’, but was unable to find any of the specifics on how it works.  Presumably, the chip works like your web browser and does some kind of point-to-point encryption to send the card data to the card reader.  Then your PIN is entered into the card reader to validate the transaction.

This lady on the radio had it in her mind that the mere presence of the chip on her new card made her transactions more secure.  This may be true to a point, but ‘virtually impossible’ to copy and ‘impossible’ to copy are not the same. 

For starters, the use of the magnetic strip isn’t going away completely.  It won’t be until 2015 that the chip will be fully implemented in Canada.  Even once that happens, if you use a card reader that takes a magnetic strip, the strip can be copied at that time: not the chip, mind you (yet), but the same information that today’s technology allows to be copied.  A transaction can still be made from this if your PIN is compromised.  Many countries have no plans to move to chip technology and still have access to the Interac network.

The only real protection you have is to protect your PIN.  This means that you need to make sure that nobody ever gets access to both your PIN and your card.  Since you can’t guarantee that nobody will get access to your card information, it’s up to you to protect your PIN.  Here are some suggestions:

  1. Don’t use an easy-to-guess PIN.  Your birthday, your anniversary, your kids’ birthdays, etc. are a mistake and can easily be guessed by the bad guys.  Use something random.
  2. Don’t write down your PIN…anywhere.  There are only so many things that a 4- or 5-digit number written on a discarded post-it note can be.
  3. Don’t tell anyone your PIN.  Your wife, your kids, anyone.  You may be able to control how you protect your PIN, but if anyone else knows, you have no control over what they do with it…don’t fool yourself.
  4. Cover the PIN-pad when you enter your PIN.  This may look a little silly at times, but be paranoid about it.  Pinhole cameras and shoulder surfing are the norm for this type of crime.
  5. Change your PIN often.  Go to the bank and they will let you change your PIN.  Do this at least twice a year, then if someone gets your PIN and card info, you cut them off at the knees as soon as you change the information.
  6. Get a new card periodically.  If you get a new card, the old one is no good anymore; if someone has stolen it, they get nothing.
  7. Watch your statements and question every transaction that you don’t recognize.  Use common sense.
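Suggestion 1 (don’t use a guessable PIN) is the one that can actually be checked mechanically.  The following is an added example, not code from this post or from any bank: a small checker that flags the kinds of PINs the list above warns about (dates you celebrate, years) and, going a little beyond the text, the other patterns that make a PIN easy to guess (repeated or sequential digits, and a handful of widely reported common PINs).  The `COMMON_PINS` set, the `pin_weaknesses` and `date_pins` names, and the sample dates are all constructed for this example.

```python
import re
from datetime import date
from typing import Iterable, List, Set

# Small illustrative set of PINs that turn up disproportionately often in
# leaked PIN data sets.  Constructed for this example; not an exhaustive list.
COMMON_PINS = {"1234", "1111", "0000", "1212", "7777", "1004", "2000", "4321", "2580"}


def date_pins(d: date) -> Set[str]:
    """Every 4- or 6-digit PIN someone could read straight off a date:
    MMDD, DDMM, YYYY, YYMMDD, DDMMYY and MMDDYY."""
    return {
        d.strftime("%m%d"), d.strftime("%d%m"), d.strftime("%Y"),
        d.strftime("%y%m%d"), d.strftime("%d%m%y"), d.strftime("%m%d%y"),
    }


def pin_weaknesses(pin: str, known_dates: Iterable[date] = ()) -> List[str]:
    """Return the reasons a PIN is easy to guess; an empty list means no
    obvious weakness was found.  `known_dates` are dates that people around
    the cardholder could know: birthdays, anniversaries, and so on."""
    if not re.fullmatch(r"\d{4,6}", pin):
        return ["not a 4- to 6-digit number"]
    reasons = []
    digits = [int(c) for c in pin]

    # 7777, 000000: a single repeated digit
    if len(set(digits)) == 1:
        reasons.append("all digits identical")

    # 1234, 6543: every step between neighbouring digits is +1 or every step is -1
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps == {1} or steps == {-1}:
        reasons.append("ascending or descending run")

    # 1212, 123123: the second half repeats the first
    half = len(pin) // 2
    if len(pin) % 2 == 0 and pin[:half] == pin[half:] and len(set(digits)) > 1:
        reasons.append("same digits repeated")

    # 1975, 2009: a four-digit PIN that reads as a plausible year
    if len(pin) == 4 and 1900 <= int(pin) <= date.today().year:
        reasons.append("looks like a year")

    if pin in COMMON_PINS:
        reasons.append("on the common-PIN list")

    # Birthday / anniversary in any of the usual digit orders
    if any(pin in date_pins(d) for d in known_dates):
        reasons.append("derived from a known date")

    return reasons


if __name__ == "__main__":
    # Constructed sample: a cardholder born on 14 March 1975
    birthday = date(1975, 3, 14)
    for candidate in ("1234", "0314", "1975", "8362"):
        print(candidate, pin_weaknesses(candidate, [birthday]) or "no obvious weakness")
```

Run it with the dates that matter to you and it will tell you whether a PIN you are considering falls into one of the guessable buckets; a PIN that comes back clean is not guaranteed strong, but it at least is not one of the first things a thief would try.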

1 comment:

Anonymous said...

The worrisome thing about chip and PIN is that it is backwards compatible. Chip gets damaged? You still need to be able to buy your Twinkies, so it will fall back to mag stripe. The information encoded on the stripe is not encrypted and the format is well known. Generally speaking, all the black hat needs is your card number and your PIN.

In general the chip is given a PIN to verify and will return a code based on success or failure. This is done as an offline verification. After so many failures (generally 3, but it can vary) the chip will lock itself until re-PINed or a successful online verification.

There have been hacks where a specially crafted card has a very thin cord coming out the opposite end of the card into a netbook. The netbook then responds with the PIN_CORRECT code, and the transaction is verified by chip and PIN (the banks won't tell you this, but they won't refund a chip and PIN transaction as it is 'secure'). Generally speaking a cashier is smart enough to notice the cord going down the black hat's sleeve, but with bulky coats and unmanned cash registers it can be done.

The chips are also fairly finicky and break easily enough. At that point either the fallback to mag stripe will work, or the cashier can manually enter the card number into the terminal and it will work like a credit card.

Chip and PIN is broken. WEP broken.

Not to mention that most terminals are made in China and some have been shown to have malware and trojans in the PCB that skim the card number and PIN and dial home.

The entire system is scary bad.
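The commenter's description of offline PIN verification (the chip checks the PIN itself, returns only a success or failure code, and locks after a small number of failures until the issuer unblocks it) is easy to model.  The following is an added example written for this page, not the commenter's code and not any real card's applet: a simplified `ChipPinVerifier` class whose retry limit, response codes and `issuer_unblock` method are assumptions made here to illustrate the behaviour described.  The one design detail worth noticing is that the try counter is decremented before the comparison, so interrupting the check part-way cannot be used to get an extra guess.

```python
import hmac
from typing import Optional

# Response codes the terminal sees.  Names are constructed for this model;
# note the terminal learns nothing beyond this one code.
PIN_OK = "PIN_OK"
PIN_WRONG = "PIN_WRONG"
PIN_BLOCKED = "PIN_BLOCKED"


class ChipPinVerifier:
    """Simplified model of a chip's offline PIN check (an assumption of this
    example, not a description of any real card's applet).

    - The try counter is decremented *before* the PIN is compared, so pulling
      the card or cutting power mid-check still costs a try.
    - A correct PIN restores the counter to its maximum.
    - Once the counter reaches zero, every further attempt is refused until
      the issuer unblocks the card (online verification or a new PIN).
    """

    def __init__(self, pin: str, max_tries: int = 3):
        self._pin = pin.encode()
        self.max_tries = max_tries
        self.tries_left = max_tries

    def verify(self, candidate: str) -> str:
        """Offline check of one PIN entry; returns only a response code."""
        if self.tries_left == 0:
            return PIN_BLOCKED
        self.tries_left -= 1  # commit the decrement first
        # Constant-time comparison so timing does not leak which digit differed
        if hmac.compare_digest(self._pin, candidate.encode()):
            self.tries_left = self.max_tries
            return PIN_OK
        return PIN_BLOCKED if self.tries_left == 0 else PIN_WRONG

    def issuer_unblock(self, new_pin: Optional[str] = None) -> None:
        """Only the issuer (after an online verification) resets the counter,
        optionally setting a new PIN at the same time."""
        if new_pin is not None:
            self._pin = new_pin.encode()
        self.tries_left = self.max_tries


if __name__ == "__main__":
    # Constructed sample: card PIN 4821, three wrong guesses, then an issuer reset
    card = ChipPinVerifier("4821")
    for guess in ("0000", "1111", "2222", "4821"):
        print(guess, "->", card.verify(guess), "tries left:", card.tries_left)
    card.issuer_unblock()
    print("after unblock:", card.verify("4821"))
```

The lockout is what limits guessing against a lost card to a handful of attempts, which is why the advice above to change your PIN and replace your card still matters: it is the issuer-side reset, not the chip, that ultimately decides when a blocked card becomes usable again.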