By Gemma Simpson, 1 February 2007 16:25
NEWS
A chip and PIN device is going nationwide this week which incorporates a magnifying screen that distorts the machine's keypad to prevent shoulder surfers stealing PIN numbers.
silicon.com readers were quick to share how they would build on this simple idea to make paying by card a whole lot safer.
Stephen Meredith, marketing director of IT security from York, said: "I think they should go the whole way and build private cubicles next to each checkout with armed guards."
silicon.com Public Sector
Get the latest public sector news straight to your inbox. Sign up for the PS newsletter today!
Nick Cole, a reader from Scotland, said society is over-dependent on chip and PIN technology and said it generates a false sense of security.
He added: "What is required is a mix of solutions to be taken together, some low-tech, some high-tech."
A novel suggestion came from Jonathan Baker, who said a better solution would be to get rid of the keypad and have a touchscreen that moves the location of each digit on the screen and an LCD with a narrow viewing angle so the customer can read the number - but a shoulder surfer could not.
Another reader said: "The only way to guard against fraud is to have the consumer authorise their day's purchases, online in a different session, via their online banking."
Greg Rozelle came up with a simpler low-tech suggestion. He said people should cover the chip and PIN screen with their hands and cards should ditch the magnetic strip.
Last year silicon.com reported on skimming - the major security weakness in bank cards associated with the magnetic strip.
Comments
There are 6 comments. Join the discussion
1. Philip Virgo
1) Whatever happened to digitised signatures - the arguments against them (false negatives etc. ) now appear to be trivial compared to those with the alternatives.
2) Role on the electronic spittoon, spit in the bucket for on-line DNA profiles
or, for the genteel, lick the one-time wafer and post it in the slot ...
But the old Notary Public rouines cannot be beaten - lick the stamp, stick it on and sign across it in the presence of a registered witness who takes unlimited liability - where is the up-to-date equivalent, recording and encrpyting the process for secure storage and transaction.
2. Stephen Meredith
Just in case anyone thought I was being serious my other suggestion was for retailers to adopt one of the many one-time PIN technologies that are available. Several major banks are now issuing tokens to customers that generate a new PIN every minute or so and there are also soutions which use mobile phones to do much the same thing. These are mainly intended for authenticating access to online bank information but it would be simple to extend the technology to authorising card transactions.
To illustrate the point - at the checkout the customer just needs to open their message box to extract their disposable PIN to use without worrying who is watching because the next time the card is used the PIN will be different.
3. Alastair Warren
On BBC Radio 4's Moneybox programme a few weeks ago, a spokesman for the banking industry said that the cards had to have the magnetic strip to adhere to some international standard on cards.
I guess having a UK variant of the standard, or a new UK one that didn't have the magnetic strip would is beyond the UK Banks?
So we have Chip and Pin Cards still vulnerbale to skimming, and garage forecourts that were always a problem area were allowed to install card readers that aren't tamperproof.
I am distinctly unimpressed. Chip and Pin looks like a big marketing push to me.
The failure to get this right by UK Banks has aided the criminals, and made their customers still vulnerable to fraud.
4. Yogesh Raja
Soon ID KEY system ill make fraud a thing of past. Identity fraud will continue to grow because we rely on signatures despite of knowing that in the event of crime they would not even expose person's gender.
To make signature reliable we should apply ID sticker (small sticker with person's photo and name printed on it) to the document and countersign.
Fraudsters can misuse victim's personal details but not their unique appearance (true identity or visible biometric)
Current signature system is like passports without photos and that is why it is so difficult to deter and prosecute fraudsters.
Banks say signature system is not good enough and hence implemented PIN system to conclude card transactions and yet rely on signatures on their other transactions like cheques, bankers' drafts, agreements, money withdrawal notes etc. Personalised signature system would have restored honesty with minimal effort, cost and delay as described on website www.xwave.co.uk
5. anonymous
I totally agree with Mr. Warren. The Chip & PIN people held up France as a shinning example - an 80% reduction in fraud. What they failed to tell us was that the French system was just that - French. French cards couldn't be used at any ATMs anywhere in the world, only in France.
Throughout the UK in the last four months card cloning and PIN harvesting has become a major industry. Chips work but only in a Chip environment - PINs unfortunately work anywhere, with a stolen or cloned card.
A crook with a stolen Chip & PIN card and valid PIN can hit shops or ATMs.
A crook with a cloned card and PIN can hit ATMs almost world-wide.
What can a crook with a stolen Chip & Signature card do. They can use that card in Chip compliant shop, but they have to face down shops staff - a deterrent. What they can't do, is get hard cash and this is what drives them.
Nope - I've binned my PINs - it's Chip & Signature for me.
6. Paul Clancy
The suggestion of the use of armed guards as a secure Chip & Pin alternatve shows the extent of the problem in retail Chip & Pin transactions. This is confirmed by this months issue to the retail industry of guidelines in respect of POS Chip & Pin transactions by ATMIA Debit Council but the fact that ATMIA are being involved shows the extent of the problem to the Banks who have to stand these fraudulent transactions.
At Visual Security Solutions Ltd in England we have patent pending status on 3 inventions that totally conceal the entry of a pin number into a retail POS Chip & Pin device and if these devices were used in retail outlets it would immediately totally eliminate the number of customers being targeted to obtain their pin number during a retail transaction as a prelude to taking money from their account after stealing their card.
What is ludicrous is that the Banks, MasterCard and Visa say that you must never carry your pin number or credit or debit card together to prevent both being stolen and yet this is what a customer at a retail outlet is expected to do and consequently they show to potential muggers that they have a card and disclose their pin number quite openly.
Paul Clancy - info@visualsecuritysolutions.com