By Andy McCue, 5 September 2005 17:20
NEWS Chip and PIN technology and ID cards will make it easier for criminals to engage in fraud and identity theft instead of tackling the problem, according to a leading criminologist.
Dr Emily Finch, researcher at the University of East Anglia, claims checkout staff in shops are less vigilant about transactions because of new anti-fraud technology, such as chip and PIN cards, and that criminals are exploiting this.
Research carried out by the university found criminals are 'shoulder surfing' customers as they type in their PIN numbers at the checkout and then stealing the cards, or using a stolen card by pretending to be a confused customer who has forgotten their PIN number so they are allowed to sign the receipt instead.
Finch and one of her male colleagues conducted an experiment by seeing how often they could shoulder surf customers' PIN numbers at a checkout and found it was easy to do. They also swapped each others cards to pay for goods and yet were never challenged over using a card that obviously belonged to someone of the opposite sex.
"One of the things we found quite alarming was how much the human element has been taken out of point-of-sale transactions.
"Point-of-sale staff are told to look away when people put their PIN number in - so they don't check at all," she told The Guardian.
Criminals would also find ways around biometric ID cards by exploiting this trust in technology to detect fraudulent transactions, according to the research.
"So fraud is actually easier. There is very little vigilance at the point-of-sale any more. Fraudsters know this and they are taking advantage of it," she told the newspaper.
Finch, who also conducted a series of interviews with 'career' criminals for the research, said they are increasingly making fraudulent credit card applications by gathering personal information on victims from publicly available registers and by trawling through bins for discarded bills.
Comments
There are 30 comments. Join the discussion
1. Graham Coles
... and signature verification didn't?
For an idea of how much signatures get checked, take a look at www.zug.com/pranks/credit.
2. Troy Hoskison
What a dumb report. Obviously a completely un-bias view here. Where is the comparision to the old signature system?
Chip and pin is not the end answer to fraud, it's a step forward. Yes people can 'shoulder surf' and then steal the card. This is still harder than just having to steal the card.
The checks are just as bad with the signature system, my signature has faded from my card, only 1 in 10 times am I questioned about it.
3. Derek Cullen
I could never see how a four digit number by itself could be secure. I still think it should be combined with a signature.
4. anonymous
I was told recently at a Post Office that I could use my partners credit card in her absense as long as I had the pin number!
5. Valentin Danner
I Find this study completely stupid. When we used to sign, it was very easy to reproduce the signature at the back of the card and make fraudulous transactions that way. Chip and PIN is not entirely safe, nothing is, but you really have to know the PIN code of the card to be able to use it. There might be some people organised to do this, but simply putting a hand on top of the machine when entering your PIN can prevent other people to see. This system has been used in France for years, and if I am not mistaken, there is less identity theft there than there was in the UK with the signing system....
6. Graham Beckram
I think this 'expert' has possibly missed the point - reporting your card stolen renders the card useless even with the pin, thereby preventing ongoing transactions, whereas a stolen signature card could be used beyond the theft as signature was on the card...
If the retailer then chooses to accept a card by another means other than chip and pin, e.g. they accept a chipped card with a signature, then they are liable for the fraud themselves, which puts pressure on them to not accept the card without the pin.
7. Ken Thompson
I have always wanted my cards stamped. "Not valid without photo ID".
At least criminals would have to fake an ID card. A double protection that would slow them up.
Better have a photo ID that has the chip and Pin and your ID must match your ID on the credit card.
8. Andy
A absolutely agree. Not only are the design of the terminals in favour of checkout 'queues' for shoulder surfing (surely this is where the main attack vector comes from, not from the cashier) - but Checkout queues are now more than often slow in the UK, leading to what i only suspect is queue rage etc etc.
Lets improve the terminals design and make processing faster - and then i'm all in favour.
9. Chris Warham
I could not agree more. It seems crazy to me that we are now being forced to type a pin in full view. In a busy checkout queue it is almost impossible to shield the keypad from anyone that chose to look.
Anyone with a phone camera could easily video the entry sequence and capture the pin via hand movements. A real step backwards.
Chris
10. anonymous
I think the easiest way to combat card fraud at the checkout is to have a photograph of the card user printed on the card itself. No need for biometric data gathering, no need for extra equipment at the checkout and not even any need to sign the receipt. All it needs is the person behind the till to use their eyes.
11. Lionel A Smith
I was waiting to pay for the purchase of a couple of packets of my wife's choice of sweetener in the precinct store of a national chain only recently.
The customer in front of me was paying by Chip and PIN card. The keypad was at above waist height and in an exposed position. I consciously looke away as she began entering her pin.
It would have been so easy for those with criminal intent to have noted the number and tailed her waiting for an oportunity to obtain card.
The risks are obvious and were pointed out to the till girl. Not that she is likely to have passed on my comments to higher authority.
On my next visit I shall make enquiries.
12. A.J.Craske
Since getting her C&P number earlier this year my wife has experienced nothing but frustration with the readers not working properly- and this not with corner shops but major retailers.
Typical response is 'Have you another card because our machine doesn't like this one' to 'Our readers never work properly so we always get customers to sign'.
Yesterday, as I leaving a shop, I suddenly realised that I hadn't signed the slip - because Company Barclaycards don't yet have this facility. The assistant said 'I'm always doing that because now people C&P I forget to ask them to sign!
13. Malcolm A Ripley
I have always found it astonishing that people think that a readable signature on the back of card which a thief can copy with half an hours practice is MORE secure than a pin number on a chip ?
How ? Please somebody tell me HOW!
If chip and pin at tills is unsecure then so are all the cash machines that we have been using for years. In fact cash machines are less secure than the till due to the ability of thiefs to add a false front to the machine.
The article is so stupid quote : "or using a stolen card by pretending to be a confused customer who has forgotten their PIN number so they are allowed to sign the receipt instead."
Which is exactly the same situation as a pre chip and pin card DUH!
I am slowly coming to the conclusion that those against chip and pin are too stupid to remember a 4 digit number but are obviously too embarrased to say so. (Point to note I have never seen an elderly person forget their pin only folks in their 30's and 40's)
If you really want a secure card then support ID cards which have a range of identities including a photo. If we used an ID card then the thief would have to put on a disguise before shopping!
14. Roger Huffadine
The Information Commissioner and BACS don't care what you think of Chip and PIN.
They admit, in writing, that they are not able to enforce their own guidelines on the use of Chip and PIN and I have a letter from the IC telling me that stealing a PIN number is not an offence.
The short version, reading between the lines of the many letters that I have received,
"Go away and stop bothering me - and if you don't like Chip & PIN cut your card up."
15. anonymous
The pin pads are supposed to be positioned so that it is more difiicult to 'shoulder-surf'. We have been using ATMs for years in the UK and so this is just the same risk. With Signature verification, the signature is on the card so the fraudster doesn't even have to look over your shoulder. Chip and PIN is not going to solve all card fraud - but it is a step in the right direction and is going to make it more difficult to copy cards.
16. DP
Hardly Surprising
Chip & Pin has very little to do with security
It was introduced to shift the responsibility for fraud away from the Banks
17. DP
Malcolm: The point isn't that a signature is more secure - its that if someone forged your signature you had some chance of proving that's what happened - if someone sees your PIN it must be your fault so the Bank will refuse to pay up
18. Mike Poole
I used to have Royal Bank of Scotland card which had my photo on the back of it. Surely that would be a great complement to Chip & Pin on credit cards?
19. anonymous
Signatures clearly weren't checked... someone I worked with used his wife's card (and she used his) for several months before anyone noticed the genders and signatures didn't match the user! And supposedly with chip-and-PIN the vendor doesn't even need to look at the card at all. For instance at the Post Office the reader is my side of the security screen.
20. Tim Jeal
Lack of checking is not a new thing, I remember having my wife's switch card with me (after a day out when she didn't want to acrry her handbag).
I paid for a meal at a pub near work, gave them the wrong card, signed it with my name (sure, the surname matched but it looked nothing like my wife's signature) and it wasn't until I was putting it back in my wallet having left the pub that I noticed it was the wrong one.
No-one else noticed as the money was debited from my wife's account without any problems.
21. David Priddy
Don't believe the hype about Chip & Pin being about protecting us from fraud. It's purely about protecting the banks from fraud because now the retailer is responsible for any costs if they take a card without the pin whereas before it was the bank who was responsible for refunding the cardholder.
And regarding the comment about stamping the card as not valid without photo ID - my American friend actually has 'Please ask for photo ID' written in the sig box on her cards, yet when she visited the UK for 2 weeks she was never asked once by any shop clerk. If the shops don't train their staff correctly and the staff don't do their jobs then how can any system really work?
22. Richard Geraghty
I agree. chip & pin is no more or less secure than verification by signature. However, the only certainty is that if someone has your card and pin then there is no possability of them being queried about their right to use the card. A pilot scheme run in the North/West of Scotland required that tumbprints were inked on the back of each visa reciept. This assisted with prosecution in the case of credit card theft. this was dropped because members of the public claimed this was an infringement of their civil rights.
In my simple minded view this appeared to be an ideal scheme.
23. anonymous
I regulary use the company debit card which has my wifes name on it and no-one has ever questioned me so PIN is rubbish security.
24. anonymous
Finally an expert says it is increasing the risk of security for the man or woman on the street, this is precisely what many of us said before the chip and pin system was pushed through into general use. What concerns me also is that some young woman or old age pensioner may then be mugged by one of these shoulder serfers for their card as they leave the stores.
Personally I believe strongly that you had more time to stop the fraudulent use of a stolen card while the theif was practicing copying the signature, vital moments that make the difference between you having money in your account and losing every penny.
25. Simon
Graham Beckram hit the nail on the head : "If the retailer then chooses to accept a card by another means other than chip and pin ... then they are liable for the fraud themselves, which puts pressure on them to not accept the card without the pin."
So the bank neatly shift the problem to the retailers - so as far as they are concerned the problem is solved. It doesn't matter if it's more or less secure than a signature, it solves the banks problem.
26. Parveen Kumar
Whoever says signatures are secure.
Ever thought that you dont even need to match the signature on the stolen card, just erase the old signature and sign it as your own. So it becomes your card. Viola!!
27. Paul Tansom
Perhaps this issue is more about feeling less secure than being less secure. In practice I agree that the primary motivation for the change was probably shifting the liability from the banks to the retailers.
Personally I feel less secure using a PIN number. I feel very uncomoftable typing the PIN in, and have seen a number of PINs typed in for the cash back! If you are 'shoulder surfed' and have your card nicked then the thief can be spending within minutes. Personally I have been challenged to redo my signature several times, so it seems that the problem of poor validation by the retailer has been addressed by a system that requires validation by something that is easier to fake (if you get it).
I am getting an increasing urge to change my PIN on a regular (weekly at worst) basis, which leads to me forgetting it or spending time trying to remember and having the input time out. Queues seem slower now, and I have had a number of checkout assistants comment that they are seeing many more people using cheques than they used to!
28. Joel Watson
heh... I have used my Girlfriend's chip and pin card at least once, some regularly in every supermarket within 10 miles of my home. Just to clarify, I am male. I also have a big bushy beard. The forename on the card is Rachael. one look, thats all it would take.
Chip and Pin is a joke.
29. anonymous
I am an intgelligent person with an IQ of almost 160 so maybe I am alone in this, I don't know. I do not work in security in way shape or form but I KNEW right from the start that chip and pin technology is USELESS. I find it incredible however, that the so called experts are only now bleating about how chip and pin has made things worse, where were their voices BEFORE it was all rolled out? The whole sorry mess is pathetic. I am well aware that when I put my pin No. in at a till, ANYONE can see what I am doing!
30. anonymous
The whole point is that cashiers MUST be made more vigilant, NOT less by introducing such as chip and PIN ... hey .. there's only 10k combinations of (memorable!) numbers ... my signature is not so memorable, and with staff being more vigilant, the sig is more easy to 'forge' than a four digit number.
1234 ... there ... this 'could' be my number ... now go away ... and even in 24 hours time, you will still be able to remember it ... if you're a 'villain' with a number of cards / copied or otherwise, then you just enter the store with whatever cards PIN you're going to be using ...
It's just too easy to fraudulently use this 'new' (going back in time if you ask me ... just place your X here!) technology.