A Conversation for Ask h2g2

Chip 'n' Pin safe?

Post 41

RadoxTheGreen - Retired

I heard that someone had their card snatched from the card reader in Burtons the other day. The thief was watching as the number was punched in - he got away and drew out £500 before the card could be blocked.


Post 42

Dogster

The moral of the story: put your hand over the keypad while you type your PIN. It seems sort of silly and almost rude at first (like you're accusing the people around you of being thieves), but after a few times it becomes quite natural.

Oh, and keep an eye on those pesky cabbits, if you so much as look away for 5 minutes they've eaten up all the carrots.


Post 43

U1250369

Did you mean rabbits? smiley - bunny


Post 44

Special Agent Poops

Dogster might have meant "cabbies". You know how mad they are about carrots! Next time, leave one as a tip!

While I was serving at the checkout the other day, a man went to enter his PIN, but seeing that the guy next in the queue was a bit too close, very bluntly told him to "Back off"! I was thinking uh-oh here we go... but the guy complied.


Post 45

RadoxTheGreen - Retired

No he meant CABBITS (of which I am the keeper), as in smiley - cat + smiley - bunny
Suggest you watch Tenchi Muyo / Tenchi Universe and all will be revealed.
More info here:
A851140
A3235781


Post 46

Crescent

The real trouble seems to be that the shop computers not only store the needed info to conduct a bank transaction, but also store your PIN number. It is encrypted, but the encryption keys are also on the shop computer - so it is one easy hack, or rob, and then you have a shedload of account details and PIN numbers. You then create your own card with all the relevant details and go to any ATM and clean out the people who believed chip'n'pin meant more security...
BCNU - Crescent


Post 47

Whisky

"The real trouble seems to be that the shop computers not only store the needed info to conduct a bank transaction, but also store your PIN number"

smiley - erm Got any links to confirm that?


Post 48

IctoanAWEWawi

Chip and pin helps reduce card fraud:

http://news.bbc.co.uk/1/hi/business/4779314.stm
"chip-and-pin system cut...card fraud by 13% in 2005, according to ...Apacs...Losses due to the fraudulent use of credit and debit cards fell last year by £65m to £439m"

Unless of course someone hacks the shop computers:

http://www.theregister.co.uk/2006/03/13/citibank_fraud_follow-up/
"An ongoing ATM fraud problem that forced Citibank into reissuing an unspecified number of US credit and debit cards
Citibank said it blocked PIN-based transactions of Citi-branded MasterCard cards in the UK, Russia and Canada to protect US customer accounts
Litan, by contrast, suggests the theft of PIN data is the more likely cause of the security flap
Gartner believes that these combined bank actions reflect the largest PIN theft to date — and point to a new wave of 'PIN block' card fraud," Litan writes. If hackers broke into retailer servers and steal PIN blocks that represent encrypted PIN data as well as terminal encryption keys (typically stored on retailers' terminal controllers), they might be able to determine a cardholder's PIN and create counterfeit cards that enable them to withdraw cash at ATM machines."


Post 49

Whisky

"Litan, by contrast, suggests the theft of PIN data is the more likely cause of the security flap
Gartner believes that these combined bank actions reflect the largest PIN theft to date — and point to a new wave of 'PIN block' card fraud," Litan writes. If hackers broke into retailer servers and steal PIN blocks that represent encrypted PIN data as well as terminal encryption keys (typically stored on retailers' terminal controllers), they might be able to determine a cardholder's PIN and create counterfeit cards that enable them to withdraw cash at ATM machines."

Hmm, can't say I'm convinced by that argument...

Firstly, it would mean that the hackers would have to break into two separate computer systems (that don't even exist in the vast majority of smaller retail outlets).

Personally I'd be more worried about ATM-based card skimming/PIN theft.




Post 50

IctoanAWEWawi

"that don't even exist in the vast majority of smaller retail outlets"
Well I guess that'd mean they'd target the big retailers that do have them. And, by definition, would have a lot more PINs on them too.

smiley - shrug
It's possible. Someone will give it a go if they haven't already.

"would have to break into two separate computer systems"
Not sure what you mean? And don't forget, by 'break in' or 'hack', they probably mean 'have an insider get the access details' in most occasions.


Post 51

Whisky

The way the system physically works in France with Chip & Pin systems is that the terminals themselves are connected to a phone line...

When you put your pin in, if it's for over a certain total (or you've spent too much this month) the terminal itself rings up a central control to check your card's validity, otherwise it just stores the transaction details...

In larger stores it is also linked to the EPOS (till) computers, so it'll transmit the card number and amount to the till.

So, the card number itself is relatively easy to get hold of if you're an insider... Just print out a summary of all transactions during the day from the terminal (the system purges itself at three in the morning when it uploads all daily transactions to your bank's computers). Alternatively, the card numbers will all be in the store's till computers... Unfortunately, if any PIN numbers are actually stored then they'll only be stored within the terminal itself, which doesn't have the facility to print them out, won't answer an incoming phone call and is not the easiest thing in the world to hack.

Anyone trying to get into a store's computer system will be trying to hack into a PC-based network system, but someone trying to get into a card terminal is trying to hack into a secure, proprietary, non-PC based computer system with no direct access from the outside world - Good Luck!


Post 52

IctoanAWEWawi

Well, thanks for putting me onto an interesting half hour or so of reading!
I've just been skimming the security protocols and process for PIN authentication by Chip and Pin as specified by EMVco.

But basically, although what you posted may well be true for France, it isn't for the UK or indeed most of Europe (or anyone using EMVco).
The keypads/terminals and the software they run, and the encryption routines used are not proprietary. There are companies that make the units and they all have to conform to very tight security standards. So we are not talking one retailer/one solution.

A system not being PC based is not a deterrent to hacking. Indeed, almost any system you care to mention that is worth hacking, isn't based on PCs - or even wintel.

The card, the keypad, the terminal and the bank system are all accessible from the outside world. That access is protected. But it is there. And it is two-way traffic so commands can be sent to alter or query each part of the system.

Into all this you have to plug the idea that the actual software behind all this is written by people who did not design the system. It will have bugs. There's a lot of power to the card reader/terminal.



Post 53

Lady in a tree

My shop has a chip and pin terminal that is connected to a phone line. When a customer puts the card in the machine I then have to enter the amount and hand the machine to the customer who then puts their PIN in. If the PIN is correct the terminal says it is accepted, it then dials the bank, sends the info and we wait for an authorisation code. This all takes about 20-30 seconds. We don't store any information as far as I know.

I have been in some stores where the whole process only takes 5 seconds and I wonder whether these are the ones who don't wait for authorisation?


Post 54

Whisky

Lady, it's generally up to the individual retailer and their bank to negotiate the threshold figure at which the terminal will require authorisation... A lot depends on what sort of business you're doing.
(Oh, and debit (switch) cards are automatically verified by telephone).




Post 55

IctoanAWEWawi

There's more than one level of authorisation. Some authorise in the keypad, some in the terminal and some at the bank. It depends on how it is set up and also depends on the transaction and how it fits the card user's profile.

