Bob Howard
Reporter, Money Box
|
Chip-and-pin terminals can be compromised by determined fraudsters
|
Criminals are tampering with chip-and-pin terminals in shops to steal customers' bank card details, Radio 4's Money Box programme has learned. The problem has led the bank cards industry to issue guidelines to retailers. The British Retail Consortium says it believes stricter security has eliminated the problem. The UK bank cards industry however believes this sort of fraud is continuing despite the new measures. Bogus engineers The British Retail Consortium and the UK Payments Administration both told Money Box they had heard of instances of criminals dressing up as engineers and entering shops, asking to examine chip-and-pin terminals.
They then take one away to be 'repaired', but instead they alter it so it can record the pin and card details of all future customers who use it. The fraudsters cannot create a new chip-and-pin card, but they can use the details to create their own magnetic stripe bank cards to use in countries abroad which do not yet have chip-and-pin. Steven Murdoch, an expert on chip-and-pin at The Computer Laboratory at Cambridge University, told Radio 4's Money Box the terminals could be successfully tampered with by a criminal with the right technical knowledge: "It's certainly possible to take one of these chip-and-pin terminals and add some extra electronics or software which will give the person who has corrupted it a copy of the card details and the pin." Criminal gangs He told the programme criminals had stolen details this way from customers at petrol stations and in shops: "Criminal gangs are very interested and have been very successful in doing so." Last year UK Payments Administration issued guidelines to retailers to try to stop the problem. They include making sure any "engineers" who arrive to fix chip-and-pin terminals show ID and that any work on them has to be approved by senior managers.
The British Retail Consortium told Money Box that these measures had now sorted the problem out. But the UK Payments Admininstation does not believe that to be the case. It has issued a string of guidelines to retailers including recommending security checks for anyone they employ to prevent staff colluding in chip-and-pin fraud. Even so, a spokesman admitted this week that tampering was still an ongoing problem. Weighing terminals Steven Murdoch from the Cambridge Computer Laboratory believes the only way even retailers can tell if a terminal has been tampered with is to weigh it to see if any device has been added. "There's really nothing a customer can do because a compromised terminal will look exactly that same as a normal terminal. There's really no one to protect the customer."
BBC Radio 4's
Money Box
is broadcast on Saturdays at 1200 GMT, and repeated on Sundays at 2100 GMT. Download the
podcast.
|
Bookmark with:
What are these?