19 December, 2004: Remember, a bad idea isn't just for Christmas

[ Home page | Web log ]

... with careful planning, it can last for the whole of the rest of your life. As a break from bloody ID cards, I'll draw your attention to yet more dreadful stuff in the media about Chip and PIN. Yesterday's Telegraph reported Ross Anderson's refusal to use a PIN for credit card transactions, on the familiar grounds that doing so doesn't offer the customer any protection from credit card fraud and leaves them more vulnerable to cash machine fraud. In the Telegraph piece he also notes an elegant attack which can be used by criminals to avoid having to use the (difficult-to-copy) smart chips on the cards to steal money from banks:

... He said that smart cards from Britain would end up in America, which does not use them, while stolen American cards without smart chips would appear in Britain, where readers would still be able to process old-fashioned cards.

Ross was interviewed on PM yesterday evening on this topic, and the BBC, as ever using balance as a proxy for impartiality, followed this interview with an opportunity for response by Chip and PIN, a propaganda outfit set up by the banks. The spokesperson, one Sandra Quinn, was interviewed (confusingly) by the BBC's Carolyn Quinn: (errors in transcription are mine, but I've tried faithfully to reproduce the errors of diction, grammar, logic etc. of the interviewee)

CQ: Well, let's hear now from Sandra Quinn, who's spokesperson for Chip and PIN, that's an organisation that's acting for the retail and banking industries. Um, Sandra Quinn, what about those concerns raised by Professor Anderson? People are already feeling a bit wary of having to tap in their PIN numbers in front of other people; isn't this just going to increase their concerns?

SQ: I'm very surprised that somebody of Ross Anderson's capabilities and reputation is saying such a load of tosh, to be honest. The equipment....

I thought it was nice of Sandra to get her personal attack in early in the piece. Start as you mean to go on, that's what I say.

CQ: Well, why is it tosh?

SQ: The equipment that we're using for chip and PIN has gone through a... a very severe accreditation process. It's extremely robust. The equipment that has been used in supermarkets; the equipments [sic.] that have been made at... used at small independent retailers... all those independent retailers are getting their equipment direct from their banks....

Banks, after all, never screw up security-wise, so obviously the equipment they supply will be completely immune to any type of fraud.

CQ: Well, weren't the same things said about cashpoint machines, and, err... we hear tales now about how they can be defrauded: cameras, and pictures taken, and people slotting things in. So, the, uh, professor's point was that smaller retailers, perhaps, could... could use fake machines or could find some way of getting hold of PIN numbers.

SQ: No, we don't think they can use fake machines, because the machines themselves are engineered to read the chip, so they... must be reading the chip very carefully, and that's... makes the... transaction itself extremely secure. What you will find is that this is an additional level of security to what we already have. As you said in the report yourself earlier, this is much safer than signature, because at the moment all somebody needs to do is to find our... card, learn our signature a couple of times, and start using it. You're not going to be able to have that in the new Chip and PIN environment at all.

I am glad to see that we are protected by the sophisticated security measure of, err, reading the chip very carefully. There was I thinking that we were protected by the Magic of Cryptography.

Possibly what she was trying to say was that only certified equipment may be used with the Chip and PIN cards and that (presumably) a thief's fake machine would not be so certified. Even if true this would be irrelevant, of course, because certified equipment can always be modified; or a dishonest employee could surreptitiously swipe your card through a separate reader -- to copy the magnetic stripe -- while watching what you type into the keypad, with no fakes or modifications required.

Sandra Quinn's answer here is an illustration of a useful technique. While Carolyn Quinn asked about vulnerabilities of the PIN-entry process in general, she also made the mistake of naming a specific example against which her interviewee was able to argue in detail -- perhaps not convincingly, but more easily than arguing against the proposition that crooks might find, ``some way of getting hold of PIN numbers.''

You can see something similar at work in the second part of her statement. It is true that a thief who takes a Chip and PIN card is unlikely to know the PIN for it and therefore would not be able to use it as easily as they would a card with a signature. (As I've remarked before, this isn't what matters from the cardholder's point of view, since they are insured against loss by the issuing bank. But obviously the bank cares how much it has to pay out, and it can limit this amount either by reducing the number of frauds which occur, or by refusing to pay out the compensation.) What I don't know is how much card fraud follows this pattern. It's certainly not the only way that a crook can steal money using a stolen credit card, and I'd be surprised if it were the predominant way. Yes, Chip and PIN does stop this attack. But there are lots of others it doesn't stop, and new ones it creates. Ms. Quinn mentions this case only because it is easy to argue.

CQ: But won't criminals still be able to clone cards, send them to the United States or other countries perhaps, where they still use magnetic-strip cards?

SQ: They will still be able to do that, there's in moderation. [sic. -- I have no idea what that bit was supposed to mean, actually] But what countries who are not going to be using Chip and PIN in the first moment are saying, well, they don't have card fraud.... [ cut various like waffle ]

I'm not really sure whether Sandra Quinn is really claiming that the countries which have not yet adopted Chip and PIN do not suffer from card fraud, but obviously they do. (The rest of the piece was so feeble I couldn't face transcribing it, so you'll have to trust that I haven't quoted the above out of context.)

Actually the whole interview was extremely poor; Carolyn Quinn made a good stab at asking the right questions, but as ever the interviewee wriggles off the hook, though is made to look rather silly. If you listen to the Today Programme you'll hear much the same thing from Cabinet ministers, and I suppose spokesperson for an industry lobby group is much the same sort of job. (As an aside, the interviewee's full glorious incoherence was only made fully obvious once her words were transcribed and written out in full; doing so is a little time-consuming, but a useful exercise. Mark often does much the same on his Spy Blog. No doubt your or my conversation would look just as ill-structured if written down and presented in this format, but hey, I'm not paid to be spokesperson for the government or for a cartel of financial institutions -- and neither, I suspect, are you.)

Of course, media idiocy on this subject isn't confined to interviews. Consider this absurd press release reprinted by Silcon.com, in which we are reassured that there is no risk of robbers `shoulder-surfing' (that is, watching customers typing in their PINs and memorising them) and then mugging those same customers to obtain their cards:

``Someone who sits in their bedroom counterfeiting cards is not going to go out into the streets mugging old ladies,'' [Gary Hocking, `director of chip and PIN implementation at APACS'] said.

I think all I can do here is to express surprise that the credit-card-fraudster demographic has been so exactly characterised. Probably next week they'll be hailed as the new hope for a Tory revival.

Happy Christmas, everyone!

Copyright (c) 2004 Chris Lightfoot; available under a Creative Commons License.