Page last updated at 10:06 GMT, Wednesday, 13 August 2008 11:06 UK

Device 'steals chip-and-pin data'

Victims of card fraud should be refunded by their bank

Police are warning that a way has been found to hack into chip-and-pin readers to steal customers' details.

Specialist police raided a counterfeit card factory in Birmingham on Tuesday and found equipment needed to steal details and make fake cards.

Chip-and-pin technology has regularly been hailed as a success in reducing card fraud on the UK High Street.

Two people have been charged with conspiracy to defraud after being arrested in connection with the raid.


Speaking in general, Det Ch Insp John Folan, of the Dedicated Cheque and Plastic Crime Unit, said that chip-and-pin terminals that have been hacked into have been found in 30 shops in the UK.

Customers should be assured that UK retailers always take the protection of cardholder data seriously
Jane Milne, British Retail Consortium

He told the BBC that it was "a game of cat and mouse" between police and fraudsters, but one that was being tackled early by the authorities.

Thieves can steal the card readers and install a hidden device which logs information when a customer enters their pin number.

The reader is then put back in a shop, supermarket or petrol station, sometimes with the collusion of a member of staff.

Fraudsters can then use the information to create fake cards to withdraw cash in countries where chip-and-pin has yet to be introduced.

Apacs, the UK Payments Association, said that over the past three years losses on face-to-face transactions on the UK High Street fell from 218.8m in 2004 to 73m last year owing to the introduction of chip-and-pin.

But fraud overseas increased by 77% last year to 208m, 39% of total UK card fraud. Banks throughout Europe have agreed to bring in chip-and-pin cards by 2010.

Police want to hear from any retailer who has had chip-and-pin readers stolen or believe their machines have been tampered with.


"Customers should be assured that UK retailers always take the protection of cardholder data seriously and are continuing to invest millions of pounds to enhance existing security measures," said Jane Milne of the British Retail Consortium.

Apacs says that chip-and-pin remains the safest method of payment for goods and services but was never claimed to be foolproof. The Banking Code should ensure that any victims are refunded for any losses.

Banks usually refund money stolen from a victim's account by fraudsters, but there is a question of liability if customers have given away their pin number.

Security expert, Andrew Goodwill, from the Third Man group, said this was the first evidence of a breach of the chip-and-pin system, with the encryption of the chip having been broken.

An Apacs spokesman said that inquiries were ongoing to establish how the hidden devices logged pin numbers.

In the Birmingham raid, police discovered chip-and-pin terminals, card account numbers, a card writer and computer software.

Police said that these details could be used to create fake cards "on a massive scale".

The BBC is not responsible for the content of external internet sites

Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit


Americas Africa Europe Middle East South Asia Asia Pacific