Page last updated at 13:17 GMT, Saturday, 2 January 2010

Threat to chip-and-pin terminals

Bob Howard
Reporter, Money Box

chip-and-pin terminal
Chip-and-pin terminals can be compromised by determined fraudsters

Criminals are tampering with chip-and-pin terminals in shops to steal customers' bank card details, Radio 4's Money Box programme has learned.

The problem has led the bank cards industry to issue guidelines to retailers.

The British Retail Consortium says it believes stricter security has eliminated the problem.

The UK bank cards industry however believes this sort of fraud is continuing despite the new measures.

Bogus engineers

The British Retail Consortium and the UK Payments Administration both told Money Box they had heard of instances of criminals dressing up as engineers and entering shops, asking to examine chip-and-pin terminals.

Criminal gangs are very interested and have been very successful in doing so.
Steven Murdoch, The Computer Laboratory, Cambridge University

They then take one away to be 'repaired', but instead they alter it so it can record the pin and card details of all future customers who use it.

The fraudsters cannot create a new chip-and-pin card, but they can use the details to create their own magnetic stripe bank cards to use in countries abroad which do not yet have chip-and-pin.

Steven Murdoch, an expert on chip-and-pin at The Computer Laboratory at Cambridge University, told Radio 4's Money Box the terminals could be successfully tampered with by a criminal with the right technical knowledge:

"It's certainly possible to take one of these chip-and-pin terminals and add some extra electronics or software which will give the person who has corrupted it a copy of the card details and the pin."

Criminal gangs

He told the programme criminals had stolen details this way from customers at petrol stations and in shops:

"Criminal gangs are very interested and have been very successful in doing so."

Last year UK Payments Administration issued guidelines to retailers to try to stop the problem.

They include making sure any "engineers" who arrive to fix chip-and-pin terminals show ID and that any work on them has to be approved by senior managers.

There's really nothing a customer can do because a compromised terminal will look exactly that same as a normal terminal
Steven Murdoch, The Computer Laboratory, Cambridge University

The British Retail Consortium told Money Box that these measures had now sorted the problem out.

But the UK Payments Admininstation does not believe that to be the case.

It has issued a string of guidelines to retailers including recommending security checks for anyone they employ to prevent staff colluding in chip-and-pin fraud.

Even so, a spokesman admitted this week that tampering was still an ongoing problem.

Weighing terminals

Steven Murdoch from the Cambridge Computer Laboratory believes the only way even retailers can tell if a terminal has been tampered with is to weigh it to see if any device has been added.

"There's really nothing a customer can do because a compromised terminal will look exactly that same as a normal terminal. There's really no one to protect the customer."


BBC Radio 4's Money Box is broadcast on Saturdays at 1200 GMT, and repeated on Sundays at 2100 GMT. Download the podcast.



Print Sponsor


Money Box


SEARCH MONEY BOX:
 

Podcast

Download or subscribe to this programme's podcast

Podcast Help



RELATED BBC LINKS

RELATED INTERNET LINKS
The BBC is not responsible for the content of external internet sites


FEATURES, VIEWS, ANALYSIS
Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit

BBC iD

Sign in

BBC navigation

Copyright © 2018 BBC. The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.

Americas Africa Europe Middle East South Asia Asia Pacific