PIN Flaws

by msecadm4921

PINs are no longer fit for purpose in the modern world, according to Jonathan Craymer, chairman of authentication product firm GrIDsure:

Every day there appears to be another instance of credit card con taking place. Just this week, Dame Joan Bakewell became a victim of fraud when a cash machine she was using was targeted by shoulder surfers using a ‘Lebanese loop’. So why is anyone surprised at what was practically inevitable from the word go with credit cards using PINs? The whole system is flawed because these fixed codes, or ‘Pretty Insecure Numbers’, are so easily captured by criminals in all kinds of ways, from tampered key-pads in garages to direct extraction en masse from banks’ databases in far-flung parts of the world, and not forgetting good old shoulder-surfing.

Another flaw with PINs is that they were never intended to be used online, in case it allowed them to fall into the wrong hands, which means that the £1.1bn Chip & PIN system rolled out in Britain in 2006 simply isn’t ‘fit for purpose’ in a world which is increasingly turning to e-commerce.

So what are the alternatives to the system we already have? Clearly there is a strong case for one-time codes for use with cards and these would be more secure, as the code could not be used again, even if criminals got hold of them. APACS and some of the banks have already given their support to calculator-like devices to create such one-time codes for online banking, and it’s our understanding that this system may be extended to allow card users to make online purchases.

However, using a device such as this could open up another whole raft of problems. If criminals can get hold of card-holders’ PINs – which the RSA report clearly indicates is happening more and more – then, armed with the code-generating devices helpfully provided by the issuers (which apparently work with any card), crooks will also be able to make online purchases. At the moment they can only make fraudulent purchases over the counter or take money out of ATMs when the stolen or cloned card is present, but if APACS’ idea of using sleeve readers comes to pass, they’ll be free to go online with those cards as well. How secure or well thought out is that?

In our view we need a revolutionary, not evolutionary, approach to the problem. The whole system needs to be overhauled, rather than trying to patch up a leaking boat. It would be a simple operation to replace all fixed PINs with software-based one-time codes – without the need for expensive, inconvenient additional hardware. By doing this they can use their existing investment in hardware and, while they’re doing this, with a single stroke the issuers could create a single card-user ID system to replace both Chip & PIN and 3D-Secure (Verified by Visa and MasterCard SecureCode) – making life a lot easier for card holders and harder for crooks.

Clearly banks were trying to create a stronger system than signatures, and probably sold it to themselves and the retail industry by arguing that with codes (that only the user could possibly know) it would shift more responsibility for fraud on to card holders’ shoulders. But this idea is backfiring badly and needs to be revised without delay, before the levels of fraud get out of hand.
