Chip and Sin

Over at the Kitchen, DK not only refrains from his usual line in invective but relates a rather disturbing story about the use of Chip and PIN cards, one which resulted in this statement being made by a senior member of staff in HBOS’s retail banking division…

Up to 40 minutes after any Chip & PIN card transaction, the retailer may access your confidential details [this includes your card number and your PIN number] and submit any number of further transactions without your presence or consent. This is perfectly legal practice. The onus is then on the customer to challenge these subsequent transactions with their bank, once the customer actually becomes aware of them.

I beg your pardon?

DK has the full backstory to this, which started out innocently enough with a cock-up at a petrol station but which goes on to raise some fairly serious question marks over whether the Chip and PIN system is quite as secure as the public have been led to think.

One thing that isn’t clear from DK’s article, as I suspect the explicit question wasn’t asked, is quite what HBOS means when it states that ‘the retailer may access your confidential details [this includes your card number and your PIN number]’.

Do they mean access in the sense of being able to pull up a transaction screen in which this information is already inserted in the relevant place, albeit obfuscated by a row of asterisks, much as a web browser does when it autofills a saved password to spare you the bother of typing in [and remembering] your password for logging in to something like Gmail or Hotmail? Or are they actually saying that this information is revealed to the retailer in a transcribable form which could be written down and used at a later date?

One would certainly hope that we’re talking about the former, but can one really be sure?

Second, there is the whole business of the retailer being in a position to submit further transactions using your card details, for up to forty minutes, without you being present or even knowing what the hell they’re up to. The potential for fraud in this should be fairly obvious to anyone, and it rather makes a mockery of the claim that Chip and PIN transactions are much more secure than the old-style swipe-and-sign way of paying for your shopping.
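If a bank or acquirer wanted to spot this kind of follow-on activity itself, rather than leave the onus on the customer to notice it on a statement, the check is not complicated. The following is an added example, not code from the original post, from DK or from HBOS: it scans a constructed transaction log and flags any transaction with no cardholder verification that the same terminal submitted for the same card within forty minutes of a PIN-verified one. The record layout, the field names, the terminal and card identifiers and the sample entries are all assumptions made up for the illustration; real acquirer logs will look different.

```python
"""Flag retailer-submitted follow-on transactions within 40 minutes of a
PIN-verified transaction on the same terminal and card.

Added example, not from the original post.  The record format
(timestamp, terminal_id, card_token, amount_pence, cvm) and the sample
log below are constructed for illustration.  'cvm' is the cardholder
verification method: 'pin' means the customer entered their PIN, 'none'
means nobody verified the cardholder was present.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=40)

# Constructed sample log (assumed format): one PIN-verified purchase at
# terminal T-9001, then two further transactions from the same terminal
# on the same card with no PIN, the second of them outside the window;
# an unrelated PIN-verified purchase elsewhere; and a no-PIN transaction
# on a different card that was never PIN-verified at that terminal.
SAMPLE_LOG = """\
2007-06-12T08:01:00,T-9001,tok_a1,4500,pin
2007-06-12T08:15:30,T-9001,tok_a1,1200,none
2007-06-12T08:50:00,T-9001,tok_a1,300,none
2007-06-12T09:10:00,T-4420,tok_a1,1599,pin
2007-06-12T08:20:00,T-9001,tok_b7,2000,none
"""


def parse_log(text):
    """Parse the constructed CSV-style log into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, terminal, card, amount, cvm = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "terminal": terminal,
            "card": card,
            "amount": int(amount),   # pence
            "cvm": cvm,
        })
    return records


def flag_followons(records, window=WINDOW):
    """Return the non-PIN transactions that follow a PIN-verified
    transaction for the same (terminal, card) pair within `window`.

    Each flagged record carries 'anchor_ts', the time of the PIN-verified
    transaction it is chained to, so an analyst can see the original
    purchase the retailer is trading on.
    """
    by_key = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        by_key.setdefault((r["terminal"], r["card"]), []).append(r)

    flagged = []
    for txns in by_key.values():
        last_pin = None
        for r in txns:
            if r["cvm"] == "pin":
                last_pin = r            # a fresh PIN entry opens a new window
            elif last_pin is not None and r["ts"] - last_pin["ts"] <= window:
                flagged.append({**r, "anchor_ts": last_pin["ts"]})
    return flagged


if __name__ == "__main__":
    for f in flag_followons(parse_log(SAMPLE_LOG)):
        mins = (f["ts"] - f["anchor_ts"]).total_seconds() / 60
        print(f"{f['ts'].isoformat()} {f['terminal']} {f['card']} "
              f"{f['amount']}p no-PIN, {mins:.1f} min after PIN transaction")
```

The rule is deliberately narrow: it only chains a no-PIN transaction to the most recent PIN-verified one on the same terminal and card, so a genuine second purchase where the customer re-enters their PIN starts a new window rather than being flagged, and a no-PIN transaction on a card that was never PIN-verified at that terminal is left to other controls.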

Third, given that retailers have this kind of access, and that your card details are either stored or still accessible locally for forty minutes after your original transaction, one has to wonder exactly how secure the equipment is in terms of the potential for tampering. Is it yet possible for an electronic reader to be attached to a Chip and PIN terminal in such a way that the stored or accessible card information could be downloaded from the terminal to an external storage device?

If this hasn’t already been done, then you can bet that it will be in the not too distant future. Long experience makes it obvious that no matter how secure you think a particular system is, someone, somewhere, will eventually crack it, and in the case of Chip and PIN, with supermarkets making increasing use of ‘self-service’ checkouts, the incentive to develop a device that lets Chip and PIN cards be easily cloned is going to be pretty high.

Finally, and as an aside, one would presume that the rationale for permitting retailers this kind of access to the system is to allow corrections to be made when the retailer realises that the customer has been either overcharged (yeah, sure) or undercharged for their purchase but has left the premises before the error was spotted.

Thinking about that, one cannot help but think of all the shops one has used, especially newsagents (for some reason), where one finds, displayed prominently behind the counter, a sign bearing a legend to the effect that, in the view of the retailer, it’s the customer’s responsibility to check their change before leaving the counter, after which point the transaction is concluded and any mistakes cannot be corrected.

Quite how this sits, legally speaking, I’ve never got around to checking, as it’s generally the kind of thing that one accepts as a game of swings and roundabouts: sometimes you get given too little change and you lose out, other times you get given too much, and if you can make it out of the shop without the retailer cottoning on to their mistake then the money’s yours by dint of all the times you’ve lost out the other way. One way or another, the assumption is that, all things being equal, these things will break even over time, so you take the occasional loss philosophically as long as it’s a matter of loose change and not something like a fiver or a tenner.

Obviously, if retailers can alter transactions, or add to them, after the fact and without your knowledge, then that alters the nature of the game and, in turn, makes the question of the legality of the ‘please check your change’ sign a matter worth pursuing.

One way or another, the lesson here has to be not to assume that Chip and PIN is in any way foolproof, while at the same time the question has to be asked as to why the banks have neglected to mention any of this up to now.

Any blogging Parliamentarians about who’d care to do the asking?

2 thoughts on “Chip and Sin”

  1. I am no lawyer, but I would assume that the initial typing in of the PIN in response to a transaction would count, legally speaking, as you the payer authorising the payment of money to the retailer.

    Any FURTHER transaction would not count as being part of the authorised one, since obviously the payer has not authorised the retailer to do anything.

    It would, therefore, fall into the series of offences that include fraud, obtaining money by deceit and unauthorised transfer of funds. Criminal offences, in other words.

    This being the case I really do wonder at the sort of brainless fuckwit who could conceive of and implement such a system; a credit card transaction should be a one-off event with a clear timestamp so that fraud can be detected easily.

    Worse, though, is the sort of criminal negligence which actually tolerates this in a working system.

  2. I think we have started the process of learning that

    i) Our identities don’t belong to us

    ii) Neither does our money
