After 20 years I was finally forced to get a new debit card.
I have had to patiently explain to various store clerks that my fancy dark green TD debit card was not brand new but actually very old, so old in fact that I could not actually remember when I got it….”From before there were computers”…a comment usually met with blank stares…
My bank recently sent me one of the fancy new ones, the Chip and PIN variety.
I have enthusiastically stuck it in the bottom of every debit machine I can find…sounds a bit dirty actually…only to discover that 95% of the terminals are not enabled to take the new Chip and PIN cards. I have had to continue to swipe the card (I will save that rant for another time). The new debit card was followed within weeks by a new VISA card, again enabled with the Chip and PIN technology.
So…imagine my surprise when I read this story…turns out Chip and PIN is fundamentally broken. Let me repeat…the Chip and PIN technology that is just now being mass distributed to consumers in Canada is broken. These cards have been in wide spread usage in Europe for a couple of years and are just now being introduced into Canada.
Researchers at Cambridge University in the UK published a paper Feb 11, 2010 and have shown how to attack the protocol used to communicate between the card reader and the bank to validate a transaction regardless of the PIN entered at the keypad.
This is not a case of the bank’s servers being hacked and malicious code inserted into the process or of hackers learning our card numbers and abusing them. This is a case of a poorly designed protocol being released and someone finding a big gaping hole in it.
While the banks are refuting the finding and various industry pundits are telling people not to panic it occurs to me that this is yet another scenario of the banks closing their eyes and hiding their heads in the sand and hoping the problem doesn’t really become an issue. They are claiming that anyone trying to take advantage of this defect will have to carry around a backpack full of equipment and have wires hanging out their sleeve…bullshit…my iPhone runs a 1 GHz processor, I am sure that itcan trick a card terminal with an $0.21 micro-controller in it, tell me where I am in the world, balance my cheque book…all while updating my facebook status. Hiding a device in my hand or up my sleeve to help me use a stolen card is not a big technological stretch. The store clerks will be none the wiser.
Why leave the hole open at all…all the cards, debit and credit, work as normal using the magnetic stripe, without relying on the Chip and PIN protocol. Why no just turn it off altogether until a fix is found (unlikely) or a better protocol is developed?
Just like everything else the banks and credit card companies do, it is easier to deal with fraud as a cost of doing business. Factor it in to the interest rate the way they always have, make it the consumers problem. Nothing can get in the way of making money.
WHAT CAN I DO?
To protect yourself you should call your bank, call your credit card company, ask them what they are doing about this problem. Insist that vendors process your card the normal way, they all have this ability as they have to deal with older cards. Pay cash, ATMs are not affected as they will operate off the magnetic strip. Go to a vendor that is not enabled for Chip and PIN yet…they will get the picture soon enough and put pressure on the banks themselves.
Make it your responsibility to understand what is going on…do not assume technology works just because it is new.