The Sunday Times: Chip and pin ‘makes fraud even easier’

The Sunday Times May 14, 2006

Chip and pin ‘makes fraud even easier’

The original Catch Me If You Can con man says Britain’s new card system is wide open to abuse. By Jessica Bown

CHIP-AND-PIN systems introduced to foil credit and debit-card fraudsters are making it easier to commit certain types of financial crime, a reformed con man warned last week.

Frank Abagnale, whose life story inspired the Leonardo DiCaprio film Catch Me If You Can, served five years for fraud after posing as an airline pilot, a doctor and a lawyer and cashing $2.5m (£1.3m) of fraudulent cheques between the ages of 16 and 21.

Now 58, he has used his skills to help the FBI fight fraud for the past 30 years and also works with CIMS, which offers identity-fraud protection services.

He does not believe that chip-and-pin technology, which requires transactions to be verified with a four-digit number rather than a signature, will prove much of a challenge for professional fraudsters.

The information sent out by the hand-held card reading devices used in restaurants is not encrypted, for example. Any criminals nearby with an information receiver can therefore capture the data, including the pin entered — actually making it easier for them to commit certain types of fraud.

Abagnale said: “Anyone sitting at another table with a laptop would be able to pick up the messages being sent to and from the card readers.”

His concerns about the vulnerability of chip-and-pin were reinforced last week by news that 600 Shell petrol stations have suspended use of chip-and-pin terminals after more than £1m was stolen from customers’ accounts. Fraudsters masquerading as engineers sent to test the equipment instead fitted the keypads with memory chips that logged customers’ card numbers and pin codes.

They then used the information to plunder accounts by making counterfeit cards and using them to withdraw cash from cash machines. Fraudsters were only able to clone the cards’ magnetic strips, rather than the chips, but many ATMs are not yet fitted with chip readers and therefore still use the strips.

The Association of Payment Clearing Services (Apacs), which masterminded the introduction of chip-and-pin in Britain, admits the technology used by Shell failed in this instance.

Mark Bowerman of Apacs said: “We are confident that this problem is specific to the type of keypad that Shell uses. But chip-and-pin keypads are supposed to shut down when tampered with so that part of the technology has obviously failed in this case. We are working with the manufacturer to ensure that this doesn’t happen again.”

One plus point for proponents of chip-and-pin is that the criminals did not use the fake cards to make purchases from other retailers because they could not clone the chips.

However, Abagnale believes that it will not be long before they find a way to crack the system completely. He said: “There is no foolproof system. Anything devised by a man or a woman can be defeated.”

Criminals are also targeting chip-and-pin users by fitting cash machines with a device that captures card data and positioning a camera nearby to record customers’ pins.

This can be done either by posing as a cash-machine maintenance man, or by bribing bank employees to allow them access to the dispensers. There have also been cases of dishonest shopkeepers installing cameras to record the numbers that customers key in.

Figures do suggest, however, that the introduction of chip-and-pin has initially helped to cut overall card fraud, which fell from £504m in 2004 to £439m last year.

Card-fraud losses also fell in France when a pin-based payments system was introduced in the 1990s. Sceptics say this was because criminals targeted less advanced countries such as Britain instead. Now that option is no longer open to them, they are expected to make use of today’s technology to find ways round the system.

Another unfortunate side effect of chip and pin has been to boost internet and telephone credit-card fraud, known as “card-not-present”, for which criminals do not need to know your pin. The cost of this kind of card crime leapt from £151m in 2004 to £183m last year.

The government claims its controversial plan to introduce identity cards will help to cut fraud losses. A Home Office spokesman said: “Identity cards should help to cut fraud and we have taken other measures, including increasing the penalties for possessing false identification documents.”

Fears are growing, though, that identity cards will simply make life even easier for fraudsters. Abagnale said: “Within six months the new identity card will have been replicated perfectly. And because it condenses all the information on an individual in one place, the fraudster won’t have to find it.”

His approach is to avoid online banking and pay for everything on a cashback credit card that he pays off at the end of each month. Abagnale said: “I don’t use a debit card because that’s putting my own money at risk. Instead, I put the liability for any fraud on to my credit-card company.”

But this may not work for much longer, because he thinks lenders will soon begin putting more liability on customers.

WAYS TO PROTECT YOURSELF FROM FRAUD

  • Never give out your pin. Neither your bank nor the police will ever ask for it.
  • Only give out card details over the phone when you have instigated the call.
  • Never write down your pin and remember to shield it when keying it in to make a purchase in a shop or restaurant.
  • Check paper and online statements from your credit card company or bank carefully as soon as you get them and query any transactions you do not recognise immediately. You should also check your credit file regularly by contacting a credit reference agency such as Callcredit, Equifax or Experian.
  • When shopping on the internet, only use secure websites that display a locked padlock or an unbroken key icon in the bottom right corner of the screen. Internet shoppers can also sign up to the anti-fraud services Verified by Visa or Mastercard Secure Code.
  • Never use an e-mail link to get to a website where you are going to enter your personal details. Instead, type the site address directly into your internet browser.
  • Buy a criss-cross shredder and use it to destroy any old documents that include your bank or personal details. Sales of document shredders have rocketed in the past 12 months. However, documents cut into vertical strips using a linear shredder are easy for criminals to reassemble.
  • If you are selling an old computer, check that you have wiped all personal details first. Up to 50% of computers sold on Ebay contain bank-account and credit-card numbers.