
Beat the Chip & PIN security scare

A flaw in the Chip and PIN security system that protects our credit and debit cards has been uncovered - which allows thieves to make purchases and withdrawals without being identified. We uncover the latest security scare - and show you how to stay safe.

A fatal flaw in the Chip and PIN security system that protects the 66 million debit and credit cards in the UK has been uncovered by researchers at Cambridge University. The loophole means stolen cards can be used in shop terminals and bank cash machines without needing to key in a specific four-digit security number.

The Cambridge scientists found that it is possible to attach a small chip to the back of a typical card that can bypass security measures within Chip and PIN terminals. This chip can be controlled by a small transmitter bought from any high street electronics shop, allowing the user to insert any four random numbers. The chip on the back of the card overrides the terminal to approve the transaction.

The loophole uncovered is serious - but there is as yet no proof that criminals have been exploiting it. Since Chip and PIN was introduced on Valentine's Day 2006, fraudulent losses on high street transactions in the UK have actually fallen dramatically - in 2004 total losses were nearly £220m. Last year, in contrast, they were just £98.5m.

Nonetheless, overall fraud trends are rising - annual figures released this month from watchdog CIFAS show a 9% rise in fraud overall and a huge 32% surge in identity fraud over the course of 2009.

So, are you at immediate risk? Not necessarily - it's worth remembering that it's usually quite difficult for thieves to raid your current and credit card accounts - even if they have details such as your bank account number, sort code, address or date of birth - as extra layers of security are always needed.  

Even so, it still pays to be vigilant. Fortunately, there is action you can take to stay safe.

Practical ways to stay safe

The most important - and very simple - step to keep safe from fraud is to know what's happening to your account at all times. Sign up for online banking at lovemoney.com and check all your accounts with one log-in, daily - it's a simple two-minute habit that will help you budget more efficiently, as well as keeping your money safe.

If you notice any fraudulent withdrawals or purchases on your account, notify your bank immediately. Fraudulent transactions can appear on your statement without your card having left your possession. There have been a growing number of cases with banks refusing fraud refunds, citing negligence on the account holder's part - rapid reporting of suspicious transactions can help ensure you get a refund. 

To ensure you're never at risk, it's also worth checking your credit report. Suspicious activity can remain undetected for months - your account may have been checked out even if no funds were taken. This could do damage to your credit status - fortunately, you can check your credit report for free with a trial of an Experian credit-checking service.

It's also worth regularly changing your Personal Identification Numbers (PINs) and telephone or internet banking passwords - particularly if you've used, for example, your child's name or your date of birth. Never write any of your security details down and when tapping your PIN in at the cash machine, keep your transaction safe from prying eyes - even this unsophisticated "shoulder surfing" can still yield opportunities for fraudsters.

Beat online security threats

Perhaps the other vital measure to protect your cards is to ensure that your financial details are safe from online fraudsters. Again, this isn't difficult but just requires getting into a few good habits.

First of all, make sure your PC's anti-virus and firewall software is up to date - you can find free protection from a number of sources, including Microsoft's Security Essentials suite. It provides full anti-virus protection, as well as malware detection and removal.

A powerful free alternative is the Avast anti-virus package - unlike with the Microsoft package, anti-spyware software to help detect dormant malicious code is built-in and it too offers automatic regular updates.

This should provide most of the protection you'll need to shop and bank online with confidence - but you'll still need to adopt a couple of good habits. First of all, know how to spot danger signs when shopping on the internet - fortunately, it's easy to spot bogus websites that could see your card details fall into the wrong hands.

When it's time to make a transaction, look for a small padlock in the right-hand corner of your browser (top right for Apple users). This shows that the security of the website is verified by a third-party security agency. Also, note that the beginning of the web-address will start "https:" rather than "http" - the 's' stands for secure. In most up-to-date browsers, the address bar will change colour to signify that you are on a secure server.

And finally, NEVER respond to an unsolicited email - even if it looks like it comes from your bank or an official retailer. One giveaway is slightly misspelt company names in the email or URL - e.g. 'Barcclays' instead of Barclays.

Do I need to pay for ID fraud protection?

Many banks are now offering "identity theft protection" products that protect your account from fraud - typically charging £6.95 or more a month. Yet if you follow the steps outlined above, you don't need to pay for peace of mind. To repeat, you will be refunded any money stolen from your account as a result of identity theft, provided you have not been negligent.

Watch our video The Scams That Make You Shiver to discover more ways the fraudsters try to get us to part with our cash, and head to our Q&A section to get the answers to your fraud questions.



Comments



  • 23 February 2010

    Chip and pin is slightly more secure than the old signature system to the extent that most people like myself sign slightly differently every time, the problem is of course any crook can tap in a pin number, it takes a reasonably competent forger to copy a signature and offers the banks some solid evidence to check if there is a dispute. The big problem with cards is currently internet (first purchase must be to the cardholder address, 5 minutes later they can max out your card to the address of your choice) and world fraud (i.e. the use of copied card details on a card with a random signature used in a country where the chip and pin number isn't used). Luckily nobody has developed an effective keylogger equivalent that connects to a phone line as this and cracking the code would create almost unlimited access to card details at any point on the telecomms system. I have heard rumours they are trialling a new system to replace chip and pin with chip and fingerprint, makes more sense to me. Ahhh the dream of no more 12 different pin numbers, now if we could just convince the banks to let me put all my accounts on one card so I don't have to carry a wallet that looks like it contains the original ten commandments...


  • 20 February 2010

    No, tommills, the police are not interested. One reason for this is that the banks refuse to co-operate with them. This (I was told by a CID officer later) is partly because the banks do not want any record anywhere of how big this problem really is. It would destroy confidence in the banking system worldwide. The most the police can do is record the crime. Even if evidence comes to light, the banks do not want to pursue it. I know that the recording of the person trying to access my account via telephone banking still existed when I reported my fraud; I know it was due to be kept on the Co-op bank systems for another 8 hours. I know that by the time the officer called the Co-op it had been deleted. He told me this happens a lot - the banks are not interested in co-operating with the police. The CID officer I later spoke to had CCTV footage of new cards issued in my name being used in several London jewellers to buy expensive watches, but he couldn't do anything with the footage - Barclaycard didn't want to proceed with an investigation, even though they'd lost £13k. A tip (also a tip from the CID officer I spoke to). If you are the victim of identity theft, and you have any idea whatsoever about who could be responsible for stealing your card, details or identity information, DO NOT SAY SO either to the bank or the police. The usual arrangement for credit card or bank loss with identity fraud is that you (the card or account holder) are NOT the victim - the bank elects to carry the loss, which makes THEM the victim. You are merely a witness. If the bank or credit card company (usually also a bank) thinks that you gave your details away through negligence in any form - and this is what will be supposed if you give a name of someone you suspect - then YOU will become the victim, and THEY will become the witness. In other words, you will have to foot the bill because the bank will refuse to refund you. Least said...


  • 20 February 2010

    I think for your online banking pin sentry is probably the most secure. I haven't cracked it yet! But scam email from China and Russia are on the increase and should be guarded against. I had a Youtube video embedded in a website a few days ago that said my flash player didn't work. Normally you click and it downloads a new one from Adobe; I clicked without being careful and the new one contained 7 viruses. I have deleted 6 of them and still hunting down number 7! I also had an email account hacked. That was the Chinese again. I think that is happening because of address book sharing and that is something I'll refuse all website from now on. But we tend to work so fast now it's easy to get caught. I'm not worried about the Cambridge findings because it's possible doesn't mean criminals will do it. But Einstein said imagination is more important than knowledge and now they are imagining that they can do it; maybe they will try. I use an ATM about every 3 months and those aren't a problem. I only use a card in a store about every 2 years and any unusual spending on mine is flagged and they phone me and I just tell them to refuse it.



Copyright © lovemoney.com All rights reserved.
