The recent announcement about the Shell garage skimming fraud must have sent a chill through the hearts of many parts of the card industry.

It certainly seems to have upset PIN pad supplier Trintech who, in direct contradiction to what I was taught on my PR crisis management course, are ignoring press enquiries about the issue.

An APACS spokesman says, "machines should be tamper-resistant. That didn’t happen on this occasion and has led to the criminals being able to perpetrate old-style mag stripe fraud but in a ‘new’ location."

This mystifies me. Devices of this nature have to go through rigorous certification processes – so if there was an issue with tamper resistance, why wasn’t it caught at that stage?

The only bit of good news is that this wasn’t a Chip and PIN fraud. It was a PIN and magnetic stripe fraud and, presumably, until cards no longer carry magstripes, that will continue to be a risk.

3 comments

  1. It looks like the devices may have been taken away by “repairworkers.” Tamper-resistance isn’t really up to that.
    (Click below … although that is the un-ssl version.)

  2. Indeed – although it strikes me that there’s a subtext of blame shifting there. Shell should have procedures to deal with equipment repair – forecourt assistants frankly can’t be expected to judge what is and isn’t fishy.

  3. Seems to me there is an inherent defect with the idea of ‘tamper proof’ PIN pads.
    Firstly, a cleverly designed keypad overlay would mean that no tampering was needed. Press the overlay, the PIN is captured, but at the same time the key press is mechanically sent through to the real keypad. The many different devices out there would make a well-designed keypad overlay difficult to spot.
    Secondly, a device that looked like a real pad but merely captured the PIN could be used. Then the customer is told “sorry that device has been playing up, use this one”. No tampering at all required here either.
    The issue, as Jane Adams has said, is the magstripe, and that is not going away for a very long time.
