[Dave Birch] On his excellent blog, Jerry Fishenden (Microsoft’s National Technology Officer UK) mentions chip and PIN security and talks about the recent press over Shell service stations not accepting chip and PIN cards (I bought petrol at a Shell garage in Woking today and had to sign for it) after fraudsters installed devices underneath the keypads that cached details of card numbers and PINs.  Jerry correctly points out that this was about financial fraud, not identity fraud.  But there are clearly ramifications for identity cards and if we’re going to be responsible we need to tackle the public’s concerns.

Technorati Tags: , , , ,

If companies or governments issue ID cards that can be authenticated with PINs, then this kind of fraud will be repeated, except that the bad guys will be stealing ID card PINs instead of bank card PINs.  But what does that matter in a world of two-factor authentication, where the bad guys needs the cards and the PIN in order to execute an attack? After all, identity cards won’t have a magnetic stripe "fallback" option, so it’s hard to see how to get away with anything.
So, rationally, the Shell fraud doesn’t really mean much for ID fraud.  Yet it is a very undermining kind of fraud.  It tells members of the public that they cannot trust the terminals — of whatever kind — that they are putting their cards into.  It’s really hard to know what to do about this, because unless terminals are in a wholly secure environment, they will always be subject to attack.  And if the terminals are made wholly tamper-resistant, then they will simply be replaced by subverted terminals.
What is critical is that obtaining the card details and PIN does not enable an attacker to create counterfeit cards.  In practical terms, this means that ID cards must have similar cryptography to EMV DDA cards (ie, public key cryptography) which naturally means a slightly higher price.  But it’s a price worth paying.
(Incidentally, a podcast from Jerry will up here this week).

Leave a Reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this: