I didn’t want to write about fraud yet again, but…

[Dave Birch] The U.K. remain Europe’s largest exporter of card fraud, and it looks as if this year we’re going to do even better than last year. Total card fraud last year was UKP 535 million (about a billion dollars) but the half-yearly figures for 2008 are predicting a full year well in excess of UKP 600 million. The prospects of fraud reducing remain, I think, slightly gloomy. SDA clones (of French cards, luckily) have already been found in Europe and I would imagine that we’ll begin to see SDA cloning on a large scale over the next twelve months as the ICVV base expands. When you add this to the lack of a mass market solution for EMV in the Internet/MOTO environment, there is no possibility of U.K card fraud falling over the next year. 3D-Secure technology (Verified by Visa and MasterCard SecureCode) has not even dented the problem. Despite the fact that nearly 20 million cards have been registered for 3DS in the U.K., and the fact that a tenth of e-commerce transactions are already 3DS verified, the CNP fraud figures are increasing remorselessly. I have heard some anecdotal evidence that some customers are switching from cards that are 3DS to cards that are not, simply because they can’t be bothered with the 3DS authentication when they’re buying online. And, rationally, why should they even care? Consumers are protected whether the transaction is 3DS or not so unless the retailers the incentivise them to use 3DS instruments, why would they bother?

At some point, I assume, fraud will get so bad that banks will be worried about it. That’s some way away, of course, since in the U.S. fraud is well under 1% in card portfolios that have bad debt well in excess of 6%, so I know which area will be attracting most management attention for the foreseeable future. It’s clear that chip and PIN isn’t going to crack the problem by itself, so we’ll have to start looking around for the next generation of card technology. Since the cards themselves will be disappearing into mobile phones, that would suggest that the banking sector begin ramping up their efforts in mobile. Which, of course, they already are.

By far the strangest chip and PIN security story of recent days, however, is the one about the POS terminals in British supermarkets that supposedly had extra components added at the factory in China and are sending card details to Pakistan via mysterious wireless technology.

Dr Joel Brenner, the US National Counterintelligence Executive, warned that hundreds of chip and pin machines in stores and supermarkets across Europe have been tampered with to allow details of shoppers’ credit card accounts to be relayed to overseas fraudsters.

[From Chip and pin scam ‘has netted millions from British shoppers’ – Telegraph]

There are several reasons why I am suspicious about this story. It talks about “invisible” components being added to the POS terminals so that the tampered terminals are “undetectable” but then later goes on to say that the doctored devices weigh more than the kosher ones (and are therefore eminently detectable). It says that MasterCard boffins in Manchester (I think it means the MasterCard Analysis Laboratory in Warrington) confirmed the problem and that people have been going around weighing terminals in stores (which sounds like an April Fool’s joke to me) to spot the fakes. It also claims that the terminals with the undetectable modifications are sending card data to Pakistan via (it implies GSM) interfaces, which I frankly doubt.

What I think has happened is that the journalist has confused the well-known and extensive bogus terminal fraud going on in the U.K. (that we discussed two years ago) with some speculation from American sources (who don’t have chip and PIN, remember) and come up with a more exciting cloak and dagger version. To the best of my knowledge — which, I can assure you, is pretty up-to-date on this stuff — the tampering does not take place in the factories and it is not perfect or undetectable. What is actually happening is that largely Eastern European fraudsters are buying or stealing used POS terminals and adding card data loggers and memory. The POS terminals are often sourced in pairs, so that a complete bogus terminal can be made from the remnants of two non-bogus terminals (some of the parts are destroyed by tampering). The fraudsters collude with mainly Sri Lankan criminals to get the bogus terminals placed, generally at petrol stations and other high-traffic locations and often in collusion of low-paid retail staff. After a couple of weeks the bogus terminal is removed and replaced with the real terminal, and the fraudsters get thousands of card details and PINs from the memory. These details are then used to manufacture counterfeit magnetic stripe cards for use in foreign ATMs (in, for example, Bulgaria) and non-chip merchants (in, for example, the U.S.A.). This has little to do with Sainsbury’s or Asda — the journalist may be mixing in a recent BBC story that magnetic stripe counterfeiters were going to target U.K. supermarkets, although goodness knows why since most of them go online for stripe transactions — and since the integrated POS terminals used in Sainsbury’s and Asda connect only to the Sainsbury’s and Asda systems (not to the Internet!) they wouldn’t be able to send fraudulent data back that way anyway. What’s more, I know of no “teams” that have being going around Europe weighing POS terminals: I do know that one POS vendor suggested that weighing terminals might be one way of spotting tampering. The referenced security breach at Asda in Letchworth (which Asda claimed no knowledge of) is almost certainly a continuation of the petrol station-based fraud that has been going on in that area.

It was the nature of the claimed fraud that made me suspicious about the story to begin with. If the perps are using the card data to make CNP transactions, and merchants are accepting the card details without CVV, then “British shoppers” aren’t losing a penny: merchants are. Also, to the best of my knowledge, the data from compromised terminals (which is being collected by the loggers) is used to make cards for use in foreign ATMs and terminals, not to buy stuff on the Internet (especially stuff that needs a delivery address). Whether you believe the story or not (and I don’t), it’s generated some attention.

Think about it … how do you secure a factory that makes POS terminals (which is likely to be in a country where security is a big challenge to begin with), and the containers the products are put in for shipment, and the trucks or trains that take them from the factory to the seaport, and the ships that take them across the ocean to their destination markets, then another port and more trucks and trains, and the warehouse they end up in before being distributed via even more trucks to the merchants who finally put them on their countertops to take card payments.

[From Javelin Strategy and Research » A security hole in the payments supply chain]

This is a reasonable point to raise. How do you make the POS terminal supply chain secure? The answer is, of course, that you don’t. You put a security module (another smart card, essentially) inside the terminal so that the terminal doesn’t need to be secure. This changes the problem of making terminals secure into the problem of making smart cards secure, which is more likely to succeed. This is precisely how it works in the U.K. transport smart card scheme, ITSO where the data is encrypted between the card and the Security Access Module (SAM) so the terminal itself never sees data in the clear. Managing the smart card supply chain securely is something that banks, telcos and their suppliers already do, so it shouldn’t be too difficult for them to make it work.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]