On a recent visit to a local supermarket I noticed something new being displayed on the keypad before the transaction starts:
(“Did you know that you can remove the PIN pad to enter your PIN?”)
Picking up the keypad will allow the cardholder to align it such that bystanders, or the merchant, cannot observe the PIN as it is entered. On the one hand, this seems sensible (if we assume that the only way to get the PIN is by observation, no cameras are present, and that even more cardholder liability is the solution for card fraud). On the other hand, it also makes some attacks easier. For example, the relay attack we demonstrated earlier this year, where the crook inserts a modified card into the terminal, hoping that the merchant does not ask to examine it. Allowing the cardholder to move the keypad separates the merchant, who could detect the attack, from the transaction. Can I now hide the terminal under my jacket while the transaction is processed? Can I turn my back to the merchant? What if I found a way to tamper with the terminal? Clearly, this would make the process easier for me. We’ve been doing some more work on payment terminals and will hopefully have some more to say about it soon.
Handling the terminal is also good for helping cardholders detect a cleverly mounted tampered terminal, if they know what to look for (on occasion I examine terminals at shops but try not to seem too eager as I’m never sure if “it’s OK, I’m a researcher” would get me out of trouble). According to APACS‘ “Retailer advice“, terminal tampering is recognized as a very real threat (unfortunately, it assumes that merchants are universally honest). It is interesting to read that they actually recommend that merchants place a CCTV to cover the till area, but only such that the cardholder’s PIN cannot be observed. I wonder how that is reconciled with encouraging the cardholder to move the pad.
In this context I should mention that earlier this year we’ve seen Ingenico attempt at protecting against PIN observation by using “ViewSafe“, a magnifying glass mounted on top of the keypad such that the keys can only be viewed from the cardholder’s vantage point. The design has two main flaws, though. Firstly, the magnifying contraption is retractable when it should be fixed, and secondly, it provides a convenient setting for mounting a camera. The first trial was in our local Cambridge Boots store, so I had a few opportunities to see that none of the terminals had the magnifying glass in its “operational” state. I couldn’t find references to how successful the trials were and if these magnifying glasses are now more widely used.
Keypads need to be removable to allow disabled people, for example in a wbeelchair, to use them.
A small amount of fraud seems resonable to make the system open to all.
That ViewSafe terminal looks as if it’s quite easy to see that the user is pressing the “8” key. It’s not what they’re looking at that matters, it’s what their fingers are doing.
Argos self service kiosks use terminals with no human supervision whatsoever so presumably attacks are easier there.
Also possible to use these to get quite high value and resalable goods (plasma TVs etc)
Gavin: This is just anecdotal, but whenever I’ve used the self service kiosks at Argos, staff have always asked to see (and handle) my card before handing over the goods.
With apologies for following up my own posting, I used a kiosk at an Argos a couple of days after writing the above and was able to leave with the goods without ever showing my card to a human.
Thereby demonstrating the risks involved in basing an argument solely on anecdotal evidence.
“Many victims have been loyal customers of their bank for decades and have never made a claim for fraud in the past, such as Iain Richardson, 44, an Oxford-based business manager for golf courses … At NatWest, £250 was withdrawn from a cash machine and a further £1,800 in an over-the-counter transaction using chip and Pin – but the bank refuses to refund the cash. This is despite the fact that it has forwarded CCTV footage of the criminals on to police … Iain is furious at being labelled incompetent: ‘They said I was irresponsible with my Pin number, but I said there is no way that could have happened. I have had the same Pin for six years and haven’t written it down anywhere. I recited the 12-digit number on the card then and there, as well as the Pins to all of my debit and credit cards. I don’t forget things easily.”
http://www.thisismoney.co.uk/saving-and-banking/article.html?in_article_id=425103&in_page_id=7&ito=1723