A recent incident in Colorado highlights that the four-digit PIN you enter to use your debit or credit card is not a failsafe that keeps it out of crooks' hands.
Thieves compromised the checkout lane kiosks that process credit card purchases at a series of Safeway stores. That’s nothing new – such kiosks are responsible for the vast majority of credit card breaches in recent years. But law enforcement officials are alarmed by new “skimmers” that are able to lift PINs from the machine.
It might surprise you to learn that most security experts place little faith in a four-digit passcode as a sole solution to keeping your data safe from thieves, for several reasons.
Because they break the law for a living, we tend to think of criminals as evil, poor and inept. To the contrary, successful criminals must continually improve their tactics to stay one step ahead of law enforcement. Fraud is an arms race with billions of dollars at stake, and the cutting-edge techniques of years past must be continually refreshed. For instance, the United Kingdom has seen increases in fraud involving chip and PIN cards as criminals have adapted to the technology.
In Colorado, investigators are working to determine if the software in the kiosks was altered or if the perpetrators replaced the old machines wholesale with near-perfect replicas that intercept customers’ most valuable data and send it to a computer they control.
The hacked kiosk, what security lingo calls a “man in the middle” attack, is a new phenomenon here in the U.S. In Europe, “chip and PIN” cards were introduced years ago, and criminals there have spent that time fine-tuning their techniques to a high level of sophistication.
One of the more colorful attacks, as recounted by Ross Anderson, a professor of security at Cambridge, was used in sketchy establishments most popular for bachelor parties. The proprietors of such places would hack the payment machines to display normal purchase amounts that then prompted customers to enter their PINs. But behind the scenes, the hacked machine would send an obscene charge, say $3,000, to the card. Customers embarrassed to reveal they were frequenting such “dodgy” establishments chose not to pursue the matter. For those who did, the clubs would claim the customers simply didn’t remember their wild evening.
Banks and credit card companies are embroiled in a debate with retail stores over security, an area where stores are often the weakest link in the chain.
The banks are moving towards the next generation of security tools: tokenization, encryption and other techniques designed to thwart the man in the middle attack. These tools may work alongside the PIN, but could also replace it with a much more complicated, computer-strength password, since a PIN’s short length means it can be cracked by “brute force” (i.e., testing each possible passcode one by one). That more complex password would reside on the user’s device, instantly improving on the short and simple passwords people tend to pick so they can remember them.
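To make the two points above concrete, here is an added illustration (not code from the article or from any bank or payment network) of why a four-digit PIN is weak as a sole control and what tokenization changes. All card numbers, salts and PINs in it are constructed sample values, and the simple salted hash stands in for whatever a real issuer stores; it is an assumption chosen to keep the example self-contained.

```python
"""Added illustration, not from the article: exhausting a 4-digit PIN space
versus a device-held secret, and tokenizing a card number so the value that
passes through a checkout kiosk is worthless on its own. All data constructed."""
import hashlib
import hmac
import math
import secrets
from typing import Optional

PIN_DIGITS = 4


def pin_verifier(pin: str, salt: bytes) -> bytes:
    """Stand-in for what a back end stores instead of the PIN (constructed scheme).
    Even a deliberately slow hash would not help: the space is only 10**4."""
    return hashlib.sha256(salt + pin.encode()).digest()


def exhaust_pin_space(stored: bytes, salt: bytes) -> tuple[Optional[str], int]:
    """Try every 4-digit PIN in order; return the match and the guess count.
    This always terminates after at most 10_000 attempts, which is the whole
    point: a PIN only holds up if something else (a try counter on the card,
    a lockout at the issuer) stops the guessing long before then."""
    for n in range(10 ** PIN_DIGITS):
        guess = f"{n:0{PIN_DIGITS}d}"
        if hmac.compare_digest(pin_verifier(guess, salt), stored):
            return guess, n + 1
    return None, 10 ** PIN_DIGITS


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly chosen secret with this alphabet and length."""
    return length * math.log2(alphabet_size)


class TokenVault:
    """Maps random tokens to the real card number (PAN). In practice this lives
    at the issuer or processor; the merchant and its kiosks only ever see tokens."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # 128 random bits: not derived from the PAN, so it leaks nothing about it.
        token = secrets.token_hex(16)
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._vault.get(token)


def token_reveals_pan(token: str, pan: str) -> bool:
    """Check whether any 4-digit run of the PAN appears in the token, i.e. whether
    a tampered kiosk that captured the token learned part of the card number."""
    return any(pan[i:i + 4] in token for i in range(len(pan) - 3))


if __name__ == "__main__":
    salt = b"constructed-salt"
    stored = pin_verifier("4821", salt)  # constructed PIN
    print("recovered PIN, guesses:", exhaust_pin_space(stored, salt))
    print(f"4-digit PIN: {keyspace_bits(10, 4):.1f} bits; "
          f"device secret: {keyspace_bits(2, 128):.0f} bits")
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111")  # constructed test PAN
    print("kiosk sees:", tok, "-> issuer resolves:", vault.detokenize(tok))
```

The contrast the article draws falls out directly: the PIN loop finishes in a fraction of a second no matter what PIN was chosen, while a 128-bit secret held on the user's device cannot be enumerated at all. The vault shows the other half of the banks' approach: a skimmer or replaced kiosk that intercepts the token has captured a random number that is useless anywhere but inside the issuer's own system.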
On the other side of the debate, retail stores have been slow to adopt the EMV technology that can process the more secure chip cards in their checkout lanes. Recent surveys have shown that 60% to 75% of retailers are not EMV ready.
Retailers appear to be advocating the PIN technology as a mandated solution primarily for business reasons. First, stores face different liabilities for fraudulent purchases depending on how the purchase was made, so many store owners see the PIN technology as a way to push liability away from their pockets.
Second, a more complicated political motive may explain the push for the technology. Representatives for the retailers appear to be using the chip and PIN debate to distract from massive data breaches that occurred on the back end of the retailers’ systems, something a PIN would not prevent.
From a security perspective, those are fairly weak reasons to advocate a single approach, and they are not in the consumer’s interest.
In the meantime, it’s important to stay vigilant as consumers, and embrace all techniques that make it harder for thieves to steal our information.