Wednesday 17 June 2009

Insecure placing of Chip & Pin (PED) places Customers at Risk

Don't tell the misses, but I walked into a popular fast food restaurant in Central London today, I noticed the restaurant had fixed to the payment counter their Chip & Pin payment devices, these devices are known as Pin Entry Devices (PEDs) within the Payments Card Industry. The problem was they had fixed these devices behind the main raised counter, and the devices had no “pin protectors” on them, so forcing their customers to reach over a raised counter to the cashier's side, to type in the their 4 digit pin numbers. I observed several transactions taking place, each customer did not shield their pin entry with their free hand, probably because it would be too cumbersome to reach over the raised counter with both hands. The net result was most people in the queue and behind the counter could observe the 4 digit pin number as it was typed in.
This type of setup is a real goldmine for any potential pickpocket or mugger, as obtaining a payment card together with the pin number is a free license to withdraw hard money from cash machines and to spend freely in shops in the short term. The flipside is this is all very bad news for the victim, in such instances where payment cards are stolen together with the knowledge of the pin number, most card issuers and banks assume their customer is at fault, and must have written their pin number down and left it in their purse or wallet, and so are liable for any fraud losses. It can be very difficult to obtain refunds against fraudulent transactions losses in this type of scenario, not to mention the trauma of potentially being mugged for your card, remember the card has an instant high cash value if the pin is known, so the thief simply views the card as a wade of £50 notes

I am not saying shops should not screw down Chip & Pin devices to their shop counters. Fixing these devices to counters is actually a security necessity to prevent them from being “swapped out” by credit card fraudsters. Card fraudsters have been known to swap Chip & Pin machines when out of the sight of the cashier, then introduce a new identical looking and perfectly working device in it’s place. However the introduced device has been electronically modified by the card fraudsters to record each customer card details together with their pin number. After a few hours or even days, the criminals return and swap out their device and download all credit card details together with the pin numbers, and you know the rest.

So it is important for card security to attach payment entry devices to shops counters, and this is my main point with this post, merchants need to understand these payment devices are meant for their customer usage, not their own staff usage, so must present the pin entry devices on the customer side of the counter, so allowing the customer to put in their own card and enter their pin number without being overlooked by anyone.

Further there is really no excuse to not have pin protectors installed, especially as they don’t cost much. Merchants choosing to accept card payments do have a duty of care to protect their customers from card fraud, there is even an official security standards which they must follow called PCI-DSS.

 Chip & Pin (PED) with Pin Protector

While on this subject, I was at a popular catalogue shop outlet in Chorley a few months back, they too had fixed their Chip and Pin devices to the counter, but this time they had a CCTV camera aimed at the shop counter and their payment devices from a high angle. In their wisdom they had positioned a screen to display the CCTV images, so allowing everyone in the store to view people’s pin numbers as they typed them in. So it is important for high street merchants to position CCTV correctly within their card payment environments, and consider whether it is really a good idea to show the CCTV output to general public.
What can we do as consumers? Always keep possesion of your card at all times, avoid handing it over, even to cashiers and especially waiters. Always shield your pin number entry with your spare hand as you type as in the above picture.

Thursday 11 June 2009

A Clear CRB Check means They haven’t been Caught Yet!

Vanessa George, who worked at a Portsmouth nursery, stands accused of appalling sexual offences against young children. Already media reporters are queuing up in criticising the “enhanced Criminal Records Bureau (CRB)“ check, which this apparently despicable person passed, saying the check must of either failed or the CRB checking system itself is at fault. The CRB checking system has not failed nor is the CRB system at fault, as any seasoned security professional worth his salt will know, clear staff background checks does not guarantee an individual is not a dodgy person and is not capable of doing bad things. The truth is no background security check or test can ever provide a guarantee, whether it’s checking airport workers aren’t terrorists, checking child minders are suitable to be alone with children, or a data entry clerks aren’t data thieves.

Most organisations with staff dealing with financial information, government data or child care are required to carry out a CRB checks on their employees. Personnel whom pass these checks tend to be implicitly trusted by both their employers, and by the governing bodies which make the policies to have the checks done in the first place. As I always, always say, a clear background or CRB check simply means an individual has not been caught yet! Therefore individuals within their roles, depending on the organisation, should always be considered as a potential fraudster, a terrorist or indeed a sexual offender. By all means carry out background checks on staff, but never implicitly trust humans will not do bad things given an opportunity, only by accepting this together with assessing the internal risks staff can pose within their role, can we build the right security controls within processes and systems which will protect against internal staff threats.

Monday 1 June 2009

EU Elections & Hypocritical Privacy Protection Practices

I reluctantly posted my European electoral postal vote today, reluctantly because I considered not voting at all mainly due to a lack of an anonymous voting system, reluctantly because the European Union Parliament is not very democratic, in that unelected and non-accountable members of committees make the laws, not the people to whom I am being asked to vote to represent me as an European Union (EU) Member of Parliament.

Voting choice wise, there is no other option provided other than a postal vote, for whatever reason it is just not possible to vote at a traditional polling station, not in my area anyway.

The postal voting system involves enclosing a traditional ballet form within a pre-paid envelope, on which your full name is pre-printed with a unique ID number, your date of birth and your signature. Once sealed, the envelope must be placed into the public postal system as a “normal” letter, with its contents easily identifiable as a voting ballot (see picture). Should the envelope be lost (or stolen), then the person in possession will have obtained your full name, your date of birth and your approximant area of resident, from which it is child's play to establish your full address, which ironically can be found on the electoral role, which is publicly searchable. The voter also needs to sign the envelope in order for the vote to count, so your signature is part of the package of information, which is more than enough for identity thieves to start cloning your identity and stealing credit in your name.

Aside from the personal identity theft concerns, your political beliefs can also be discovered, assuming you didn’t spoil the ballet paper! Under European Data Protection Directives (laws) an EU citizen’s political beliefs is classed as “Sensitive Information”, the highest form of information classification.  The EU Information Commission would be most upset if a company were to ask or send out such information by public post; however it appears the EU must be above their own laws.

And those volunteers who open and count the ballet envelopes will be privy to your political beliefs, more than likely they will be from the same area and so could know who you are. Hmm I wonder who Mr. Smith at number 24 voted for?  While the bar codes sporting a unique number for each envelope will sure throw fuel on the conspiracy theorists fire, and they wonder why turn outs for EU elections are so low.

In the end I reluctantly posted my vote after reflecting on the millions of people who died to give me the right to vote in Europe during the last century. I concluded it was worth risking my financial identity out of respect to those who risked and lost their lives, fighting for the right for a just, fair and anonymous voting system and a democratic and accountable government system. Whether we are now taking backwards steps in Europe must be up debate, and whether such democratic debate can actually lead to changes in laws..