Tuesday 17 June 2008

Attack of the (Card) Clones 2: The End of Chip & Pin?

Just three months after I had my debit card cloned, I was telephoned by my bank yesterday to say that it had happened again. Rather than Sri Lanka like last time, on this occasion people were trying to use a copy of my card in Indonesia and the Philippines. This suggests that there are sophisticated networks between small towns in Hampshire and locations right across South Asia to scan and send on the information about debit cards. The last occasion really woke me up to the dangers of having your card cloned and I had been very careful where I used it, restricting myself to one supermarket and two petrol stations, but clearly this was not enough. I remembered I used it at a nature reserve in the New Forest and at a swimming pool in Dorset, but those hardly seem places where the staff would be involved in such crime, but perhaps I am wrong. It is clear that to someone in a low-paid job in a petrol station, providing card data to criminals who approach them and offer them a slice, is a very attractive proposition. As regular readers will know I drive a lot around the South of England and I heard that one Dorset petrol station I had used in the past had been raided by police because 25 cards had been cloned there. Interestingly though, talking to the bank special investigations team yesterday they told me not to always blame petrol stations (though Shell stopped the use of chip and pin for most of last Summer because £1 million had been scammed through its service stations) and that nowadays criminals will sit on a cloned card for a while before using it so that you cannot work out where the likely place was where it was cloned.

Personally, this latest incident will lead me to start carrying around more cash than I have for ages. With my weekly petrol bill having risen from £30 (€38; US$59) to £48 (€61; US$94) in the last year, I will need quite a lot and of course that opens me up to having my pocket picked or being mugged for the money, old fashioned crimes. More broadly such regular crime raises the question whether the chip & pin approach has been a complete failure. The introduction last year of chip & pin to shops seemed to bring us in line with countries like France which I know had had the system since the early 2000s and it seemed to be more of a secure system than signing had been. However, by making the whole thing electronic it also meant that the transaction it is entirety can be transmitted to a waiting cloner. I never had problems with any cloning until this year; signing for me was a safe system, though I accept the banks may have seen it differently. Now, though I have absolutely no confidence in the chip & pin system as I have been warned by my bank and others that even cashpoint machines (ATMs in the USA) can be rigged to scan my card. So I step back say 30 years and go and queue at my bank every couple of weeks to get cash out over the counter. This of course will be even worse news for banks who like to get people out of branches and using as much electronic equipment as possible as it reduces their overheads greatly.

The chip & pin system seems to have failed to provide the security it promised. Will it be abandoned? I imagine the next step will be to introduce those small coding units which most of us now have to use when banking online. You put your card into that and type in the amount of money you want to spend and so on and it generates a one-use code number which you then enter into your online facility. If you have a string of payments you have to go through the process for each one. Now this will slow things up in supermarkets, but I can see a time very soon when people will carry these around to generate a unique number every time they use their debit card so that even if it is cloned, the cloners will lack the necessary one-use number. Now it means lots of complex programming for all the shops and so on to use a system like this and transactions will take longer (but much quicker than cheques used to be, people forget what it was like shopping in a supermarket when cashiers had to read the price off everything and type it in) and people are not tolerant at delays in shops even of the length which were common just 20 years ago.

The alternative is to do what my father and now myself are doing, go back to cash. The Germans did this up until the 1990s. Whereas in the UK we gave out credit cards to every student when they started university, in (West) Germany you could not even get one until you were earning about DM60,000 (about £18,000 per year in those days), there were not cashpoint machines in any great numbers and people even bought cars in cash. The trouble in the UK is that the largest denomination note around is the £50 note (€63; US$98) and even then you rarely see it and pubs and some shops will not take it, so you are stuck with the £20 note (€25; US$39) whereas if we used euros you can get the €100 (£78; US$155), €200, €500 notes. I know the €200 (£156; US$310) and €500 (£390; US$775) notes cannot be used in certain locations such as petrol stations, but they are there if you want to buy a car or a plasma television or whatever in a way that they are not in pounds sterling. To buy my last car which cost £1600 I would have needed 80 notes, 32 notes if I could get £50 ones; in euros I could have done it with 5 notes. For me the age of chip & pin in shops is over, it is back to cash.

No comments: