The system can easily be adapted for deterring theft when purchasing goods via the Internet, mail order, fax or by phone.

Together we can beat fraud, well we certainly can reduce it.

My concern now is the extra 3 digits on the back of the card. Why are these of any use? If a criminal has the card then they will have the three digits as well!

Chip and pin is the worst system for so-called security I have ever come across. Who invented it? Margaret

I have visited your site many times since retiring (early) from a bank. I’m sure you can check my visits from this comment. I might be grey and balding but I’ve stayed current. 12 years with a PC and 9 of those with an online connection have made me aware of the nasties “computers” bring with them. Sadly, Government and commerce only see what they want to and need to.

The world is changing. Banking is changing.

Challenging business values is not a popular concept in sales cultures. My closing 18 months or so involved me in more contact with electronic fraud and identity theft than the entire preceeding 32 years.

Your knowledge, expertise and integrity is to be highly commended.

How does the challenge/response get from the hacked card to Carol’s laptop?

We used a wire (see the photo), but it would be plausible for an attacker to create a wireless version. As we only wanted a proof of concept, doing it wired was adequate. Still, in the run up to the programme, we tried holding onto our card during normal transactions, as if there was a wire, and nobody was bothered.

How many takes?

We were on location for about 7 hours on Friday, but they didn’t get all the shots they needed so came back on Monday for about 5 hours. The problem was that they only had one camera, so on Friday, they had the real terminal on the same table as the fake one. This meant they could film it all in one shot, but after talking to their editorial policy folks, they realised they weren’t able to show the restaurant scenario.

So on Monday they came back, but by that time Saar had left for Germany so I had to rope Robert into letting me borrow his laptop and help me set everything up. This was especially problematic since Saar built pretty much all of the hardware, and I didn’t have much experience in using it. However, we successfully performed the relay attack, through two shops, so they could use the footage of the restaurant.

How many of those were due to the tech and how many to the luvvies?

Actually our kit successfully performed the transaction first time, on both occasions, which is a credit to Saar’s engineering. It took a bit of tweaking for it to pass the self test, but once it did, the real transaction went through smoothly.

What took most of the time was the working through the explanation of what happened, as each shot had to be done several different times, for each of several different camera angles. The street outside the shop is pretty busy, so it was also hard to find a time when there were no people doing anything too silly in the shot (the crew took a while to get rid of a drunk who was fascinated with the proceedings).

Great and you don’t seem to be nearly ugly enough to keep in infosec as a profession (ask Richard :).

Just two questions, which I will understand if you don’t or can’t answer …

1. How many takes?

2. How many of those were due to the tech and how many to the luvvies?

S-E

This then potentially allows the shop to have read the card magstripe (cloneable and useable in an ATM) and the PIN from the keypad.

The Chip and PIN initiative should have emphasised that the card reader and PIN entry *must be on the same physical device* . These composite tills undermine customer safeguards.

When are bank ATMs going to go all-chipcard ?!