1. If you use C&P you have No statutory protection in law. If someone steals your money, you can go to your bank and ask for it back but the bank is a signatory of the Banking Code, which isn’t law, so they can give it back, or not, or some portion thereof.
2. Credit Cards have statutory protection under the CCA. Debit cards don’t. So those that payed for their Excel holidays with Debit cards didn’t get their money back but people who used credit cards did get their money back.
3. The 5 major high street banks reported tidy profits in 2007 (but not recently) of 38M GBP. A fair chunk of this came about because the banks persuaded people to do their work for them. ‘Do online banking and the world is yours’. What nobody (especially the banks) told the GrtBritPub is that a fundamental shift in responsibility was occurring.

I don’t do online banking and never have, so if I go into my bank and offer a check for cash for 500 pounda and the clerk says we’re very sorry Sir, but your account is empty, then I can say to the clerk ‘ What have You done with my money?’ AKA if you don’t ever do online banking then the bank has sole responsibility for the proper disbursement of funds. Once you do online banking, then the individual is also responibile for appropriate disbursement of funds. If anything goes wrong then the bank can say ‘Oh well sir, you must have got a virus or keystroke logger or whatever. We aren’t giving you your money back’ AKA the bank has just been given someone else that they can blame, rather than previously, they were solely responsible for proper disbursement of funds.

The banks have a large incentive to persuade people that online banking is safe & secure because for every 1000 or 5000 people that do it, that’s one less teller the banks have to employ or one less branch they have to keep open.

So what does this have to do with keeping your money safe?

As the researchers here have admirably pointed out Chip & Pin is not secure, so don’t use it. PEPs are not secure, so don’t use them unless you have statutory protection, in law. Which means use a credit card not a debit card.

Limit your exposure, as mentioned in the main article. I have a Credit Card with a 2,000 GBP limit and also a Credit Card with which I can buy a very nice new car. I keep the latter in case an operation in foreign parts, or other emergency, makes it use imperative. I’ve not used it yet. Other than that abuse of the 2,000 pound credit card is unlikely to rain on my parade while the fraud gets sorted out in my favour because I’ve got statutory protection in law.

The main problem is that that most people do not know the statutory difference between a debit card, a credit card and what doing online banking actually means.

I would also add: to play fair with the banks: I’ve told my bank not to honour transactions outside of the UK unless I’ve informed them that I’ll be wherever from this date to that date.

I’m constantly amazed at the number of bright, intelligent people who do not realise the above.

Now I use cash only from bank cash machines and refuse to use c&p as a rule, only when I absolutely have to. What annoys me is the banks make us use this technology without any consultation, thought for old people (my mother has very bad arthritis, and finds keypads difficult to use).

There are two types of mag cards in standard use, I would presume (but don’t know for sure) that the UK cards use HiCo (since the chips make them more expensive, they probably want the stripe to last). If that is the case, than it will take more than a simple magnet to erase a HiCo track.

But there are scenarios where doing a PIN change transaction is more dangerous than not, particularly if you assume the HSM API is not totally broken. At the very least doing a PIN change will generate some types of data (which may or may not be cryptographically protected) which makes it easier for attackers to chose our particular account to attack. A PIN change transaction might also generate some type of crypto-data that will make the oracle attack easier (again assuming a semi-good HSM API).

At one point we were going to present this to a standards organization, but I changed jobs before that came to fruition - so I have to assume most details on the Lloyds-TSB implementation are still proprietary. But I can say that the real solution requires the PAN and account number(s) to be cryptographically tied together, and the HSM API to evaluate that relationship before it produces reference PIN values for the changed PIN.

Interesting comments about PIN change. I agree that there are plenty of dangers back at the verifying host/HSM. To a point I think it’s still true that no-one gives a toss about these despite the published body of attacks. That said, the latests Visa PIN security requirements publicly available do talk about locking down functionality at switches to only the API calls which are required, which is a step in the right direction.

However, I’m not sure I see how you can avoid being the victim of these attacks by not changing your PIN? From what we have both said, if the PIN blocks are rarely bound to a particular account, then once you have a known PIN you can attack any account of your choice. So change your PIN or not, it’s a risk. But maybe I have misunderstood your attack hypothesis?

One of the scariest things I heard recently is that some international stand-in PIN auth centres don’t have proper retry counters that are synched with the main DB, or dont maintain state information overnight. So you can try 3 pins in the UK, and then internationally 3 PINs daily, until you just luck out against a particular account. Not that anyone would bother with such an attack, now it’s so easy to skim PINs at POS.

Mike.

While I’ve seen some good systems (I helped design the Lloyds/TSB crypto protocols), I’ve also seen some very insecure implementations too. I’ve been out of the financial security standards racket for a while (not since 2005), but last I knew these types of transactions fall into the poorly regulated area of on-us transactions.

There are two basic problems from the cryptographic protocol standpoint. The first is that the card number and the account numbers it accesses are not the same thing. Thus you have the problem of making sure that the PIN change transaction is only applied to the proper accounts.

Another problem is at the TRSM API level (something the principles of this blog should know a bit about :-), where a naively implemented PIN change function gives attackers many different shots at a successful oracle attack against the PIN. Care must be taken to differentiate (with cryptographically enforced typing) the reference PIN (or hash), the trial PIN, and the changed PIN. Relying upon hashed PINs for a reference is problematic too (especially the older algorithms with 4 digits and a high number of synonyms).

Most implementations I’ve seen of PIN change transactions ignore all of these issues. They allow the use of any reference PIN as the “changed” value, and do a dandy job of PVN generation. Does anyone know if the UK has put any standards into place in this area? If not, PIN change at the ATM is functionality that I would hesitate to use (except at Lloyds-TSB, because I happen to know how that one works).

Happy Christmas. I don’t see cheap looking cards making all that much of a difference. If you have an operation in place to skim cards, why discriminate? In some cases, the people who get paid to put tampered PEDs in their shops also earn money per card skimmed; they are not the ones going to the ATM to get cash with it.

Still, if you make your Black Card look like a debit card from an unknown bank you may save yourself from being targeted for other types of crime; though you’d lose the show-off factor .