Friday, February 12, 2010

Security? Sometimes it's just an illusion

Today was not a good day in the world of banking and electronic transactions.

Here in New Zealand, we lead the world in our uptake of EFTPOS as a way of making payment for goods and services. Indeed, when I visited the USA a few years back, I was gobsmacked at just how far ahead we were.

While our retailers were all providing electronic card-swiping and PIN numbers as a way of delivering instant electronic payment, the Americans were still hauling out their zip-zap and asking for a signature -- positively archaic!

However, none of this super-smart electronic payment stuff would be worth a bean if it weren't secure.

Imagine if people could intercept your transaction and use the data contained in it to fraudulently perform other, unauthorised transactions involving your money in your bank account.

Ah, but that could never happen right? After all, these EFTPOS terminals have some pretty wicked security stuff that encrypts the data and makes such things impossible. What's more, the new cards even have a super-secure chip built into them that must surely make them invulnerable to fraud...

Well apparently it's not impossible, at least if you use your card in Europe.

According to this story, researchers have been able to demonstrate just how simple it can be to thwart all this alleged security.

Scary stuff indeed!

By installing a bit of extra equipment and some software between an EFTPOS/Credit-card terminal and the bank's computer, fraudsters could effectively collect quite significant sums of money from unwitting customers -- and it gets worse (if you're one of those customers).

In the normal kind of credit-card fraud, where a card's details are cloned or simply taken and used online, the card-holder is indemnified against loss. In such cases it's the merchant who is left carrying the cost of fraudulent transactions because no PIN was used to verify that the card was being used by the authorised holder.

With this new kind of exploit, the legitimate cardholder is actually entering a valid PIN so, from the bank's perspective, it *is* an authorised transaction and therefore the customer's liability -- just as if you'd had cash stolen from your wallet.

Clearly the banks need to go back and have a think about this situation and exactly how secure their electronic payment systems really are.

It's not known whether the same vulnerabilities and customer liabilities exist on NZ's EFTPOS network, but it might just be worth contacting your bank to find out.

If this proves anything, it's simply that anything done by man can be undone by another man, especially if he's after your money.

Remember, there's no such thing as absolute security; the best you can hope for is that the systems you rely on are 'secure enough'.
