Monday, August 14, 2006

Technological Arbitrage

I've not heard that phrase before but it's a good one.

Bruce Schneier links to an article about the supposedly more secure "Chip and Pin" credit/debit card system that was recently introduced to the UK can be circumvented by cloning the magnetic strip (i.e. the "old" technology) and then using it at a location that knows nothing about the new system (in this case an ATM in India).

I've heard stories of it happening in the UK too where a merchant hasn't upgraded their systems - or where banks haven't upgraded their ATMs. Indeed, I wish I could find one story I read that described how the presence of a chip on a card is encoded on the magnetic strip... so you can get even an upgraded ATM to fallback to the older magnetic strip technology simply by changing that bit on the strip.

2 comments:

andyp said...

Interesting - how long does it take to get the card to India? I would have thought that the owner would have cancelled it by then.

Mind you, we walked out of a shop in Windsor yesterday and my wife left her card behind in the C&P machine, second time that has happened - at least this time we discovered the problem before we went home!

Chip and Pin sucks. First of all, it's a cynical effort by the banks and retailers to shift the burden of responsibility for fraud onto the consumer. Secondly, Internet transactions are unaffected, so get the card number and the 3-digit security code, and you're in business anyway.

andyp said...

Ah right, just re-read this, you said cloned...