Do not use Chip & Pin at Tesco

May 10th, 2006

> > > When I use a shop with the “swipe and dock” design card readers (such
> > > as Tesco) that read your magstripe, chip and ask for a PIN, I despair
> > > that so many consumers are being taught to accept having their cards
> > > skimmed in this way.
> >
> > The PIN is encrypted in the keypad. So do the reports say how it has
> > been recovered?

It is not encrypted in the keypad under the SDA system used in the UK. (There is a more expensive DDA system in which it is encrypted, using the card’s public key, but UK banks prefer not to pay an extra dollar for cards that are capable of public key crypto.)

The effect is that the PIN travels in the clear from the Tesco PIN pad to the swipe-and-dock reader on the side of the checkout girl’s PC. So it can be captured by the PC software, along with the transaction data (which even in the case of a chip transaction contains all the information you need to clone a mag stripe card). In consequence I will not use a card at Tesco.

It’s not even necessary to Trojan the keypad (and the Shell terminals were Linux-based, so might have been reflashed rather than had their hardware hacked – we’ll have to wait for the trial to find out).

The first such scam I came across was in Holland, where a petrol station attendant got PINs by eyeball and the card data from a network sniffer. That was in 1994. The same technology will still work fine today.

And I recall that when I predicted all this, a year or two ago, the APACS lady said I was speaking ‘tosh’…

You know, maybe someone should make a formal complaint to the police against APACS for fraud. Fraud is misrepresentation leading to prejudice, and 15 years of persistent lying about ATM system security – to enable their member banks to deny genuine claims from customers who have been the victims of crimes resulting from the banks’ own negligence – must surely fall within that definition.
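As an added illustration of the SDA/DDA point made in the message above (this is example code written for this page, not part of the original post or of any bank's or vendor's software), the following toy model contrasts the two PIN-entry designs: under the SDA-style flow the pad sends the PIN to the card in the clear, so everything on the path between pad and card (the checkout PC in the message) sees it; under the DDA-style flow the pad encrypts the PIN with the card's public key, so the same path carries only ciphertext. Everything here is constructed: the RSA is textbook RSA over two small well-known primes, the card-issued nonce that makes each enciphered PIN fresh is this model's own design rather than the real PIN block format, and the pad is assumed to already hold the card's authentic public key (in practice that key has to be verified through the issuer's certificate chain, or a device in the middle could substitute its own).

```python
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed key material: two well-known primes, far too small for real use.
_P, _Q = 1_000_000_007, 998_244_353
_E = 65537


@dataclass
class Card:
    """Simulated chip card. DDA-capable cards can do public-key crypto."""
    pin: str                      # four-digit PIN, kept inside the card
    dda_capable: bool
    n: int = _P * _Q
    e: int = _E
    d: int = pow(_E, -1, (_P - 1) * (_Q - 1))
    last_nonce: Optional[int] = None

    def challenge(self) -> int:
        # Assumption of this model: the card issues a fresh 32-bit nonce so
        # that two encryptions of the same PIN never yield the same ciphertext
        # and a captured ciphertext cannot simply be replayed.
        self.last_nonce = secrets.randbits(32)
        return self.last_nonce

    def verify_plaintext_pin(self, pin: str) -> bool:
        # SDA-style offline PIN check: the card compares the cleartext PIN.
        return pin == self.pin

    def verify_enciphered_pin(self, ciphertext: int) -> bool:
        # DDA-style check: only the card holds d, so only the card can recover
        # the PIN. The nonce is single-use, so a replayed ciphertext fails.
        if not self.dda_capable:
            raise ValueError("SDA-only card cannot decrypt an enciphered PIN")
        m = pow(ciphertext, self.d, self.n)
        pin, nonce = divmod(m, 1 << 32)
        ok = (self.last_nonce is not None and nonce == self.last_nonce
              and str(pin).zfill(4) == self.pin)
        self.last_nonce = None
        return ok


# `link` stands for the pad -> reader -> checkout PC -> card path; every item
# appended to it is something software on that path could record.
Link = List[Tuple[str, object]]


def pin_pad_sda(pin: str, card: Card, link: Link) -> bool:
    """SDA-style entry: the PIN leaves the pad unprotected."""
    link.append(("PIN", pin))
    return card.verify_plaintext_pin(pin)


def pin_pad_dda(pin: str, card: Card, link: Link) -> bool:
    """DDA-style entry: the pad encrypts PIN||nonce under the card's public key."""
    nonce = card.challenge()
    link.append(("NONCE", nonce))
    m = (int(pin) << 32) | nonce          # fits comfortably below n
    ciphertext = pow(m, card.e, card.n)
    link.append(("ENC_PIN", ciphertext))
    return card.verify_enciphered_pin(ciphertext)


def pin_visible_on_link(link: Link) -> bool:
    """Would software sitting on the pad-to-card path learn the PIN?"""
    return any(kind == "PIN" for kind, _ in link)


def captured_ciphertext(link: Link) -> Optional[int]:
    """What an observer could record from a DDA-style exchange."""
    for kind, value in link:
        if kind == "ENC_PIN":
            return value
    return None


if __name__ == "__main__":
    sda_link: Link = []
    pin_pad_sda("1234", Card("1234", dda_capable=False), sda_link)
    print("SDA: PIN visible on the path:", pin_visible_on_link(sda_link))

    dda_link: Link = []
    card = Card("1234", dda_capable=True)
    pin_pad_dda("1234", card, dda_link)
    print("DDA: PIN visible on the path:", pin_visible_on_link(dda_link))
    print("DDA: replaying captured ciphertext accepted:",
          card.verify_enciphered_pin(captured_ciphertext(dda_link)))
```

The model makes the message's point concrete: in the SDA path the PIN is one more field that the checkout PC handles, whereas in the DDA path the PC handles only a nonce and an RSA ciphertext it cannot open, and the nonce stops it from reusing that ciphertext later. What the model does not address is the transaction data the message also mentions, which is unaffected by how the PIN is protected.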


This is yet another reason to not shop at Tesco.

